Bug fix: "unintended code execution vulnerability", thanks to astian (Closes: #950816). Patch backported from upstreamdebian/0.32.0-2

3 files changed, 79 insertions, 0 deletions

diff --git a/debian/changelog b/debian/changelog
index 880247d..4880c45 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+mpv (0.32.0-2) unstable; urgency=medium
+
+  * Bug fix: "unintended code execution vulnerability", thanks to astian
+    (Closes: #950816). Patch backported from upstream
+
+ -- Reinhard Tartler <siretart@tauware.de>  Sat, 18 Jul 2020 18:01:43 -0400
+
 mpv (0.32.0-1) unstable; urgency=medium
 
   [ James Cowgill ]
diff --git a/debian/patches/08_lua_security.patch b/debian/patches/08_lua_security.patch
new file mode 100644
index 0000000..e54b299
--- /dev/null
+++ b/debian/patches/08_lua_security.patch
@@ -0,0 +1,71 @@
+From 937749b545407aa68b1d15ea5e19a6c23d62da42 Mon Sep 17 00:00:00 2001
+From: astian <astian@e-nautia.com>
+Date: Mon, 11 Feb 2020 21:08:51 +0000
+Subject: [PATCH] lua: fix unintended code execution vulnerability
+
+Backport of upstream commit cce7062a8a6b6a3b3666aea3ff86db879cba67b6
+("lua: fix highly security relevant arbitrary code execution") to
+release 0.32.0.
+
+Note:  Before release 0.32.0, it used to be that mpv-related scripts
+directories where added to Lua's module-loaders search path.  This
+behaviour was dropped in 0.32.0 (bc1c024ae032).  Later, a similar but
+stricter behaviour was introduced (see da38caff9c0b and b86bfc907f9c).
+The original commit on which this patch is based depended on the new
+behaviour.  This backport retains the 0.32.0 behaviour; all it does is
+filter out relative paths from "package.path" and "package.cpath" for
+all Lua scripts.
+---
+ player/lua.c | 34 ++++++++++++++++++++++++++++++++++
+ 1 file changed, 34 insertions(+)
+
+--- a/player/lua.c
++++ b/player/lua.c
+@@ -273,6 +273,36 @@
+     return 0;
+ }
+ 
++static void fuck_lua(lua_State *L, const char *search_path)
++{
++    void *tmp = talloc_new(NULL);
++
++    lua_getglobal(L, "package"); // package
++    lua_getfield(L, -1, search_path); // package search_path
++    bstr path = bstr0(lua_tostring(L, -1));
++    char *newpath = talloc_strdup(tmp, "");
++
++    // Unbelievable but true: Lua loads .lua files AND dynamic libraries from
++    // the working directory. This is highly security relevant.
++    // Lua scripts are still supposed to load globally installed libraries, so
++    // try to get by by filtering out any relative paths.
++    while (path.len) {
++        bstr item;
++        bstr_split_tok(path, ";", &item, &path);
++        if (bstr_startswith0(item, "/")) {
++            newpath = talloc_asprintf_append(newpath, "%s%.*s",
++                                             newpath[0] ? ";" : "",
++                                             BSTR_P(item));
++        }
++    }
++
++    lua_pushstring(L, newpath);  // package search_path newpath
++    lua_setfield(L, -3, search_path); // package search_path
++    lua_pop(L, 2);  // -
++
++    talloc_free(tmp);
++}
++
+ static int run_lua(lua_State *L)
+ {
+     struct script_ctx *ctx = lua_touserdata(L, -1);
+@@ -326,6 +356,10 @@
+ 
+     assert(lua_gettop(L) == 0);
+ 
++    fuck_lua(L, "path");
++    fuck_lua(L, "cpath");
++    assert(lua_gettop(L) == 0);
++
+     // run this under an error handler that can do backtraces
+     lua_pushcfunction(L, error_handler); // errf
+     lua_pushcfunction(L, load_scripts); // errf fn
diff --git a/debian/patches/series b/debian/patches/series
index dda1dd6..64961bd 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
 05_add-keywords.patch
 06_ffmpeg-abi.patch
 07_io-stdin-used.patch
+08_lua_security.patch