author | Reinhard Tartler <siretart@tauware.de> | 2020-07-18 18:02:00 -0400 |
committer | Reinhard Tartler <siretart@tauware.de> | 2020-07-18 18:02:00 -0400 |
commit | 3b52150eed39653c009ecf6474a5eccb7655f149 (patch) | |
tree | 60ae1bc8e2577713b17cfd574fc86e74fc0020a6 | |
parent | c13ec496fa27736961a5bff5353ecf16ff51d101 (diff) |
Bug fix: "unintended code execution vulnerability", thanks to astian (Closes: #950816). Patch backported from upstreamdebian/0.32.0-2
-rw-r--r-- | debian/changelog | 7 | ||||
-rw-r--r-- | debian/patches/08_lua_security.patch | 71 | ||||
-rw-r--r-- | debian/patches/series | 1 |
3 files changed, 79 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 880247d..4880c45 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+mpv (0.32.0-2) unstable; urgency=medium
+
+ * Bug fix: "unintended code execution vulnerability", thanks to astian
+ (Closes: #950816). Patch backported from upstream
+
+ -- Reinhard Tartler <siretart@tauware.de> Sat, 18 Jul 2020 18:01:43 -0400
+
 mpv (0.32.0-1) unstable; urgency=medium
 
 [ James Cowgill ]
diff --git a/debian/patches/08_lua_security.patch b/debian/patches/08_lua_security.patch
new file mode 100644
index 0000000..e54b299
--- /dev/null
+++ b/debian/patches/08_lua_security.patch
@@ -0,0 +1,71 @@
+From 937749b545407aa68b1d15ea5e19a6c23d62da42 Mon Sep 17 00:00:00 2001
+From: astian <astian@e-nautia.com>
+Date: Mon, 11 Feb 2020 21:08:51 +0000
+Subject: [PATCH] lua: fix unintended code execution vulnerability
+
+Backport of upstream commit cce7062a8a6b6a3b3666aea3ff86db879cba67b6
+("lua: fix highly security relevant arbitrary code execution") to
+release 0.32.0.
+
+Note: Before release 0.32.0, it used to be that mpv-related scripts
+directories where added to Lua's module-loaders search path. This
+behaviour was dropped in 0.32.0 (bc1c024ae032). Later, a similar but
+stricter behaviour was introduced (see da38caff9c0b and b86bfc907f9c).
+The original commit on which this patch is based depended on the new
+behaviour. This backport retains the 0.32.0 behaviour; all it does is
+filter out relative paths from "package.path" and "package.cpath" for
+all Lua scripts.
+---
+ player/lua.c | 34 ++++++++++++++++++++++++++++++++++
+ 1 file changed, 34 insertions(+)
+
+--- a/player/lua.c
++++ b/player/lua.c
+@@ -273,6 +273,36 @@
+ return 0;
+ }
+ 
++static void fuck_lua(lua_State *L, const char *search_path)
++{
++ void *tmp = talloc_new(NULL);
++
++ lua_getglobal(L, "package"); // package
++ lua_getfield(L, -1, search_path); // package search_path
++ bstr path = bstr0(lua_tostring(L, -1));
++ char *newpath = talloc_strdup(tmp, "");
++
++ // Unbelievable but true: Lua loads .lua files AND dynamic libraries from
++ // the working directory. This is highly security relevant.
++ // Lua scripts are still supposed to load globally installed libraries, so
++ // try to get by by filtering out any relative paths.
++ while (path.len) {
++ bstr item;
++ bstr_split_tok(path, ";", &item, &path);
++ if (bstr_startswith0(item, "/")) {
++ newpath = talloc_asprintf_append(newpath, "%s%.*s",
++ newpath[0] ? ";" : "",
++ BSTR_P(item));
++ }
++ }
++
++ lua_pushstring(L, newpath); // package search_path newpath
++ lua_setfield(L, -3, search_path); // package search_path
++ lua_pop(L, 2); // -
++
++ talloc_free(tmp);
++}
++
+ static int run_lua(lua_State *L)
+ {
+ struct script_ctx *ctx = lua_touserdata(L, -1);
+@@ -326,6 +356,10 @@
+ 
+ assert(lua_gettop(L) == 0);
+ 
++ fuck_lua(L, "path");
++ fuck_lua(L, "cpath");
++ assert(lua_gettop(L) == 0);
++
+ // run this under an error handler that can do backtraces
+ lua_pushcfunction(L, error_handler); // errf
+ lua_pushcfunction(L, load_scripts); // errf fn
diff --git a/debian/patches/series b/debian/patches/series
index dda1dd6..64961bd 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
 05_add-keywords.patch
 06_ffmpeg-abi.patch
 07_io-stdin-used.patch
+08_lua_security.patch |