mpv: Remote code execution — GLSA 201805-05

A vulnerability has been found in mpv that may allow a remote attacker to execute arbitrary code.

Affected Packages

media-video/mpv on all architectures
Affected versions < 0.27.2
Unaffected versions >= 0.27.2

Background

Video player based on MPlayer/mplayer2

Description

A vulnerability was discovered in mpv with the handling of HTML documents containing VIDEO elements. Additionally, mpv accepts arbitrary URLs in a src attribute without a protocol whitelist in player/lua/ytdl_hook.lua.

Impact

A remote attacker, by enticing the user to visit a specially crafted web site, could execute arbitrary code.

Workaround

There is no known workaround at this time.

Resolution

All mpv users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-video/mpv-0.27.2"
 

References

Release Date
May 14, 2018

Latest Revision
May 14, 2018: 1

Severity
high

Exploitable
local, remote

Bugzilla entries