mpv through 0.28.0 allows remote attackers to execute arbitrary code via a
crafted web site, because it reads HTML documents containing VIDEO
elements, and accepts arbitrary URLs in a src attribute without a protocol
whitelist in player/lua/ytdl_hook.lua. For example, an
av://lavfi:ladspa=file= URL signifies that the product should call dlopen
on a shared object file located at an arbitrary local pathname. The issue
exists because the product does not consider that youtube-dl can provide a
potentially unsafe URL.
Source: mpv (LP Ubuntu Debian)
Upstream:released (0.27.0-3)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was needs-triage)
Ubuntu 16.04 LTS (Xenial Xerus):needed
Ubuntu 18.04 LTS (Bionic Beaver):released (0.27.2-1ubuntu1)
Ubuntu 19.04 (Disco Dingo):released (0.27.2-1ubuntu1)
Ubuntu 19.10 (Eoan):released (0.27.2-1ubuntu1)
More Information

Updated: 2019-10-18 02:41:42 UTC (commit cccfc4426d8c1fbf582a89d981fe7fc812124543)