mpv: Remote code execution

mpv: Remote code execution A vulnerability has been found in mpv that may allow a remote attacker to execute arbitrary code. mpv 2018-05-14 2018-05-14 646886 local, remote 0.27.2 0.27.2

Video player based on MPlayer/mplayer2

A vulnerability was discovered in mpv with the handling of HTML documents containing VIDEO elements. Additionally, mpv accepts arbitrary URLs in a src attribute without a protocol whitelist in player/lua/ytdl_hook.lua.

A remote attacker, by enticing the user to visit a specially crafted web site, could execute arbitrary code.

There is no known workaround at this time.

All mpv users should upgrade to the latest version:


      # emerge --sync
      # emerge --ask --oneshot --verbose ">=media-video/mpv-0.27.2"

CVE-2018-6360 jmbailey jmbailey