Debian Patches

Status for mpv/0.32.0-3

Patch Description Author Forwarded Bugs Origin Last update

03_waf.patch
Provide waf and related scripts

Note that, since upstream does not directly provide a compressed waf script,
there's no need for us to repack the upstream tarball.

James Cowgill <jcowgill@debian.org> not-needed vendor 2017-07-19

05_add-keywords.patch
Add keywords to desktop file

Mateusz Łukasik <mati75@linuxmint.pl> no

06_ffmpeg-abi.patch
Suppress ffmpeg version mismatch error

Requiring an exact ffmpeg version is usually not a good idea in a binary
distribution because:
- All FFmpeg security updates require a subsequent binNMU of mpv.
- Debian generated dependencies do not capture this dependency well (at least
  without extra hacking).
- The requirement itself usually indicates an ABI violation.

For these reasons, remove the check and assume the current FFmpeg version is
compatible.

James Cowgill <jcowgill@debian.org> no debian

07_io-stdin-used.patch
Add _IO_stdin_used to mpv version script

This symbol is used on some architectures by glibc to determine whether the
calling executable is linked with the old libio ABI or the new libio ABI. All
new executables are supposed to have it defined. Unfortunately, if the version
script does not allow this symbol to be exported, glibc will try to use the
old ABI and cause chaos (crashes in various places).

James Cowgill <jcowgill@debian.org> no

08_lua_security.patch
[PATCH] lua: fix unintended code execution vulnerability

Backport of upstream commit cce7062a8a6b6a3b3666aea3ff86db879cba67b6
("lua: fix highly security relevant arbitrary code execution") to
release 0.32.0.

directories were added to Lua's module-loaders search path. This
behaviour was dropped in 0.32.0 (bc1c024ae032). Later, a similar but
stricter behaviour was introduced (see da38caff9c0b and b86bfc907f9c).
The original commit on which this patch is based depended on the new
behaviour. This backport retains the 0.32.0 behaviour; all it does is
filter out relative paths from "package.path" and "package.cpath" for
all Lua scripts.

astian <astian@e-nautia.com> no 2020-02-11

0006-demux_mf-improve-format-string-processing.patch
demux_mf: improve format string processing

Before this commit, the user could specify a printf format string
which wasn't verified, and could result in:
- Undefined behavior due to missing or non-matching arguments.
- Buffer overflow due to untested result length.

The offending code was added at commit 103a9609 (2002, mplayer svn):

It moved around but was not modified meaningfully until now.

Now we reject all conversion specifiers at the format except %%
and a simple subset of the valid specifiers. Also, we now use
snprintf to avoid buffer overflow.

The format string is provided by the user as part of mf:// URI.

Report and initial patch by Stefan Schiller.
Patch reviewed by @jeeb, @sfan5, Stefan Schiller.

(cherry picked from commit cb3fa04bcb2ba9e0d25788480359157208c13e0b)

"Avi Halachmi (:avih)" <avihpit@yahoo.com> no 2021-04-25
