CVE-2020-19824

NameCVE-2020-19824
DescriptionAn issue in MPV v.0.29.1 fixed in v0.30 allows attackers to execute arbitrary code and crash program via the ao_c parameter.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3358-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
mpv (PTS)jessie0.6.2-2vulnerable
stretch (security), stretch (lts), stretch0.23.0-2+deb9u2vulnerable
buster (security), buster, buster (lts)0.29.1-1+deb10u1fixed
bullseye0.32.0-3fixed
bookworm0.35.1-4fixed
sid, trixie0.38.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
mpvsourcejessie(unfixed)end-of-life
mpvsourcestretch(unfixed)end-of-life
mpvsourcebuster0.29.1-1+deb10u1DLA-3358-1
mpvsource(unstable)0.30.0-1

Notes

https://github.com/mpv-player/mpv/issues/6808
https://github.com/mpv-player/mpv/commit/5858e3cdbd6fbae3ed80366912dd5df0af4fa126 (v0.30.0)

Search for package or bug name: Reporting problems