path: root/multimedia/mythtv/files/patch-CVE-2017-09993a
Diffstat (limited to 'multimedia/mythtv/files/patch-CVE-2017-09993a')
-rw-r--r--multimedia/mythtv/files/patch-CVE-2017-09993a91
1 files changed, 0 insertions, 91 deletions
diff --git a/multimedia/mythtv/files/patch-CVE-2017-09993a b/multimedia/mythtv/files/patch-CVE-2017-09993a
deleted file mode 100644
index 4233ec7558e2..000000000000
--- a/multimedia/mythtv/files/patch-CVE-2017-09993a
+++ /dev/null
@@ -1,91 +0,0 @@
-From 25dac3128b605f2867e3e0f0288b896f84d3a033 Mon Sep 17 00:00:00 2001
-From: Michael Niedermayer <michael@niedermayer.cc>
-Date: Sat, 3 Jun 2017 21:20:04 +0200
-Subject: [PATCH] avformat/hls: Check local file extensions
-
-This reduces the attack surface of local file-system
-information leaking.
-
-It prevents the existing exploit leading to an information leak. As
-well as similar hypothetical attacks.
-
-Leaks of information from files and symlinks ending in common multimedia extensions
-are still possible. But files with sensitive information like private keys and passwords
-generally do not use common multimedia filename extensions.
-It does not stop leaks via remote addresses in the LAN.
-
-The existing exploit depends on a specific decoder as well.
-It does appear though that the exploit should be possible with any decoder.
-The problem is that as long as sensitive information gets into the decoder,
-the output of the decoder becomes sensitive as well.
-The only obvious solution is to prevent access to sensitive information. Or to
-disable hls or possibly some of its feature. More complex solutions like
-checking the path to limit access to only subdirectories of the hls path may
-work as an alternative. But such solutions are fragile and tricky to implement
-portably and would not stop every possible attack nor would they work with all
-valid hls files.
-
-Developers have expressed their dislike / objected to disabling hls by default as well
-as disabling hls with local files. There also where objections against restricting
-remote url file extensions. This here is a less robust but also lower
-inconvenience solution.
-It can be applied stand alone or together with other solutions.
-limiting the check to local files was suggested by nevcairiel
-
-This recommits the security fix without the author name joke which was
-originally requested by Nicolas.
-
-Found-by: Emil Lerner and Pavel Cheremushkin
-Reported-by: Thierry Foucu <tfoucu@google.com>
-
-Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-(cherry picked from commit 189ff4219644532bdfa7bab28dfedaee4d6d4021)
-Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
----
- libavformat/hls.c | 18 +++++++++++++++++-
- 1 file changed, 17 insertions(+), 1 deletion(-)
-
-diff --git libavformat/hls.c libavformat/hls.c
-index 2bf86fadc64..ffefd284f86 100644
---- external/FFmpeg/libavformat/hls.c
-+++ external/FFmpeg/libavformat/hls.c
-@@ -204,6 +204,7 @@ typedef struct HLSContext {
- char *http_proxy; ///< holds the address of the HTTP proxy server
- AVDictionary *avio_opts;
- int strict_std_compliance;
-+ char *allowed_extensions;
- } HLSContext;
-
- static int read_chomp_line(AVIOContext *s, char *buf, int maxlen)
-@@ -618,8 +619,19 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url,
- return AVERROR_INVALIDDATA;
-
- // only http(s) & file are allowed
-- if (!av_strstart(proto_name, "http", NULL) && !av_strstart(proto_name, "file", NULL))
-+ if (av_strstart(proto_name, "file", NULL)) {
-+ if (strcmp(c->allowed_extensions, "ALL") && !av_match_ext(url, c->allowed_extensions)) {
-+ av_log(s, AV_LOG_ERROR,
-+ "Filename extension of \'%s\' is not a common multimedia extension, blocked for security reasons.\n"
-+ "If you wish to override this adjust allowed_extensions, you can set it to \'ALL\' to allow all\n",
-+ url);
-+ return AVERROR_INVALIDDATA;
-+ }
-+ } else if (av_strstart(proto_name, "http", NULL)) {
-+ ;
-+ } else
- return AVERROR_INVALIDDATA;
-+
- if (!strncmp(proto_name, url, strlen(proto_name)) && url[strlen(proto_name)] == ':')
- ;
- else if (av_strstart(url, "crypto", NULL) && !strncmp(proto_name, url + 7, strlen(proto_name)) && url[7 + strlen(proto_name)] == ':')
-@@ -2127,6 +2139,10 @@ static int hls_probe(AVProbeData *p)
- static const AVOption hls_options[] = {
- {"live_start_index", "segment index to start live streams at (negative values are from the end)",
- OFFSET(live_start_index), AV_OPT_TYPE_INT, {.i64 = -3}, INT_MIN, INT_MAX, FLAGS},
-+ {"allowed_extensions", "List of file extensions that hls is allowed to access",
-+ OFFSET(allowed_extensions), AV_OPT_TYPE_STRING,
-+ {.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"},
-+ INT_MIN, INT_MAX, FLAGS},
- {NULL}
- };
-