Your message dated Sat, 27 May 2017 21:54:19 +0200
with message-id <[email protected]>
and subject line Re: unblock: kodi/2:17.1+dfsg1-3
has caused the Debian Bug report #863476,
regarding unblock: kodi/2:17.1+dfsg1-3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
863476: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863476
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Dear Release Team,
Please unblock the kodi update which fixes a security issue:
Changes:
kodi (2:17.1+dfsg1-3) unstable; urgency=medium
.
* Fix zip file directory traversal vulnerability (CVE-2017-8314)
(Closes: #863230)
Please find the debdiff attached.
Cheers,
Balint
--
Balint Reczey
Debian & Ubuntu Developer
diff -Nru kodi-17.1+dfsg1/debian/changelog kodi-17.1+dfsg1/debian/changelog
--- kodi-17.1+dfsg1/debian/changelog 2017-04-14 00:07:38.000000000 +0200
+++ kodi-17.1+dfsg1/debian/changelog 2017-05-27 02:49:58.000000000 +0200
@@ -1,3 +1,10 @@
+kodi (2:17.1+dfsg1-3) unstable; urgency=medium
+
+ * Fix zip file directory traversal vulnerability (CVE-2017-8314)
+ (Closes: #863230)
+
+ -- Balint Reczey <[email protected]> Sat, 27 May 2017 00:50:34 +0200
+
kodi (2:17.1+dfsg1-2) unstable; urgency=medium
* Upload to unstable
diff -Nru kodi-17.1+dfsg1/debian/patches/0005-filesystem-ZipManager-skip-path-traversal.patch kodi-17.1+dfsg1/debian/patches/0005-filesystem-ZipManager-skip-path-traversal.patch
--- kodi-17.1+dfsg1/debian/patches/0005-filesystem-ZipManager-skip-path-traversal.patch 1970-01-01 01:00:00.000000000 +0100
+++ kodi-17.1+dfsg1/debian/patches/0005-filesystem-ZipManager-skip-path-traversal.patch 2017-05-27 02:49:58.000000000 +0200
@@ -0,0 +1,107 @@
+From 35cfe35608b15335ef21d798947fceab3f47c8d7 Mon Sep 17 00:00:00 2001
+From: Rechi <[email protected]>
+Date: Wed, 10 May 2017 10:21:42 +0200
+Subject: [PATCH] [filesystem] ZipManager: skip path traversal
+
+---
+ xbmc/filesystem/ZipManager.cpp | 3 ++-
+ xbmc/filesystem/ZipManager.h | 3 +++
+ xbmc/filesystem/test/CMakeLists.txt | 3 ++-
+ xbmc/filesystem/test/TestZipManager.cpp | 38 +++++++++++++++++++++++++++++++++
+ 4 files changed, 45 insertions(+), 2 deletions(-)
+ create mode 100644 xbmc/filesystem/test/TestZipManager.cpp
+
+diff --git a/xbmc/filesystem/ZipManager.cpp b/xbmc/filesystem/ZipManager.cpp
+index df6220b..f2c6973 100644
+--- a/xbmc/filesystem/ZipManager.cpp
++++ b/xbmc/filesystem/ZipManager.cpp
+@@ -199,7 +199,8 @@ bool CZipManager::GetZipList(const CURL& url, std::vector<SZipEntry>& items)
+ // Jump after central file header extra field and file comment
+ mFile.Seek(ze.eclength + ze.clength,SEEK_CUR);
+
+- items.push_back(ze);
++ if (!std::regex_search(strName, PATH_TRAVERSAL))
++ items.push_back(ze);
+ }
+
+ /* go through list and figure out file header lengths */
+diff --git a/xbmc/filesystem/ZipManager.h b/xbmc/filesystem/ZipManager.h
+index 551fe5d..93243b9 100644
+--- a/xbmc/filesystem/ZipManager.h
++++ b/xbmc/filesystem/ZipManager.h
+@@ -32,12 +32,15 @@
+ #define ECDREC_SIZE 22
+
+ #include <memory.h>
++#include <regex>
+ #include <string>
+ #include <vector>
+ #include <map>
+
+ class CURL;
+
++static const std::regex PATH_TRAVERSAL(R"_((^|\/|\\)\.{2}($|\/|\\))_");
++
+ struct SZipEntry {
+ unsigned int header;
+ unsigned short version;
+diff --git a/xbmc/filesystem/test/CMakeLists.txt b/xbmc/filesystem/test/CMakeLists.txt
+index 5d77633..5be4e3d 100644
+--- a/xbmc/filesystem/test/CMakeLists.txt
++++ b/xbmc/filesystem/test/CMakeLists.txt
+@@ -2,6 +2,7 @@ set(SOURCES TestDirectory.cpp
+ TestFile.cpp
+ TestFileFactory.cpp
+ TestRarFile.cpp
+- TestZipFile.cpp)
++ TestZipFile.cpp
++ TestZipManager.cpp)
+
+ core_add_test_library(filesystem_test)
+diff --git a/xbmc/filesystem/test/TestZipManager.cpp b/xbmc/filesystem/test/TestZipManager.cpp
+new file mode 100644
+index 0000000..b72dbb6
+--- /dev/null
++++ b/xbmc/filesystem/test/TestZipManager.cpp
+@@ -0,0 +1,38 @@
++/*
++ * Copyright (C) 2017 Team XBMC
++ * http://xbmc.org
++ *
++ * This Program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 2, or (at your option)
++ * any later version.
++ *
++ * This Program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with XBMC; see the file COPYING. If not, see
++ * <http://www.gnu.org/licenses/>.
++ *
++ */
++
++#include "filesystem/ZipManager.h"
++
++#include "gtest/gtest.h"
++
++TEST(TestZipManager, PathTraversal)
++{
++ ASSERT_TRUE(std::regex_search("..", PATH_TRAVERSAL));
++ ASSERT_TRUE(std::regex_search("../test.txt", PATH_TRAVERSAL));
++ ASSERT_TRUE(std::regex_search("..\\test.txt", PATH_TRAVERSAL));
++ ASSERT_TRUE(std::regex_search("test/../test.txt", PATH_TRAVERSAL));
++ ASSERT_TRUE(std::regex_search("test\\../test.txt", PATH_TRAVERSAL));
++ ASSERT_TRUE(std::regex_search("test\\..\\test.txt", PATH_TRAVERSAL));
++
++ ASSERT_FALSE(std::regex_search("...", PATH_TRAVERSAL));
++ ASSERT_FALSE(std::regex_search("..test.txt", PATH_TRAVERSAL));
++ ASSERT_FALSE(std::regex_search("test.txt..", PATH_TRAVERSAL));
++ ASSERT_FALSE(std::regex_search("test..test.txt", PATH_TRAVERSAL));
++}
+--
+2.7.4
+
diff -Nru kodi-17.1+dfsg1/debian/patches/17-add-test-for-CVE-2017-8314-with-autotools-build.patch kodi-17.1+dfsg1/debian/patches/17-add-test-for-CVE-2017-8314-with-autotools-build.patch
--- kodi-17.1+dfsg1/debian/patches/17-add-test-for-CVE-2017-8314-with-autotools-build.patch 1970-01-01 01:00:00.000000000 +0100
+++ kodi-17.1+dfsg1/debian/patches/17-add-test-for-CVE-2017-8314-with-autotools-build.patch 2017-05-27 02:49:58.000000000 +0200
@@ -0,0 +1,23 @@
+--- a/xbmc/filesystem/test/Makefile
++++ b/xbmc/filesystem/test/Makefile
+@@ -4,7 +4,8 @@
+ TestFileFactory.cpp \
+ TestNfsFile.cpp \
+ TestRarFile.cpp \
+- TestZipFile.cpp
++ TestZipFile.cpp \
++ TestZipManager.cpp
+
+ LIB=filesystemTest.a
+
+--- a/xbmc/filesystem/test/TestZipManager.cpp
++++ b/xbmc/filesystem/test/TestZipManager.cpp
+@@ -18,7 +18,7 @@
+ *
+ */
+
+-#include "filesystem/ZipManager.h"
++#include "xbmc/filesystem/ZipManager.h"
+
+ #include "gtest/gtest.h"
+
diff -Nru kodi-17.1+dfsg1/debian/patches/series kodi-17.1+dfsg1/debian/patches/series
--- kodi-17.1+dfsg1/debian/patches/series 2017-04-14 00:07:38.000000000 +0200
+++ kodi-17.1+dfsg1/debian/patches/series 2017-05-27 02:49:58.000000000 +0200
@@ -1,6 +1,7 @@
0001-c-pluff-Fix-format-string-warnings.patch
0003-Revert-droid-fix-builds-with-AML-disabled.patch
0004-Allocate-and-free-AVFrames-with-the-proper-FFmpeg-AP.patch
+0005-filesystem-ZipManager-skip-path-traversal.patch
01_reproducible_build.patch
02_allow_all_arches.patch
03-privacy.patch
@@ -15,6 +16,7 @@
14-ignore-test-results.patch
15-dont-use-openssl.patch
16-fix-alpha-build.patch
+17-add-test-for-CVE-2017-8314-with-autotools-build.patch
libdvdnav-0001-xbmc-dvdnav-allow-get-set-vm-state.patch
libdvdnav-0002-xbmc-dvdnav-expose-dvdnav_get_vm-dvdnav_get_button_i.patch
libdvdnav-0003-xbmc-dvdnav-detection-of-dvd-name.patch
--- End Message ---
--- Begin Message ---
Hi,
On Sat, May 27, 2017 at 02:23:59PM +0200, Balint Reczey wrote:
> Please unblock the kodi update which fixes a security issue:
Unblocked by Niels.
Cheers,
Ivo
--- End Message ---
