Backports exception for kodi 16.1+dfsg1-2~bpo8+2
Dear Backports Team,
Kodi recently fixed an important security issue in 17.3 and I would
like to ask for permission
to update backports' 16.1 version with only a targeted fix instead of
pulling in 17.x.
Changes:
kodi (16.1+dfsg1-2~bpo8+2) jessie-backports; urgency=medium
.
* Fix zip file directory traversal vulnerability (CVE-2017-8314)
(Closes: #863230)
* Add test for CVE-2017-8314 to autotools-based build
I'm open to updating kodi to 17.x, too, in backports later, but it
includes updating many reverse
dependencies and may add regressions from 16.1 which is why I have not
updated the packages
yet.
Thanks,
Balint
diff -Nru kodi-16.1+dfsg1/debian/changelog kodi-16.1+dfsg1/debian/changelog
--- kodi-16.1+dfsg1/debian/changelog 2016-09-26 22:52:48.000000000 +0200
+++ kodi-16.1+dfsg1/debian/changelog 2017-05-29 11:48:11.000000000 +0200
@@ -1,3 +1,11 @@
+kodi (16.1+dfsg1-2~bpo8+2) jessie-backports; urgency=medium
+
+ * Fix zip file directory traversal vulnerability (CVE-2017-8314)
+ (Closes: #863230)
+ * Add test for CVE-2017-8314 to autotools-based build
+
+ -- Balint Reczey <rbalint@ubuntu.com> Mon, 29 May 2017 11:42:30 +0200
+
kodi (16.1+dfsg1-2~bpo8+1) jessie-backports; urgency=medium
* Rebuild for jessie-backports.
diff -Nru kodi-16.1+dfsg1/debian/patches/0005-filesystem-ZipManager-skip-path-traversal.patch kodi-16.1+dfsg1/debian/patches/0005-filesystem-ZipManager-skip-path-traversal.patch
--- kodi-16.1+dfsg1/debian/patches/0005-filesystem-ZipManager-skip-path-traversal.patch 1970-01-01 01:00:00.000000000 +0100
+++ kodi-16.1+dfsg1/debian/patches/0005-filesystem-ZipManager-skip-path-traversal.patch 2017-05-29 11:48:11.000000000 +0200
@@ -0,0 +1,84 @@
+From 35cfe35608b15335ef21d798947fceab3f47c8d7 Mon Sep 17 00:00:00 2001
+From: Rechi <Rechi@users.noreply.github.com>
+Date: Wed, 10 May 2017 10:21:42 +0200
+Subject: [PATCH] [filesystem] ZipManager: skip path traversal
+
+---
+ xbmc/filesystem/ZipManager.cpp | 3 ++-
+ xbmc/filesystem/ZipManager.h | 3 +++
+ xbmc/filesystem/test/CMakeLists.txt | 3 ++-
+ xbmc/filesystem/test/TestZipManager.cpp | 38 +++++++++++++++++++++++++++++++++
+ 4 files changed, 45 insertions(+), 2 deletions(-)
+ create mode 100644 xbmc/filesystem/test/TestZipManager.cpp
+
+--- a/xbmc/filesystem/ZipManager.cpp
++++ b/xbmc/filesystem/ZipManager.cpp
+@@ -198,7 +198,8 @@
+ // Jump after central file header extra field and file comment
+ mFile.Seek(ze.eclength + ze.clength,SEEK_CUR);
+
+- items.push_back(ze);
++ if (!std::regex_search(strName, PATH_TRAVERSAL))
++ items.push_back(ze);
+ }
+
+ /* go through list and figure out file header lengths */
+--- a/xbmc/filesystem/ZipManager.h
++++ b/xbmc/filesystem/ZipManager.h
+@@ -32,12 +32,15 @@
+ #define ECDREC_SIZE 22
+
+ #include <memory.h>
++#include <regex>
+ #include <string>
+ #include <vector>
+ #include <map>
+
+ class CURL;
+
++static const std::regex PATH_TRAVERSAL(R"_((^|\/|\\)\.{2}($|\/|\\))_");
++
+ struct SZipEntry {
+ unsigned int header;
+ unsigned short version;
+--- /dev/null
++++ b/xbmc/filesystem/test/TestZipManager.cpp
+@@ -0,0 +1,38 @@
++/*
++ * Copyright (C) 2017 Team XBMC
++ * http://xbmc.org
++ *
++ * This Program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 2, or (at your option)
++ * any later version.
++ *
++ * This Program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with XBMC; see the file COPYING. If not, see
++ * <http://www.gnu.org/licenses/>.
++ *
++ */
++
++#include "filesystem/ZipManager.h"
++
++#include "gtest/gtest.h"
++
++TEST(TestZipManager, PathTraversal)
++{
++ ASSERT_TRUE(std::regex_search("..", PATH_TRAVERSAL));
++ ASSERT_TRUE(std::regex_search("../test.txt", PATH_TRAVERSAL));
++ ASSERT_TRUE(std::regex_search("..\\test.txt", PATH_TRAVERSAL));
++ ASSERT_TRUE(std::regex_search("test/../test.txt", PATH_TRAVERSAL));
++ ASSERT_TRUE(std::regex_search("test\\../test.txt", PATH_TRAVERSAL));
++ ASSERT_TRUE(std::regex_search("test\\..\\test.txt", PATH_TRAVERSAL));
++
++ ASSERT_FALSE(std::regex_search("...", PATH_TRAVERSAL));
++ ASSERT_FALSE(std::regex_search("..test.txt", PATH_TRAVERSAL));
++ ASSERT_FALSE(std::regex_search("test.txt..", PATH_TRAVERSAL));
++ ASSERT_FALSE(std::regex_search("test..test.txt", PATH_TRAVERSAL));
++}
diff -Nru kodi-16.1+dfsg1/debian/patches/17-add-test-for-CVE-2017-8314-with-autotools-build.patch kodi-16.1+dfsg1/debian/patches/17-add-test-for-CVE-2017-8314-with-autotools-build.patch
--- kodi-16.1+dfsg1/debian/patches/17-add-test-for-CVE-2017-8314-with-autotools-build.patch 1970-01-01 01:00:00.000000000 +0100
+++ kodi-16.1+dfsg1/debian/patches/17-add-test-for-CVE-2017-8314-with-autotools-build.patch 2017-05-29 11:48:11.000000000 +0200
@@ -0,0 +1,12 @@
+--- a/xbmc/filesystem/test/Makefile
++++ b/xbmc/filesystem/test/Makefile
+@@ -4,7 +4,8 @@
+ TestFileFactory.cpp \
+ TestNfsFile.cpp \
+ TestRarFile.cpp \
+- TestZipFile.cpp
++ TestZipFile.cpp \
++ TestZipManager.cpp
+
+ LIB=filesystemTest.a
+
diff -Nru kodi-16.1+dfsg1/debian/patches/series kodi-16.1+dfsg1/debian/patches/series
--- kodi-16.1+dfsg1/debian/patches/series 2016-09-26 22:52:48.000000000 +0200
+++ kodi-16.1+dfsg1/debian/patches/series 2017-05-29 11:48:11.000000000 +0200
@@ -2,6 +2,7 @@
0002-core-added-arm64-support-to-GetKernelCpuFamily.patch
0003-core-added-s390x-support-to-system-info.patch
0004-core-Make-GetKernelBitness-return-64-for-s390x.patch
+0005-filesystem-ZipManager-skip-path-traversal.patch
01_reproducible_build.patch
02_allow_all_arches.patch
03-privacy.patch
@@ -17,3 +18,4 @@
14-ignore-test-results.patch
14-gcc6-cximage-fixes.patch
15-disable-failing-webserver-tests.patch
+17-add-test-for-CVE-2017-8314-with-autotools-build.patch
Reply to: