
Bug#998419: kodi: CVE-2021-42917



Hi Vasyl,

On Wed, Nov 03, 2021 at 10:05:01PM +0000, Vasyl Gello wrote:
> Control: fixed -1 2:19.3+dfsg1-1
> Control: found -1 2:19.1+dfsg2-2~bpo10+1-1
> 
> Hi Salvatore!
> 
> This bug was fixed in 19.3 upstream, and the sid/bookworm version is not vulnerable.

Yes, you are right, that was an error on my side, checking the source,
upstream commit and where the fix was included, thanks for correcting,
and apologies for the bad tracking at first. I double checked what
happened, and it was definitively that I got confused about the
inclusion from the upstream commit and not realizing it is in 19.3
already.

> I would like to upload 19.3 to stable-pu or stable-sec but the
> approval from SRM is pending for 19.2.
> 
> Is it possible to upload 2:19.3+dfsg1-1 to stable-sec as a whole package?
> Or I have to apply the patch for 2:19.1+dfsg2-2 and upload -3?

I'm not yet sure the issue would warrant a security update per se, but
the question can be answered for both DSA and update via a point
release: 2:19.3+dfsg1-1 could not enter bullseye directly. If you do a
rebase to the 19.3 upstream then this would be either a "rebuild"
approach 2:19.3+dfsg1-1~deb11u1 (if no other changes to packaging are to
be done) or, if you import 19.3 on top of the current bullseye
packaging because there were other changes not suitable in the meantime,
then 2:19.3+dfsg1-0+deb11u1 to have it sorting before 2:19.3+dfsg1-1.

The general strategy is to cherry-pick commits, but as you know there
are some sources with exceptions to that rule for stable updates,
firefox, linux, mariadb, php, ffmpeg are such cases, and they have
some guarantee from CI and testsuites, promises about stability
(e.g. no new features, bugfix-only branches, etc ...).

If you are discussing this already with SRM then this is indeed the
way to go to see if they agree on your proposal to follow the 19.x
series for kodi for bullseye.

Likewise for buster, by cherry-picking the fix, be it for an upcoming
point release or a DSA.

I cannot answer the question for stretch directly, but I see that LTS
would like to issue a DLA for it.

Regards,
Salvatore
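The version strings discussed in the reply above (the "rebuild" form 2:19.3+dfsg1-1~deb11u1 and the "import on top of bullseye packaging" form 2:19.3+dfsg1-0+deb11u1, both of which must sort before 2:19.3+dfsg1-1 so that an upgrade to the later unstable/testing package still works) only make sense once you know how dpkg orders versions. The following is an added example, not code from the thread or from the kodi packaging: a Python port of the comparison rules from Debian Policy 5.6.12 and dpkg's verrevcmp (epoch, then upstream version, then Debian revision; '~' sorts before everything including the end of the string; letters sort before non-letters; digit runs compare numerically). The function names, and the sample version list, are my own.

```python
"""Debian version ordering, ported from the rules in Debian Policy 5.6.12.

Added example (not from the bug thread): shows why
  2:19.3+dfsg1-1~deb11u1  and  2:19.3+dfsg1-0+deb11u1
both sort below 2:19.3+dfsg1-1, the property a stable update needs.
"""
from functools import cmp_to_key


def _isdigit(c):
    # ASCII digits only, matching dpkg's c_isdigit (str.isdigit is wider).
    return "0" <= c <= "9"


def _order(c):
    # Weight of a single character in a non-digit run, as in dpkg's order():
    # digits and end-of-string weigh 0, '~' is below everything else,
    # letters weigh their ASCII value, other punctuation sorts after letters.
    if c == "":
        return 0
    if _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _char(s, i):
    # Character at index i, or '' once the string is exhausted (like a NUL byte).
    return s[i] if i < len(s) else ""


def _verrevcmp(a, b):
    """Compare two version fragments (upstream part or revision part)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Compare the non-digit run character by character.
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac, bc = _order(_char(a, i)), _order(_char(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Compare the digit run numerically: drop leading zeros, then the
        # longer run wins, otherwise the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and _isdigit(a[i]) and j < len(b) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision).

    A missing revision is the empty string, which _verrevcmp treats as equal
    to '0', as Policy requires.
    """
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 like `dpkg --compare-versions a lt/eq/gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def sort_versions(versions):
    """Return the versions in ascending dpkg order."""
    return sorted(versions, key=cmp_to_key(compare_versions))


if __name__ == "__main__":
    # Constructed sample: the candidates discussed for bullseye plus the
    # current bullseye version, printed lowest to highest.
    for v in sort_versions(["2:19.3+dfsg1-1", "2:19.3+dfsg1-1~deb11u1",
                            "2:19.3+dfsg1-0+deb11u1", "2:19.1+dfsg2-2"]):
        print(v)
```

Both stable-update forms land between the current bullseye version and the unstable 2:19.3+dfsg1-1, and the bpo-style suffix ~bpo10+1 sorts below the plain revision for the same reason ('~' is lower than end-of-string). Run `dpkg --compare-versions` on a Debian host to cross-check any pair; the port above is for reading, not a replacement for dpkg.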

