Bug#998419: kodi: CVE-2021-42917



Source: kodi
Followup-For: Bug #998419
X-Debbugs-Cc: carnil@debian.org

Hi Salvatore!

I have prepared the 2:19.1+dfsg2-3~deb11u1 upload in Salsa:

https://salsa.debian.org/multimedia-team/kodi-media-center/kodi/-/tree/bullseye

fixing the CVE for bullseye-pu with the debdiff attached.

Vasyl


-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'buildd-unstable'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/6 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C, LC_CTYPE=C (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
diff -Nru kodi-19.1+dfsg2/debian/changelog kodi-19.1+dfsg2/debian/changelog
--- kodi-19.1+dfsg2/debian/changelog	2021-06-24 20:44:30.000000000 +0000
+++ kodi-19.1+dfsg2/debian/changelog	2021-11-04 09:17:25.000000000 +0000
@@ -1,3 +1,10 @@
+kodi (2:19.1+dfsg2-3~deb11u1) bullseye-updates; urgency=medium
+
+  * Branch out bullseye
+  * Fix buffer overflow in PLS playlists (Closes: CVE-2021-42917)
+
+ -- Vasyl Gello <vasek.gello@gmail.com>  Thu, 04 Nov 2021 09:17:25 +0000
+
 kodi (2:19.1+dfsg2-2) unstable; urgency=medium
 
   * Add runtime locale test and fallback (Closes: #989814)
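Review bot: In the new changelog entry, "(Closes: CVE-2021-42917)" will not close anything, because Closes: takes Debian bug numbers. This upload is a follow-up to Bug #998419, so write the line as "Fix buffer overflow in PLS playlists (CVE-2021-42917) (Closes: #998419)". The entry also says "PLS playlists" while the attached patch modifies CPlayListASX::LoadData, so naming the ASX loader would describe the fix more accurately. The distribution field reads bullseye-updates although the mail describes a bullseye-pu upload; confirm that this is the suite the release team expects.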
diff -Nru kodi-19.1+dfsg2/debian/control kodi-19.1+dfsg2/debian/control
--- kodi-19.1+dfsg2/debian/control	2021-06-24 20:44:30.000000000 +0000
+++ kodi-19.1+dfsg2/debian/control	2021-11-04 09:17:25.000000000 +0000
@@ -107,7 +107,7 @@
 Standards-Version: 4.5.1
 Rules-Requires-Root: no
 Vcs-Browser: https://salsa.debian.org/multimedia-team/kodi-media-center/kodi
-Vcs-Git: https://salsa.debian.org/multimedia-team/kodi-media-center/kodi.git
+Vcs-Git: https://salsa.debian.org/multimedia-team/kodi-media-center/kodi.git -b bullseye
 Homepage: https://kodi.tv/
 
 Package: kodi
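Review bot: Vcs-Browser, in the context line above the change, still points at the repository's default view while Vcs-Git now selects "-b bullseye". Point Vcs-Browser at https://salsa.debian.org/multimedia-team/kodi-media-center/kodi/-/tree/bullseye as well, so both fields refer to the branch this upload is built from.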
diff -Nru kodi-19.1+dfsg2/debian/gbp.conf kodi-19.1+dfsg2/debian/gbp.conf
--- kodi-19.1+dfsg2/debian/gbp.conf	2021-06-24 20:44:30.000000000 +0000
+++ kodi-19.1+dfsg2/debian/gbp.conf	2021-11-04 09:17:25.000000000 +0000
@@ -3,3 +3,4 @@
 [DEFAULT]
 filter = */.git*
 components = ["libdate-tz-embedded", "libdvdnav-embedded", "libdvdread-embedded"]
+debian-branch = bullseye
diff -Nru kodi-19.1+dfsg2/debian/patches/series kodi-19.1+dfsg2/debian/patches/series
--- kodi-19.1+dfsg2/debian/patches/series	2021-06-24 20:44:30.000000000 +0000
+++ kodi-19.1+dfsg2/debian/patches/series	2021-11-04 09:17:25.000000000 +0000
@@ -42,3 +42,4 @@
 cdatetime-std-chrono/0002-Use-Debian-tzdata.patch
 cdatetime-std-chrono/0003-Reinstate-date-library-Makefile.patch
 cdatetime-std-chrono/0004-date-library-crash-fix.patch
+stable/CVE-2021-42917.patch
diff -Nru kodi-19.1+dfsg2/debian/patches/stable/CVE-2021-42917.patch kodi-19.1+dfsg2/debian/patches/stable/CVE-2021-42917.patch
--- kodi-19.1+dfsg2/debian/patches/stable/CVE-2021-42917.patch	1970-01-01 00:00:00.000000000 +0000
+++ kodi-19.1+dfsg2/debian/patches/stable/CVE-2021-42917.patch	2021-11-04 09:17:25.000000000 +0000
@@ -0,0 +1,35 @@
+From 80c8138c09598e88b4ddb6dbb279fa193bbb3237 Mon Sep 17 00:00:00 2001
+From: fuzzard <fuzzard@kodi.tv>
+Date: Tue, 12 Oct 2021 17:38:30 +1000
+Subject: [PATCH] [Playlist] dont use istream directly to a tinyxml structure
+
+Turn istream into a std::string to handle large buffers (#20305)
+---
+ xbmc/playlists/PlayListPLS.cpp | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/xbmc/playlists/PlayListPLS.cpp b/xbmc/playlists/PlayListPLS.cpp
+index bc62a1fe7ad5b..17d6e491d25b6 100644
+--- a/xbmc/playlists/PlayListPLS.cpp
++++ b/xbmc/playlists/PlayListPLS.cpp
+@@ -289,8 +289,9 @@ bool CPlayListASX::LoadData(std::istream& stream)
+   }
+   else
+   {
++    std::string asxstream(std::istreambuf_iterator<char>(stream), {});
+     CXBMCTinyXML xmlDoc;
+-    stream >> xmlDoc;
++    xmlDoc.Parse(asxstream, TIXML_DEFAULT_ENCODING);
+ 
+     if (xmlDoc.Error())
+     {
+@@ -300,6 +301,9 @@ bool CPlayListASX::LoadData(std::istream& stream)
+ 
+     TiXmlElement *pRootElement = xmlDoc.RootElement();
+ 
++    if (!pRootElement)
++      return false;
++
+     // lowercase every element
+     TiXmlNode *pNode = pRootElement;
+     TiXmlNode *pChild = NULL;
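Review bot: The added line "std::string asxstream(std::istreambuf_iterator<char>(stream), {});" in CPlayListASX::LoadData copies the entire playlist stream into memory with no upper bound, so an oversized or never-ending playlist source becomes a memory exhaustion problem in place of the overflow. Consider capping the number of bytes read before calling xmlDoc.Parse and returning false when the cap is hit. Separately, the patch header carries only the upstream git From/Date/Subject lines; adding DEP-3 Origin and Bug-Debian fields would record the upstream commit and tie the patch to #998419.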
