Bug#863476: unblock: kodi/2:17.1+dfsg1-3

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#863476: unblock: kodi/2:17.1+dfsg1-3
From: Balint Reczey <balint.reczey@canonical.com>
Date: Sat, 27 May 2017 14:23:59 +0200
Message-id: <[🔎] CAG+KjmN_Sf7Wv7ZxjTW1SGFQoww+NanMmmBzO0XZbw3-cUG4Sw@mail.gmail.com>
Reply-to: Balint Reczey <balint.reczey@canonical.com>, 863476@bugs.debian.org

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear Release Team,

Please unblock the kodi update which fixes a security issue:

Changes:
 kodi (2:17.1+dfsg1-3) unstable; urgency=medium
 .
   * Fix zip file directory traversal vulnerability (CVE-2017-8314)
     (Closes: #863230)

Please find the debdiff attached.

Cheers,
Balint

-- 
Balint Reczey
Debian & Ubuntu Developer

diff -Nru kodi-17.1+dfsg1/debian/changelog kodi-17.1+dfsg1/debian/changelog
--- kodi-17.1+dfsg1/debian/changelog	2017-04-14 00:07:38.000000000 +0200
+++ kodi-17.1+dfsg1/debian/changelog	2017-05-27 02:49:58.000000000 +0200
@@ -1,3 +1,10 @@
+kodi (2:17.1+dfsg1-3) unstable; urgency=medium
+
+  * Fix zip file directory traversal vulnerability (CVE-2017-8314)
+    (Closes: #863230)
+
+ -- Balint Reczey <rbalint@ubuntu.com>  Sat, 27 May 2017 00:50:34 +0200
+
 kodi (2:17.1+dfsg1-2) unstable; urgency=medium
 
   * Upload to unstable
diff -Nru kodi-17.1+dfsg1/debian/patches/0005-filesystem-ZipManager-skip-path-traversal.patch kodi-17.1+dfsg1/debian/patches/0005-filesystem-ZipManager-skip-path-traversal.patch
--- kodi-17.1+dfsg1/debian/patches/0005-filesystem-ZipManager-skip-path-traversal.patch	1970-01-01 01:00:00.000000000 +0100
+++ kodi-17.1+dfsg1/debian/patches/0005-filesystem-ZipManager-skip-path-traversal.patch	2017-05-27 02:49:58.000000000 +0200
@@ -0,0 +1,107 @@
+From 35cfe35608b15335ef21d798947fceab3f47c8d7 Mon Sep 17 00:00:00 2001
+From: Rechi <Rechi@users.noreply.github.com>
+Date: Wed, 10 May 2017 10:21:42 +0200
+Subject: [PATCH] [filesystem] ZipManager: skip path traversal
+
+---
+ xbmc/filesystem/ZipManager.cpp          |  3 ++-
+ xbmc/filesystem/ZipManager.h            |  3 +++
+ xbmc/filesystem/test/CMakeLists.txt     |  3 ++-
+ xbmc/filesystem/test/TestZipManager.cpp | 38 +++++++++++++++++++++++++++++++++
+ 4 files changed, 45 insertions(+), 2 deletions(-)
+ create mode 100644 xbmc/filesystem/test/TestZipManager.cpp
+
+diff --git a/xbmc/filesystem/ZipManager.cpp b/xbmc/filesystem/ZipManager.cpp
+index df6220b..f2c6973 100644
+--- a/xbmc/filesystem/ZipManager.cpp
++++ b/xbmc/filesystem/ZipManager.cpp
+@@ -199,7 +199,8 @@ bool CZipManager::GetZipList(const CURL& url, std::vector<SZipEntry>& items)
+     // Jump after central file header extra field and file comment
+     mFile.Seek(ze.eclength + ze.clength,SEEK_CUR);
+ 
+-    items.push_back(ze);
++    if (!std::regex_search(strName, PATH_TRAVERSAL))
++      items.push_back(ze);
+   }
+ 
+   /* go through list and figure out file header lengths */
+diff --git a/xbmc/filesystem/ZipManager.h b/xbmc/filesystem/ZipManager.h
+index 551fe5d..93243b9 100644
+--- a/xbmc/filesystem/ZipManager.h
++++ b/xbmc/filesystem/ZipManager.h
+@@ -32,12 +32,15 @@
+ #define ECDREC_SIZE 22
+ 
+ #include <memory.h>
++#include <regex>
+ #include <string>
+ #include <vector>
+ #include <map>
+ 
+ class CURL;
+ 
++static const std::regex PATH_TRAVERSAL(R"_((^|\/|\\)\.{2}($|\/|\\))_");
++
+ struct SZipEntry {
+   unsigned int header;
+   unsigned short version;
+diff --git a/xbmc/filesystem/test/CMakeLists.txt b/xbmc/filesystem/test/CMakeLists.txt
+index 5d77633..5be4e3d 100644
+--- a/xbmc/filesystem/test/CMakeLists.txt
++++ b/xbmc/filesystem/test/CMakeLists.txt
+@@ -2,6 +2,7 @@ set(SOURCES TestDirectory.cpp
+             TestFile.cpp
+             TestFileFactory.cpp
+             TestRarFile.cpp
+-            TestZipFile.cpp)
++            TestZipFile.cpp
++            TestZipManager.cpp)
+ 
+ core_add_test_library(filesystem_test)
+diff --git a/xbmc/filesystem/test/TestZipManager.cpp b/xbmc/filesystem/test/TestZipManager.cpp
+new file mode 100644
+index 0000000..b72dbb6
+--- /dev/null
++++ b/xbmc/filesystem/test/TestZipManager.cpp
+@@ -0,0 +1,38 @@
++/*
++ *      Copyright (C) 2017 Team XBMC
++ *      http://xbmc.org
++ *
++ *  This Program is free software; you can redistribute it and/or modify
++ *  it under the terms of the GNU General Public License as published by
++ *  the Free Software Foundation; either version 2, or (at your option)
++ *  any later version.
++ *
++ *  This Program is distributed in the hope that it will be useful,
++ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
++ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ *  GNU General Public License for more details.
++ *
++ *  You should have received a copy of the GNU General Public License
++ *  along with XBMC; see the file COPYING.  If not, see
++ *  <http://www.gnu.org/licenses/>.
++ *
++ */
++
++#include "filesystem/ZipManager.h"
++
++#include "gtest/gtest.h"
++
++TEST(TestZipManager, PathTraversal)
++{
++  ASSERT_TRUE(std::regex_search("..", PATH_TRAVERSAL));
++  ASSERT_TRUE(std::regex_search("../test.txt", PATH_TRAVERSAL));
++  ASSERT_TRUE(std::regex_search("..\\test.txt", PATH_TRAVERSAL));
++  ASSERT_TRUE(std::regex_search("test/../test.txt", PATH_TRAVERSAL));
++  ASSERT_TRUE(std::regex_search("test\\../test.txt", PATH_TRAVERSAL));
++  ASSERT_TRUE(std::regex_search("test\\..\\test.txt", PATH_TRAVERSAL));
++
++  ASSERT_FALSE(std::regex_search("...", PATH_TRAVERSAL));
++  ASSERT_FALSE(std::regex_search("..test.txt", PATH_TRAVERSAL));
++  ASSERT_FALSE(std::regex_search("test.txt..", PATH_TRAVERSAL));
++  ASSERT_FALSE(std::regex_search("test..test.txt", PATH_TRAVERSAL));
++}
+-- 
+2.7.4
+
diff -Nru kodi-17.1+dfsg1/debian/patches/17-add-test-for-CVE-2017-8314-with-autotools-build.patch kodi-17.1+dfsg1/debian/patches/17-add-test-for-CVE-2017-8314-with-autotools-build.patch
--- kodi-17.1+dfsg1/debian/patches/17-add-test-for-CVE-2017-8314-with-autotools-build.patch	1970-01-01 01:00:00.000000000 +0100
+++ kodi-17.1+dfsg1/debian/patches/17-add-test-for-CVE-2017-8314-with-autotools-build.patch	2017-05-27 02:49:58.000000000 +0200
@@ -0,0 +1,23 @@
+--- a/xbmc/filesystem/test/Makefile
++++ b/xbmc/filesystem/test/Makefile
+@@ -4,7 +4,8 @@
+   TestFileFactory.cpp \
+   TestNfsFile.cpp \
+   TestRarFile.cpp \
+-  TestZipFile.cpp
++  TestZipFile.cpp \
++  TestZipManager.cpp
+ 
+ LIB=filesystemTest.a
+ 
+--- a/xbmc/filesystem/test/TestZipManager.cpp
++++ b/xbmc/filesystem/test/TestZipManager.cpp
+@@ -18,7 +18,7 @@
+  *
+  */
+ 
+-#include "filesystem/ZipManager.h"
++#include "xbmc/filesystem/ZipManager.h"
+ 
+ #include "gtest/gtest.h"
+ 
diff -Nru kodi-17.1+dfsg1/debian/patches/series kodi-17.1+dfsg1/debian/patches/series
--- kodi-17.1+dfsg1/debian/patches/series	2017-04-14 00:07:38.000000000 +0200
+++ kodi-17.1+dfsg1/debian/patches/series	2017-05-27 02:49:58.000000000 +0200
@@ -1,6 +1,7 @@
 0001-c-pluff-Fix-format-string-warnings.patch
 0003-Revert-droid-fix-builds-with-AML-disabled.patch
 0004-Allocate-and-free-AVFrames-with-the-proper-FFmpeg-AP.patch
+0005-filesystem-ZipManager-skip-path-traversal.patch
 01_reproducible_build.patch
 02_allow_all_arches.patch
 03-privacy.patch
@@ -15,6 +16,7 @@
 14-ignore-test-results.patch
 15-dont-use-openssl.patch
 16-fix-alpha-build.patch
+17-add-test-for-CVE-2017-8314-with-autotools-build.patch
 libdvdnav-0001-xbmc-dvdnav-allow-get-set-vm-state.patch
 libdvdnav-0002-xbmc-dvdnav-expose-dvdnav_get_vm-dvdnav_get_button_i.patch
 libdvdnav-0003-xbmc-dvdnav-detection-of-dvd-name.patch

Reply to:

Follow-Ups:
- Bug#863476: marked as done (unblock: kodi/2:17.1+dfsg1-3)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Bug#863473: unblock: openssl1.0/1.0.2l-1
Next by Date: Processed: Re: Bug#850440: jessie-pu: package w3m/0.5.3-19+deb8u2
Previous by thread: Bug#863473: unblock: openssl1.0/1.0.2l-1
Next by thread: Bug#863476: marked as done (unblock: kodi/2:17.1+dfsg1-3)
Index(es):
- Date
- Thread