Bug#863476: unblock: kodi/2:17.1+dfsg1-3
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Dear Release Team,
Please unblock the kodi update which fixes a security issue:
Changes:
kodi (2:17.1+dfsg1-3) unstable; urgency=medium
.
* Fix zip file directory traversal vulnerability (CVE-2017-8314)
(Closes: #863230)
Please find the debdiff attached.
Cheers,
Balint
--
Balint Reczey
Debian & Ubuntu Developer
diff -Nru kodi-17.1+dfsg1/debian/changelog kodi-17.1+dfsg1/debian/changelog
--- kodi-17.1+dfsg1/debian/changelog 2017-04-14 00:07:38.000000000 +0200
+++ kodi-17.1+dfsg1/debian/changelog 2017-05-27 02:49:58.000000000 +0200
@@ -1,3 +1,10 @@
+kodi (2:17.1+dfsg1-3) unstable; urgency=medium
+
+ * Fix zip file directory traversal vulnerability (CVE-2017-8314)
+ (Closes: #863230)
+
+ -- Balint Reczey <rbalint@ubuntu.com> Sat, 27 May 2017 00:50:34 +0200
+
kodi (2:17.1+dfsg1-2) unstable; urgency=medium
* Upload to unstable
diff -Nru kodi-17.1+dfsg1/debian/patches/0005-filesystem-ZipManager-skip-path-traversal.patch kodi-17.1+dfsg1/debian/patches/0005-filesystem-ZipManager-skip-path-traversal.patch
--- kodi-17.1+dfsg1/debian/patches/0005-filesystem-ZipManager-skip-path-traversal.patch 1970-01-01 01:00:00.000000000 +0100
+++ kodi-17.1+dfsg1/debian/patches/0005-filesystem-ZipManager-skip-path-traversal.patch 2017-05-27 02:49:58.000000000 +0200
@@ -0,0 +1,107 @@
+From 35cfe35608b15335ef21d798947fceab3f47c8d7 Mon Sep 17 00:00:00 2001
+From: Rechi <Rechi@users.noreply.github.com>
+Date: Wed, 10 May 2017 10:21:42 +0200
+Subject: [PATCH] [filesystem] ZipManager: skip path traversal
+
+---
+ xbmc/filesystem/ZipManager.cpp | 3 ++-
+ xbmc/filesystem/ZipManager.h | 3 +++
+ xbmc/filesystem/test/CMakeLists.txt | 3 ++-
+ xbmc/filesystem/test/TestZipManager.cpp | 38 +++++++++++++++++++++++++++++++++
+ 4 files changed, 45 insertions(+), 2 deletions(-)
+ create mode 100644 xbmc/filesystem/test/TestZipManager.cpp
+
+diff --git a/xbmc/filesystem/ZipManager.cpp b/xbmc/filesystem/ZipManager.cpp
+index df6220b..f2c6973 100644
+--- a/xbmc/filesystem/ZipManager.cpp
++++ b/xbmc/filesystem/ZipManager.cpp
+@@ -199,7 +199,8 @@ bool CZipManager::GetZipList(const CURL& url, std::vector<SZipEntry>& items)
+ // Jump after central file header extra field and file comment
+ mFile.Seek(ze.eclength + ze.clength,SEEK_CUR);
+
+- items.push_back(ze);
++ if (!std::regex_search(strName, PATH_TRAVERSAL))
++ items.push_back(ze);
+ }
+
+ /* go through list and figure out file header lengths */
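Review bot: An entry whose name matches PATH_TRAVERSAL is dropped from `items` without any trace, so nobody can tell afterwards that an archive carrying `..` components was opened. A warning at the skip site would make this visible, e.g. `else CLog::Log(LOGWARNING, "ZipManager: skipping entry with path traversal: %s", strName.c_str());`, assuming the logging helper is already in scope in this file. The pattern covers only `..` components. Whether absolute entry names (leading `/`, `\` or a drive prefix) need the same treatment depends on how callers join `strName` to the destination, which is outside this hunk, as is the rest of GetZipList.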
+diff --git a/xbmc/filesystem/ZipManager.h b/xbmc/filesystem/ZipManager.h
+index 551fe5d..93243b9 100644
+--- a/xbmc/filesystem/ZipManager.h
++++ b/xbmc/filesystem/ZipManager.h
+@@ -32,12 +32,15 @@
+ #define ECDREC_SIZE 22
+
+ #include <memory.h>
++#include <regex>
+ #include <string>
+ #include <vector>
+ #include <map>
+
+ class CURL;
+
++static const std::regex PATH_TRAVERSAL(R"_((^|\/|\\)\.{2}($|\/|\\))_");
++
+ struct SZipEntry {
+ unsigned int header;
+ unsigned short version;
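Review bot: `static const std::regex PATH_TRAVERSAL` at namespace scope in a header gives every translation unit that includes ZipManager.h its own copy of the regex, each compiled during static initialization, and pulls `<regex>` into all of them. Declaring it here as `extern const std::regex PATH_TRAVERSAL;` and defining it once in ZipManager.cpp keeps the unit test's access while building the pattern a single time. A short comment above it would help the next reader, for example `// matches a ".." path component bounded by '/', '\\' or the start/end of the name`. The `\/` escapes in the pattern are harmless but not needed.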
+diff --git a/xbmc/filesystem/test/CMakeLists.txt b/xbmc/filesystem/test/CMakeLists.txt
+index 5d77633..5be4e3d 100644
+--- a/xbmc/filesystem/test/CMakeLists.txt
++++ b/xbmc/filesystem/test/CMakeLists.txt
+@@ -2,6 +2,7 @@ set(SOURCES TestDirectory.cpp
+ TestFile.cpp
+ TestFileFactory.cpp
+ TestRarFile.cpp
+- TestZipFile.cpp)
++ TestZipFile.cpp
++ TestZipManager.cpp)
+
+ core_add_test_library(filesystem_test)
+diff --git a/xbmc/filesystem/test/TestZipManager.cpp b/xbmc/filesystem/test/TestZipManager.cpp
+new file mode 100644
+index 0000000..b72dbb6
+--- /dev/null
++++ b/xbmc/filesystem/test/TestZipManager.cpp
+@@ -0,0 +1,38 @@
++/*
++ * Copyright (C) 2017 Team XBMC
++ * http://xbmc.org
++ *
++ * This Program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 2, or (at your option)
++ * any later version.
++ *
++ * This Program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with XBMC; see the file COPYING. If not, see
++ * <http://www.gnu.org/licenses/>.
++ *
++ */
++
++#include "filesystem/ZipManager.h"
++
++#include "gtest/gtest.h"
++
++TEST(TestZipManager, PathTraversal)
++{
++ ASSERT_TRUE(std::regex_search("..", PATH_TRAVERSAL));
++ ASSERT_TRUE(std::regex_search("../test.txt", PATH_TRAVERSAL));
++ ASSERT_TRUE(std::regex_search("..\\test.txt", PATH_TRAVERSAL));
++ ASSERT_TRUE(std::regex_search("test/../test.txt", PATH_TRAVERSAL));
++ ASSERT_TRUE(std::regex_search("test\\../test.txt", PATH_TRAVERSAL));
++ ASSERT_TRUE(std::regex_search("test\\..\\test.txt", PATH_TRAVERSAL));
++
++ ASSERT_FALSE(std::regex_search("...", PATH_TRAVERSAL));
++ ASSERT_FALSE(std::regex_search("..test.txt", PATH_TRAVERSAL));
++ ASSERT_FALSE(std::regex_search("test.txt..", PATH_TRAVERSAL));
++ ASSERT_FALSE(std::regex_search("test..test.txt", PATH_TRAVERSAL));
++}
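Review bot: The test asserts on the pattern alone and never runs `CZipManager::GetZipList`, so a regression at the call site (the check removed, or applied to the wrong string) would still pass. A case that lists a small archive fixture containing a `../` entry and checks that it is absent from the returned items would pin the actual fix. Among the pattern cases, a trailing component is not covered; `ASSERT_TRUE(std::regex_search("test/..", PATH_TRAVERSAL));` would close that gap.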
+--
+2.7.4
+
diff -Nru kodi-17.1+dfsg1/debian/patches/17-add-test-for-CVE-2017-8314-with-autotools-build.patch kodi-17.1+dfsg1/debian/patches/17-add-test-for-CVE-2017-8314-with-autotools-build.patch
--- kodi-17.1+dfsg1/debian/patches/17-add-test-for-CVE-2017-8314-with-autotools-build.patch 1970-01-01 01:00:00.000000000 +0100
+++ kodi-17.1+dfsg1/debian/patches/17-add-test-for-CVE-2017-8314-with-autotools-build.patch 2017-05-27 02:49:58.000000000 +0200
@@ -0,0 +1,23 @@
+--- a/xbmc/filesystem/test/Makefile
++++ b/xbmc/filesystem/test/Makefile
+@@ -4,7 +4,8 @@
+ TestFileFactory.cpp \
+ TestNfsFile.cpp \
+ TestRarFile.cpp \
+- TestZipFile.cpp
++ TestZipFile.cpp \
++ TestZipManager.cpp
+
+ LIB=filesystemTest.a
+
+--- a/xbmc/filesystem/test/TestZipManager.cpp
++++ b/xbmc/filesystem/test/TestZipManager.cpp
+@@ -18,7 +18,7 @@
+ *
+ */
+
+-#include "filesystem/ZipManager.h"
++#include "xbmc/filesystem/ZipManager.h"
+
+ #include "gtest/gtest.h"
+
diff -Nru kodi-17.1+dfsg1/debian/patches/series kodi-17.1+dfsg1/debian/patches/series
--- kodi-17.1+dfsg1/debian/patches/series 2017-04-14 00:07:38.000000000 +0200
+++ kodi-17.1+dfsg1/debian/patches/series 2017-05-27 02:49:58.000000000 +0200
@@ -1,6 +1,7 @@
0001-c-pluff-Fix-format-string-warnings.patch
0003-Revert-droid-fix-builds-with-AML-disabled.patch
0004-Allocate-and-free-AVFrames-with-the-proper-FFmpeg-AP.patch
+0005-filesystem-ZipManager-skip-path-traversal.patch
01_reproducible_build.patch
02_allow_all_arches.patch
03-privacy.patch
@@ -15,6 +16,7 @@
14-ignore-test-results.patch
15-dont-use-openssl.patch
16-fix-alpha-build.patch
+17-add-test-for-CVE-2017-8314-with-autotools-build.patch
libdvdnav-0001-xbmc-dvdnav-allow-get-set-vm-state.patch
libdvdnav-0002-xbmc-dvdnav-expose-dvdnav_get_vm-dvdnav_get_button_i.patch
libdvdnav-0003-xbmc-dvdnav-detection-of-dvd-name.patch