
Bug#863476: marked as done (unblock: kodi/2:17.1+dfsg1-3)



Your message dated Sat, 27 May 2017 21:54:19 +0200
with message-id <20170527195417.GA4539@ugent.be>
and subject line Re: unblock: kodi/2:17.1+dfsg1-3
has caused the Debian Bug report #863476,
regarding unblock: kodi/2:17.1+dfsg1-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
863476: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863476
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear Release Team,

Please unblock the kodi update which fixes a security issue:

Changes:
 kodi (2:17.1+dfsg1-3) unstable; urgency=medium
 .
   * Fix zip file directory traversal vulnerability (CVE-2017-8314)
     (Closes: #863230)

Please find the debdiff attached.

Cheers,
Balint

-- 
Balint Reczey
Debian & Ubuntu Developer
diff -Nru kodi-17.1+dfsg1/debian/changelog kodi-17.1+dfsg1/debian/changelog
--- kodi-17.1+dfsg1/debian/changelog	2017-04-14 00:07:38.000000000 +0200
+++ kodi-17.1+dfsg1/debian/changelog	2017-05-27 02:49:58.000000000 +0200
@@ -1,3 +1,10 @@
+kodi (2:17.1+dfsg1-3) unstable; urgency=medium
+
+  * Fix zip file directory traversal vulnerability (CVE-2017-8314)
+    (Closes: #863230)
+
+ -- Balint Reczey <rbalint@ubuntu.com>  Sat, 27 May 2017 00:50:34 +0200
+
 kodi (2:17.1+dfsg1-2) unstable; urgency=medium
 
   * Upload to unstable
diff -Nru kodi-17.1+dfsg1/debian/patches/0005-filesystem-ZipManager-skip-path-traversal.patch kodi-17.1+dfsg1/debian/patches/0005-filesystem-ZipManager-skip-path-traversal.patch
--- kodi-17.1+dfsg1/debian/patches/0005-filesystem-ZipManager-skip-path-traversal.patch	1970-01-01 01:00:00.000000000 +0100
+++ kodi-17.1+dfsg1/debian/patches/0005-filesystem-ZipManager-skip-path-traversal.patch	2017-05-27 02:49:58.000000000 +0200
@@ -0,0 +1,107 @@
+From 35cfe35608b15335ef21d798947fceab3f47c8d7 Mon Sep 17 00:00:00 2001
+From: Rechi <Rechi@users.noreply.github.com>
+Date: Wed, 10 May 2017 10:21:42 +0200
+Subject: [PATCH] [filesystem] ZipManager: skip path traversal
+
+---
+ xbmc/filesystem/ZipManager.cpp          |  3 ++-
+ xbmc/filesystem/ZipManager.h            |  3 +++
+ xbmc/filesystem/test/CMakeLists.txt     |  3 ++-
+ xbmc/filesystem/test/TestZipManager.cpp | 38 +++++++++++++++++++++++++++++++++
+ 4 files changed, 45 insertions(+), 2 deletions(-)
+ create mode 100644 xbmc/filesystem/test/TestZipManager.cpp
+
+diff --git a/xbmc/filesystem/ZipManager.cpp b/xbmc/filesystem/ZipManager.cpp
+index df6220b..f2c6973 100644
+--- a/xbmc/filesystem/ZipManager.cpp
++++ b/xbmc/filesystem/ZipManager.cpp
+@@ -199,7 +199,8 @@ bool CZipManager::GetZipList(const CURL& url, std::vector<SZipEntry>& items)
+     // Jump after central file header extra field and file comment
+     mFile.Seek(ze.eclength + ze.clength,SEEK_CUR);
+ 
+-    items.push_back(ze);
++    if (!std::regex_search(strName, PATH_TRAVERSAL))
++      items.push_back(ze);
+   }
+ 
+   /* go through list and figure out file header lengths */
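Review bot: The new `if` around `items.push_back(ze)` drops a matching entry without leaving any trace, so someone who opens a crafted archive sees a shorter listing and nothing in the log explains why. Log a warning with the archive URL and the rejected `strName` before skipping it. That also gives anyone triaging a suspicious archive a string to search for.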
+diff --git a/xbmc/filesystem/ZipManager.h b/xbmc/filesystem/ZipManager.h
+index 551fe5d..93243b9 100644
+--- a/xbmc/filesystem/ZipManager.h
++++ b/xbmc/filesystem/ZipManager.h
+@@ -32,12 +32,15 @@
+ #define ECDREC_SIZE 22
+ 
+ #include <memory.h>
++#include <regex>
+ #include <string>
+ #include <vector>
+ #include <map>
+ 
+ class CURL;
+ 
++static const std::regex PATH_TRAVERSAL(R"_((^|\/|\\)\.{2}($|\/|\\))_");
++
+ struct SZipEntry {
+   unsigned int header;
+   unsigned short version;
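Review bot: `static const std::regex PATH_TRAVERSAL(...)` at namespace scope in ZipManager.h gives every translation unit that includes the header its own copy, each compiled during static initialization. Define it once in ZipManager.cpp, or expose it through a function that returns a function-local static. The pattern matches only a `..` path component, so entry names that begin with `/`, `\` or a drive prefix pass this filter and have to be handled where the extraction target path is built. Inside the raw string the `\/` escape is not needed; a plain `/` is enough.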
+diff --git a/xbmc/filesystem/test/CMakeLists.txt b/xbmc/filesystem/test/CMakeLists.txt
+index 5d77633..5be4e3d 100644
+--- a/xbmc/filesystem/test/CMakeLists.txt
++++ b/xbmc/filesystem/test/CMakeLists.txt
+@@ -2,6 +2,7 @@ set(SOURCES TestDirectory.cpp
+             TestFile.cpp
+             TestFileFactory.cpp
+             TestRarFile.cpp
+-            TestZipFile.cpp)
++            TestZipFile.cpp
++            TestZipManager.cpp)
+ 
+ core_add_test_library(filesystem_test)
+diff --git a/xbmc/filesystem/test/TestZipManager.cpp b/xbmc/filesystem/test/TestZipManager.cpp
+new file mode 100644
+index 0000000..b72dbb6
+--- /dev/null
++++ b/xbmc/filesystem/test/TestZipManager.cpp
+@@ -0,0 +1,38 @@
++/*
++ *      Copyright (C) 2017 Team XBMC
++ *      http://xbmc.org
++ *
++ *  This Program is free software; you can redistribute it and/or modify
++ *  it under the terms of the GNU General Public License as published by
++ *  the Free Software Foundation; either version 2, or (at your option)
++ *  any later version.
++ *
++ *  This Program is distributed in the hope that it will be useful,
++ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
++ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ *  GNU General Public License for more details.
++ *
++ *  You should have received a copy of the GNU General Public License
++ *  along with XBMC; see the file COPYING.  If not, see
++ *  <http://www.gnu.org/licenses/>.
++ *
++ */
++
++#include "filesystem/ZipManager.h"
++
++#include "gtest/gtest.h"
++
++TEST(TestZipManager, PathTraversal)
++{
++  ASSERT_TRUE(std::regex_search("..", PATH_TRAVERSAL));
++  ASSERT_TRUE(std::regex_search("../test.txt", PATH_TRAVERSAL));
++  ASSERT_TRUE(std::regex_search("..\\test.txt", PATH_TRAVERSAL));
++  ASSERT_TRUE(std::regex_search("test/../test.txt", PATH_TRAVERSAL));
++  ASSERT_TRUE(std::regex_search("test\\../test.txt", PATH_TRAVERSAL));
++  ASSERT_TRUE(std::regex_search("test\\..\\test.txt", PATH_TRAVERSAL));
++
++  ASSERT_FALSE(std::regex_search("...", PATH_TRAVERSAL));
++  ASSERT_FALSE(std::regex_search("..test.txt", PATH_TRAVERSAL));
++  ASSERT_FALSE(std::regex_search("test.txt..", PATH_TRAVERSAL));
++  ASSERT_FALSE(std::regex_search("test..test.txt", PATH_TRAVERSAL));
++}
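Review bot: `TEST(TestZipManager, PathTraversal)` checks only the `PATH_TRAVERSAL` regex, so nothing verifies that `CZipManager::GetZipList` actually leaves such entries out of `items`. Add a case that runs `GetZipList` on a small fixture archive containing a `../` entry and asserts on the returned list. The string cases should also include a trailing component after a separator, such as `test/..` and `test\\..`, which no assertion covers.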
+-- 
+2.7.4
+
diff -Nru kodi-17.1+dfsg1/debian/patches/17-add-test-for-CVE-2017-8314-with-autotools-build.patch kodi-17.1+dfsg1/debian/patches/17-add-test-for-CVE-2017-8314-with-autotools-build.patch
--- kodi-17.1+dfsg1/debian/patches/17-add-test-for-CVE-2017-8314-with-autotools-build.patch	1970-01-01 01:00:00.000000000 +0100
+++ kodi-17.1+dfsg1/debian/patches/17-add-test-for-CVE-2017-8314-with-autotools-build.patch	2017-05-27 02:49:58.000000000 +0200
@@ -0,0 +1,23 @@
+--- a/xbmc/filesystem/test/Makefile
++++ b/xbmc/filesystem/test/Makefile
+@@ -4,7 +4,8 @@
+   TestFileFactory.cpp \
+   TestNfsFile.cpp \
+   TestRarFile.cpp \
+-  TestZipFile.cpp
++  TestZipFile.cpp \
++  TestZipManager.cpp
+ 
+ LIB=filesystemTest.a
+ 
+--- a/xbmc/filesystem/test/TestZipManager.cpp
++++ b/xbmc/filesystem/test/TestZipManager.cpp
+@@ -18,7 +18,7 @@
+  *
+  */
+ 
+-#include "filesystem/ZipManager.h"
++#include "xbmc/filesystem/ZipManager.h"
+ 
+ #include "gtest/gtest.h"
+ 
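Review bot: The 17-add-test-for-CVE-2017-8314-with-autotools-build.patch file has no description header before its first `--- a/xbmc/filesystem/test/Makefile` line. Add DEP-3 fields (Description, Author, Forwarded) recording that the Makefile entry and the `"xbmc/filesystem/ZipManager.h"` include path are needed for the autotools build. Its second hunk edits TestZipManager.cpp, a file that exists only once 0005 has been applied, so the header should state that ordering dependency as well.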
diff -Nru kodi-17.1+dfsg1/debian/patches/series kodi-17.1+dfsg1/debian/patches/series
--- kodi-17.1+dfsg1/debian/patches/series	2017-04-14 00:07:38.000000000 +0200
+++ kodi-17.1+dfsg1/debian/patches/series	2017-05-27 02:49:58.000000000 +0200
@@ -1,6 +1,7 @@
 0001-c-pluff-Fix-format-string-warnings.patch
 0003-Revert-droid-fix-builds-with-AML-disabled.patch
 0004-Allocate-and-free-AVFrames-with-the-proper-FFmpeg-AP.patch
+0005-filesystem-ZipManager-skip-path-traversal.patch
 01_reproducible_build.patch
 02_allow_all_arches.patch
 03-privacy.patch
@@ -15,6 +16,7 @@
 14-ignore-test-results.patch
 15-dont-use-openssl.patch
 16-fix-alpha-build.patch
+17-add-test-for-CVE-2017-8314-with-autotools-build.patch
 libdvdnav-0001-xbmc-dvdnav-allow-get-set-vm-state.patch
 libdvdnav-0002-xbmc-dvdnav-expose-dvdnav_get_vm-dvdnav_get_button_i.patch
 libdvdnav-0003-xbmc-dvdnav-detection-of-dvd-name.patch

--- End Message ---
--- Begin Message ---
Hi,

On Sat, May 27, 2017 at 02:23:59PM +0200, Balint Reczey wrote:
> Please unblock the kodi update which fixes a security issue:

Unblocked by Niels.

Cheers,

Ivo

--- End Message ---
