
Bug#999509: marked as done (bullseye-pu: package kodi/2:19.1+dfsg2-3~deb11u1)



Your message dated Sat, 18 Dec 2021 11:36:17 +0000
with message-id <f35b13da0620aab462a587a3d6f06f29a527c6c9.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for changes included in 11.2
has caused the Debian Bug report #999509,
regarding bullseye-pu: package kodi/2:19.1+dfsg2-3~deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
999509: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=999509
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: mattia@debian.org

[ Reason ]

Targeted fix for CVE-2021-42917

[ Impact ]

Users might experience a denial-of-service triggered remotely by loading
a specially crafted PLS playlist.

[ Tests ]

Build + autopkgtest + manual test with reproducer from
https://github.com/xbmc/xbmc/issues/20305

[ Risks ]

Patch is trivial, so risk is greater from vulnerability itself rather than
from patch applied.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

One patch added to fix the vulnerability plus necessary
changes in d/control, d/gbp.conf and d/changelog to make
bullseye a separate branch

[ Other info ]

I would like to get this in bullseye so that I can decouple the 19.4 build in unstable
from the requirement to keep the older versions of embedded libdvdnav, dvdread. Also
keeping 19.4 compatible with bullseye prevents me from fixing other bugs involving
changes in binary package contents (and introducing new binary packages, too).
diff -Nru kodi-19.1+dfsg2/debian/changelog kodi-19.1+dfsg2/debian/changelog
--- kodi-19.1+dfsg2/debian/changelog	2021-06-24 20:44:30.000000000 +0000
+++ kodi-19.1+dfsg2/debian/changelog	2021-11-04 09:17:25.000000000 +0000
@@ -1,3 +1,10 @@
+kodi (2:19.1+dfsg2-3~deb11u1) bullseye-updates; urgency=medium
+
+  * Branch out bullseye
+  * Fix buffer overflow in PLS playlists (Closes: CVE-2021-42917)
+
+ -- Vasyl Gello <vasek.gello@gmail.com>  Thu, 04 Nov 2021 09:17:25 +0000
+
 kodi (2:19.1+dfsg2-2) unstable; urgency=medium
 
   * Add runtime locale test and fallback (Closes: #989814)
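Review bot: The new entry's "Fix buffer overflow in PLS playlists" line does not match what the shipped patch touches: the patch modifies CPlayListASX::LoadData in xbmc/playlists/PlayListPLS.cpp, which is the ASX/XML loading path. Consider naming the patch file (stable/CVE-2021-42917.patch) and the affected loader in the entry so the changelog can be audited against the diff. Also, "Closes: CVE-2021-42917" uses the bug-closing keyword with a CVE id rather than a bug number as in "Closes: #989814" in the entry below it; stating the CVE id in plain text, and closing a tracked bug number if one exists, would be clearer.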
diff -Nru kodi-19.1+dfsg2/debian/control kodi-19.1+dfsg2/debian/control
--- kodi-19.1+dfsg2/debian/control	2021-06-24 20:44:30.000000000 +0000
+++ kodi-19.1+dfsg2/debian/control	2021-11-04 09:17:25.000000000 +0000
@@ -107,7 +107,7 @@
 Standards-Version: 4.5.1
 Rules-Requires-Root: no
 Vcs-Browser: https://salsa.debian.org/multimedia-team/kodi-media-center/kodi
-Vcs-Git: https://salsa.debian.org/multimedia-team/kodi-media-center/kodi.git
+Vcs-Git: https://salsa.debian.org/multimedia-team/kodi-media-center/kodi.git -b bullseye
 Homepage: https://kodi.tv/
 
 Package: kodi
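Review bot: Vcs-Git now selects the bullseye branch with "-b bullseye", but the Vcs-Browser line just above it is left pointing at the repository's default view. Consider pointing Vcs-Browser at the bullseye branch as well, so both fields describe the same branch.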
diff -Nru kodi-19.1+dfsg2/debian/gbp.conf kodi-19.1+dfsg2/debian/gbp.conf
--- kodi-19.1+dfsg2/debian/gbp.conf	2021-06-24 20:44:30.000000000 +0000
+++ kodi-19.1+dfsg2/debian/gbp.conf	2021-11-04 09:17:25.000000000 +0000
@@ -3,3 +3,4 @@
 [DEFAULT]
 filter = */.git*
 components = ["libdate-tz-embedded", "libdvdnav-embedded", "libdvdread-embedded"]
+debian-branch = bullseye
diff -Nru kodi-19.1+dfsg2/debian/patches/series kodi-19.1+dfsg2/debian/patches/series
--- kodi-19.1+dfsg2/debian/patches/series	2021-06-24 20:44:30.000000000 +0000
+++ kodi-19.1+dfsg2/debian/patches/series	2021-11-04 09:17:25.000000000 +0000
@@ -42,3 +42,4 @@
 cdatetime-std-chrono/0002-Use-Debian-tzdata.patch
 cdatetime-std-chrono/0003-Reinstate-date-library-Makefile.patch
 cdatetime-std-chrono/0004-date-library-crash-fix.patch
+stable/CVE-2021-42917.patch
diff -Nru kodi-19.1+dfsg2/debian/patches/stable/CVE-2021-42917.patch kodi-19.1+dfsg2/debian/patches/stable/CVE-2021-42917.patch
--- kodi-19.1+dfsg2/debian/patches/stable/CVE-2021-42917.patch	1970-01-01 00:00:00.000000000 +0000
+++ kodi-19.1+dfsg2/debian/patches/stable/CVE-2021-42917.patch	2021-11-04 09:17:25.000000000 +0000
@@ -0,0 +1,35 @@
+From 80c8138c09598e88b4ddb6dbb279fa193bbb3237 Mon Sep 17 00:00:00 2001
+From: fuzzard <fuzzard@kodi.tv>
+Date: Tue, 12 Oct 2021 17:38:30 +1000
+Subject: [PATCH] [Playlist] dont use istream directly to a tinyxml structure
+
+Turn istream into a std::string to handle large buffers (#20305)
+---
+ xbmc/playlists/PlayListPLS.cpp | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/xbmc/playlists/PlayListPLS.cpp b/xbmc/playlists/PlayListPLS.cpp
+index bc62a1fe7ad5b..17d6e491d25b6 100644
+--- a/xbmc/playlists/PlayListPLS.cpp
++++ b/xbmc/playlists/PlayListPLS.cpp
+@@ -289,8 +289,9 @@ bool CPlayListASX::LoadData(std::istream& stream)
+   }
+   else
+   {
++    std::string asxstream(std::istreambuf_iterator<char>(stream), {});
+     CXBMCTinyXML xmlDoc;
+-    stream >> xmlDoc;
++    xmlDoc.Parse(asxstream, TIXML_DEFAULT_ENCODING);
+ 
+     if (xmlDoc.Error())
+     {
+@@ -300,6 +301,9 @@ bool CPlayListASX::LoadData(std::istream& stream)
+ 
+     TiXmlElement *pRootElement = xmlDoc.RootElement();
+ 
++    if (!pRootElement)
++      return false;
++
+     // lowercase every element
+     TiXmlNode *pNode = pRootElement;
+     TiXmlNode *pChild = NULL;
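Review bot: In the inner hunk at -289, "std::string asxstream(std::istreambuf_iterator<char>(stream), {});" reads the entire stream into memory with no upper bound before Parse is called, so an oversized playlist is still buffered in full; consider enforcing a maximum size while reading and returning false once it is exceeded. The added "if (!pRootElement) return false;" in the second inner hunk guards the dereference that follows and should stay. As a packaging point, the patch carries only git format-patch headers; DEP-3 fields (Origin naming upstream commit 80c8138c09598e88b4ddb6dbb279fa193bbb3237, Bug pointing at the upstream issue #20305 cited in the commit message) would make its provenance easier to track in debian/patches.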

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.2

Hi,

All of the updates referred to by these bugs were included in this
morning's bullseye point release.

Regards,

Adam

--- End Message ---
