
Bug#999509: bullseye-pu: package kodi/2:19.1+dfsg2-3~deb11u1



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: mattia@debian.org

[ Reason ]

Targeted fix for CVE-2021-42917

[ Impact ]

Users might experience a denial-of-service triggered remotely by loading
a specially crafted PLS playlist.

[ Tests ]

Build + autopkgtest + manual test with reproducer from
https://github.com/xbmc/xbmc/issues/20305

[ Risks ]

Patch is trivial, so the risk is greater from the vulnerability itself than
from the patch applied.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

One patch added to fix the vulnerability plus necessary
changes in d/control, d/gbp.conf and d/changelog to make
bullseye a separate branch

[ Other info ]

I would like to get this in bullseye so that I can decouple the 19.4 build in unstable
from the requirement to keep the older versions of embedded libdvdnav, dvdread. Also
keeping 19.4 compatible with bullseye prevents me from fixing other bugs involving
changes in binary package contents (and introducing new binary packages, too).
diff -Nru kodi-19.1+dfsg2/debian/changelog kodi-19.1+dfsg2/debian/changelog
--- kodi-19.1+dfsg2/debian/changelog	2021-06-24 20:44:30.000000000 +0000
+++ kodi-19.1+dfsg2/debian/changelog	2021-11-04 09:17:25.000000000 +0000
@@ -1,3 +1,10 @@
+kodi (2:19.1+dfsg2-3~deb11u1) bullseye-updates; urgency=medium
+
+  * Branch out bullseye
+  * Fix buffer overflow in PLS playlists (Closes: CVE-2021-42917)
+
+ -- Vasyl Gello <vasek.gello@gmail.com>  Thu, 04 Nov 2021 09:17:25 +0000
+
 kodi (2:19.1+dfsg2-2) unstable; urgency=medium
 
   * Add runtime locale test and fallback (Closes: #989814)
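Review bot: In the new changelog entry, `Closes: CVE-2021-42917` has no effect, because `Closes:` only acts on Debian bug numbers; cite the CVE id in plain text, e.g. `(CVE-2021-42917)`, and keep `Closes:` for a Debian bug number if one exists. The target distribution is written as `bullseye-updates`, while a stable proposed update is normally uploaded with `bullseye` as the distribution. The entry also says "PLS playlists", but the function patched further down is `CPlayListASX::LoadData` in PlayListPLS.cpp, so the wording could name the ASX code path to match what is actually changed.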
diff -Nru kodi-19.1+dfsg2/debian/control kodi-19.1+dfsg2/debian/control
--- kodi-19.1+dfsg2/debian/control	2021-06-24 20:44:30.000000000 +0000
+++ kodi-19.1+dfsg2/debian/control	2021-11-04 09:17:25.000000000 +0000
@@ -107,7 +107,7 @@
 Standards-Version: 4.5.1
 Rules-Requires-Root: no
 Vcs-Browser: https://salsa.debian.org/multimedia-team/kodi-media-center/kodi
-Vcs-Git: https://salsa.debian.org/multimedia-team/kodi-media-center/kodi.git
+Vcs-Git: https://salsa.debian.org/multimedia-team/kodi-media-center/kodi.git -b bullseye
 Homepage: https://kodi.tv/
 
 Package: kodi
diff -Nru kodi-19.1+dfsg2/debian/gbp.conf kodi-19.1+dfsg2/debian/gbp.conf
--- kodi-19.1+dfsg2/debian/gbp.conf	2021-06-24 20:44:30.000000000 +0000
+++ kodi-19.1+dfsg2/debian/gbp.conf	2021-11-04 09:17:25.000000000 +0000
@@ -3,3 +3,4 @@
 [DEFAULT]
 filter = */.git*
 components = ["libdate-tz-embedded", "libdvdnav-embedded", "libdvdread-embedded"]
+debian-branch = bullseye
diff -Nru kodi-19.1+dfsg2/debian/patches/series kodi-19.1+dfsg2/debian/patches/series
--- kodi-19.1+dfsg2/debian/patches/series	2021-06-24 20:44:30.000000000 +0000
+++ kodi-19.1+dfsg2/debian/patches/series	2021-11-04 09:17:25.000000000 +0000
@@ -42,3 +42,4 @@
 cdatetime-std-chrono/0002-Use-Debian-tzdata.patch
 cdatetime-std-chrono/0003-Reinstate-date-library-Makefile.patch
 cdatetime-std-chrono/0004-date-library-crash-fix.patch
+stable/CVE-2021-42917.patch
diff -Nru kodi-19.1+dfsg2/debian/patches/stable/CVE-2021-42917.patch kodi-19.1+dfsg2/debian/patches/stable/CVE-2021-42917.patch
--- kodi-19.1+dfsg2/debian/patches/stable/CVE-2021-42917.patch	1970-01-01 00:00:00.000000000 +0000
+++ kodi-19.1+dfsg2/debian/patches/stable/CVE-2021-42917.patch	2021-11-04 09:17:25.000000000 +0000
@@ -0,0 +1,35 @@
+From 80c8138c09598e88b4ddb6dbb279fa193bbb3237 Mon Sep 17 00:00:00 2001
+From: fuzzard <fuzzard@kodi.tv>
+Date: Tue, 12 Oct 2021 17:38:30 +1000
+Subject: [PATCH] [Playlist] dont use istream directly to a tinyxml structure
+
+Turn istream into a std::string to handle large buffers (#20305)
+---
+ xbmc/playlists/PlayListPLS.cpp | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/xbmc/playlists/PlayListPLS.cpp b/xbmc/playlists/PlayListPLS.cpp
+index bc62a1fe7ad5b..17d6e491d25b6 100644
+--- a/xbmc/playlists/PlayListPLS.cpp
++++ b/xbmc/playlists/PlayListPLS.cpp
+@@ -289,8 +289,9 @@ bool CPlayListASX::LoadData(std::istream& stream)
+   }
+   else
+   {
++    std::string asxstream(std::istreambuf_iterator<char>(stream), {});
+     CXBMCTinyXML xmlDoc;
+-    stream >> xmlDoc;
++    xmlDoc.Parse(asxstream, TIXML_DEFAULT_ENCODING);
+ 
+     if (xmlDoc.Error())
+     {
+@@ -300,6 +301,9 @@ bool CPlayListASX::LoadData(std::istream& stream)
+ 
+     TiXmlElement *pRootElement = xmlDoc.RootElement();
+ 
++    if (!pRootElement)
++      return false;
++
+     // lowercase every element
+     TiXmlNode *pNode = pRootElement;
+     TiXmlNode *pChild = NULL;
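Review bot: The added `std::string asxstream(std::istreambuf_iterator<char>(stream), {});` in `CPlayListASX::LoadData` reads the stream to EOF with no upper bound, so an arbitrarily large remote playlist is buffered fully in memory before `xmlDoc.Parse` runs; consider capping the number of bytes read and returning false once the limit is exceeded. The new `if (!pRootElement) return false;` check is correct but fails silently, and a log message there would help when diagnosing rejected playlists. On the packaging side, the patch file carries only the git `From`/`Subject` headers; adding `Origin:` and `Bug:` fields that point at the upstream commit and issue #20305 named in the header would make its provenance easier to track.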
