CVE-2017-12940 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12940): libunrar.a in UnRAR before 5.5.7 has an out-of-bounds read in the EncodeFileName::Decode call within the Archive::ReadHeader15 function. CVE-2017-12941 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12941): libunrar.a in UnRAR before 5.5.7 has an out-of-bounds read in the Unpack::Unpack20 function. CVE-2017-12942 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12942): libunrar.a in UnRAR before 5.5.7 has a buffer overflow in the Unpack::LongLZ function.
See tracker bug 628178 for more details.
Reported upstream at: https://github.com/notspiff/vfs.rar/issues/14 https://trac.kodi.tv/ticket/17575
From Upstream's response >Note that this vulnerability doesn't impact Kodi 18 (or later) because unrar has >been moved to an addon (that addon is impacted, issue reported at >https://github.com/notspiff/vfs.rar/issues/14 ) Gentoo Security Padawan ChrisADR
Whoa a year later and 18 is still pre-release.
@maintainer, please let us know when you are ready to stabilize >=18.0
@arches, please stabilize.
An automated check of this bug failed - repoman reported dependency errors (77 lines truncated): > dependency.bad media-tv/kodi/kodi-18.1.ebuild: DEPEND: amd64(default/linux/amd64/17.0) ['>=media-video/ffmpeg-4.0.3:=[encode,postproc]', 'media-video/ffmpeg[libressl,-openssl]', 'media-video/ffmpeg[-libressl,openssl]'] > dependency.bad media-tv/kodi/kodi-18.1.ebuild: RDEPEND: amd64(default/linux/amd64/17.0) ['>=media-video/ffmpeg-4.0.3:=[encode,postproc]', 'media-video/ffmpeg[libressl,-openssl]', 'media-video/ffmpeg[-libressl,openssl]'] > dependency.bad media-tv/kodi/kodi-18.1.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop) ['>=media-video/ffmpeg-4.0.3:=[encode,postproc]', 'media-video/ffmpeg[libressl,-openssl]', 'media-video/ffmpeg[-libressl,openssl]']
glsa-check --test all is not working properly ~ $ glsa-check --test all This system is not affected by any of the listed GLSAs My version of kodi is: media-tv/kodi-17.6-r11 glsa test is checking a bad version: https://security.gentoo.org/glsa/201710-21 Unaffected versions >= 17.3-r1 But this is not true because upstream said: https://trac.kodi.tv/ticket/17575 Resolution set to Won't be fixed/added Status changed from new to closed Kodi 17 is end of life. In v18 UnRAR isn't part of Kodi anymore. So please fix glsa checks to be >= 18.0
I think stabilization should continue now, since a month ago ffmpeg 4.1.3 was stabilized for x86, the last relevant Arch for kodi. Furthermore I would suggest to stabilize the latest version of kodi 18.3-r1.
GLSA Vote: No! Repository is clean, all done!
