| Field | Value | Field | Value |
|---|---|---|---|
| Summary | <media-tv/kodi-17.2: Arbitrary code execution (CVE-2017-8314) | | |
| Product | Gentoo Security | Reporter | Michael Boyle <boylemic> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED | | |
| Severity | minor | CC | candrews, proxy-maint |
| Priority | Normal | Flags | stable-bot: sanity-check+ |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| See Also | https://bugs.gentoo.org/show_bug.cgi?id=621054 | | |
| Whiteboard | B2 [glsa cve] | | |
| Package list | media-tv/kodi-17.2, media-libs/libjpeg-turbo-1.5.1, media-libs/taglib-1.11.1, media-fonts/noto-20160531, net-libs/shairplay-0_pre20170118, media-fonts/noto-cjk-20150615, dev-libs/libcec-4.0.2 | | |
| Runtime testing required | --- | | |
Description (Michael Boyle, 2017-05-24 02:17:08 UTC)

CC'ing proxy maintainer.

CVE-2017-8314 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8314): Directory Traversal in Zip Extraction built-in function in Kodi 17.1 and earlier allows arbitrary file write on disk via a Zip file as subtitles.

I've already created a version 17.2 pull request: https://github.com/gentoo/gentoo/pull/4737

Thank you for the bump.

Is =media-tv/kodi-17.2 already ready for stabilization (i.e. the move from 16.x to 17.x)?

(In reply to Thomas Deutschmann from comment #4)
> Thank you for the bump.
>
> Is =media-tv/kodi-17.2 already ready for stabilization (i.e. the move from
> 16.x to 17.x)?

In my opinion, yes.

@ Arches, please test and mark stable: =media-tv/kodi-17.2

An automated check of this bug failed - repoman reported dependency errors (41 lines truncated):
> dependency.bad media-tv/kodi/kodi-17.2.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['net-libs/shairplay', '>=dev-libs/libcec-4.0', '>=media-fonts/noto-20160531', '>=media-libs/taglib-1.11.1', '>=media-libs/libjpeg-turbo-1.5.1:=']
> dependency.bad media-tv/kodi/kodi-17.2.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['net-libs/shairplay', '>=dev-libs/libcec-4.0', '>=media-fonts/noto-20160531', '>=media-libs/taglib-1.11.1']
> dependency.bad media-tv/kodi/kodi-17.2.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop) ['net-libs/shairplay', '>=dev-libs/libcec-4.0', '>=media-fonts/noto-20160531', '>=media-libs/taglib-1.11.1', '>=media-libs/libjpeg-turbo-1.5.1:=']
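The traversal described in the bug description above (a zip entry name that climbs out of the extraction directory), as an added example that is neither Kodi's nor Gentoo's code: a minimal Python extractor that joins archive entry names onto the destination unchecked, which is the vulnerable pattern, beside a hardened version that rejects absolute names, drive letters, any `..` component, and anything that still resolves outside the destination (for instance through a symlink already present there). The sample archive, its entry names and the function names are constructed for this illustration and are not taken from the Kodi bug or any exploit.

```python
# Added example (not Kodi's or Gentoo's code): a zip extractor written the way
# CVE-2017-8314 describes the vulnerable behaviour, beside a hardened version.
import io
import os
import tempfile
import zipfile

# Constructed sample archive: one legitimate subtitle file plus one entry whose
# name climbs out of the extraction directory. Not taken from any real attack.
SUBTITLE_ENTRY = "movie.srt"
TRAVERSAL_ENTRY = "../../evil.sh"


def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(SUBTITLE_ENTRY, "1\n00:00:01,000 --> 00:00:02,000\nhello\n")
        zf.writestr(TRAVERSAL_ENTRY, "#!/bin/sh\necho owned\n")
    return buf.getvalue()


def extract_naive(data: bytes, dest: str) -> list:
    """Vulnerable pattern: the entry name is joined onto dest unchecked, so a
    name containing '..' (or an absolute path) is written wherever it points.
    Entries are read with zf.read() because ZipFile.extractall() would strip
    the traversal components itself."""
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def safe_target(dest: str, name: str) -> str:
    """Map an archive entry name to a path under dest, or raise ValueError.
    Rejects empty or absolute names, drive letters, any '..' component, and
    names that still resolve outside dest (e.g. via a symlink under dest)."""
    name = name.replace("\\", "/")
    parts = name.split("/")
    if not name or name.startswith("/") or ":" in parts[0]:
        raise ValueError("empty, absolute or drive-qualified entry name: %r" % name)
    if any(p == ".." for p in parts):
        raise ValueError("parent-directory component in entry name: %r" % name)
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, *parts))
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise ValueError("entry resolves outside destination: %r" % name)
    return target


def extract_safe(data: bytes, dest: str):
    """Hardened extraction: every name is vetted before any file is created."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            try:
                target = safe_target(dest, info.filename)
            except ValueError:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written, rejected


def demo() -> dict:
    """Run both extractors on the sample archive in a scratch directory and
    report, by basename, which files escaped and which were rejected."""
    data = build_sample_zip()
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "subtitles", "incoming")
        os.makedirs(dest)
        dest_real = os.path.realpath(dest)
        naive = extract_naive(data, dest)
        escaped = [os.path.basename(p) for p in naive
                   if os.path.commonpath([dest_real, p]) != dest_real]
        written, rejected = extract_safe(data, dest)
        return {
            "naive_escaped": escaped,
            "safe_written": [os.path.basename(p) for p in written],
            "safe_rejected": rejected,
        }


def vet_names(names) -> dict:
    """Which entry names would the hardened extractor accept?"""
    with tempfile.TemporaryDirectory() as dest:
        result = {}
        for n in names:
            try:
                safe_target(dest, n)
                result[n] = True
            except ValueError:
                result[n] = False
        return result


if __name__ == "__main__":
    print(demo())
    print(vet_names(["movie.srt", "sub/movie.srt", "../x", "/etc/passwd", "C:/x"]))
```

The naive extractor drops `evil.sh` two levels above the subtitle directory; the hardened one writes only `movie.srt` and reports the traversal entry as rejected. The `realpath` plus `commonpath` check is the part that matters beyond string filtering: it also catches a name like `sub/x` when `sub` is already a symlink pointing outside the destination, which a pure `..` filter would miss. The equivalent fix in a C++ extractor is the same three steps: normalise separators, refuse absolute names and `..` components, then canonicalise the joined path and confirm it still has the destination as a prefix before opening the file.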
An automated check of this bug failed - repoman reported dependency errors (60 lines truncated):
> dependency.bad media-fonts/noto/noto-20160531.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['media-fonts/noto-cjk']
> dependency.bad media-fonts/noto/noto-20160531.ebuild: RDEPEND: amd64(default/linux/amd64/13.0/desktop) ['media-fonts/noto-cjk']
> dependency.bad media-fonts/noto/noto-20160531.ebuild: RDEPEND: amd64(default/linux/amd64/13.0/desktop/gnome) ['media-fonts/noto-cjk']
> dependency.bad media-tv/kodi/kodi-17.2.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['>=dev-libs/libcec-4.0']
> dependency.bad media-tv/kodi/kodi-17.2.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['>=dev-libs/libcec-4.0']
> dependency.bad media-tv/kodi/kodi-17.2.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop) ['>=dev-libs/libcec-4.0']
amd64 stable

x86 stable. Maintainer(s), please cleanup. Security, please vote.

Don't use kodi 17.2 as stable; only a few hours after 17.2, the kodi team released 17.3 as an update: https://kodi.tv/article/kodi-v173-minor-bug-fix-and-security-release
With 17.2, binary addons (e.g. PVR) are not working.
Until 17.3 gets officially stabilized, bumping the 17.2 ebuild to 17.3 results in a successful build.

Here's the PR for 17.3: https://github.com/gentoo/gentoo/pull/4758#discussion_r118821286

Kodi 17.3 is now in the Portage tree.

(In reply to candrews from comment #14)
> Kodi 17.3 is now in the Portage tree.

Are you ready to go ahead and stabilize it?

Yes. 17.2 had some problems (upstream made a mistake in the 17.2 release breaking addons, see https://kodi.tv/article/kodi-v173-minor-bug-fix-and-security-release if you're curious), so 17.3 makes sense to be our stable version.

The GLSA will cover 17.2, but cleanup will wait for bug 621054 so that only >=17.3 stays in the repository.

This issue was resolved and addressed in GLSA 201706-17 at https://security.gentoo.org/glsa/201706-17 by GLSA coordinator Kristian Fiskerstrand (K_F).

Cleanup of vulnerable versions is already done.