
Bug 619492 (CVE-2017-8314)

Summary: <media-tv/kodi-17.2: Arbitrary code execution (CVE-2017-8314)
Product: Gentoo Security
Reporter: Michael Boyle <boylemic>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: candrews, proxy-maint
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=621054
Whiteboard: B2 [glsa cve]
Package list: media-tv/kodi-17.2 media-libs/libjpeg-turbo-1.5.1 media-libs/taglib-1.11.1 media-fonts/noto-20160531 net-libs/shairplay-0_pre20170118 media-fonts/noto-cjk-20150615 dev-libs/libcec-4.0.2
Runtime testing required: ---

Description Michael Boyle 2017-05-24 02:17:08 UTC
Directory Traversal in Zip Extraction built-in function in Kodi 17.1 and earlier allows arbitrary file write on disk via a Zip file as subtitles.
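The bug class behind this CVE is archive path traversal ("Zip Slip"): an extractor joins an attacker-chosen entry name such as `../../x` onto the destination directory and lets the filesystem honour the `..` components, so a subtitle archive fetched from an untrusted source becomes an arbitrary file write. The following is an added example, not Kodi's code and not the upstream fix. It builds a constructed subtitle archive in memory, runs a naive extractor that reproduces the vulnerable pattern, and a hardened extractor that resolves every entry and refuses the archive unless all entries stay inside the destination. The sandbox layout, file names and helper names are assumptions made for the demonstration.

```python
"""Zip path traversal ("Zip Slip") reduced to its essence.

Added example, not Kodi code. It constructs a subtitle archive in memory,
shows a naive extractor that trusts entry names writing outside the subtitle
directory, and a hardened extractor that validates every entry before writing.
"""
import io
import os
import tempfile
import zipfile


def build_subtitle_zip(traversal_depth: int = 0) -> bytes:
    """Constructed sample archive: one benign .srt, plus (if traversal_depth > 0)
    an entry whose name climbs that many directories above the extraction root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("movie.srt", "1\n00:00:01,000 --> 00:00:02,000\nhello\n")
        if traversal_depth > 0:
            # zipfile stores the name verbatim; only ZipFile.extract() sanitises it,
            # and the naive extractor below bypasses that by calling read() itself.
            zf.writestr("../" * traversal_depth + "pwned.txt", "escaped\n")
    return buf.getvalue()


def _inside(root: str, path: str) -> bool:
    """True when the resolved path is root itself or lies beneath it."""
    root = os.path.realpath(root)
    path = os.path.realpath(path)
    return os.path.commonpath([root, path]) == root


def extract_naive(zip_bytes: bytes, dest: str) -> list:
    """Vulnerable pattern: join the attacker-controlled entry name onto dest and write."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # "../" is honoured by the OS
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.abspath(target))
    return written


def extract_safe(zip_bytes: bytes, dest: str) -> list:
    """Hardened pattern: validate every entry first; write nothing unless all pass."""
    dest = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        targets = []
        for info in zf.infolist():
            name = info.filename
            # os.path.join discards dest for absolute names; backslashes are
            # separators on Windows, so refuse both outright.
            if os.path.isabs(name) or name.startswith("/") or "\\" in name:
                raise ValueError(f"rejecting absolute or backslash entry: {name!r}")
            target = os.path.realpath(os.path.join(dest, name))
            if not _inside(dest, target):
                raise ValueError(f"entry escapes extraction directory: {name!r}")
            targets.append((info, target))
        written = []
        for info, target in targets:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def demo(traversal_depth: int = 2) -> dict:
    """Run both extractors on the constructed archive inside a throwaway sandbox.

    The extraction directory sits two levels below the sandbox root, and depth is
    capped at 3, so the traversal lands inside the sandbox (and is cleaned up)
    rather than somewhere unpredictable on the host."""
    if not 0 <= traversal_depth <= 3:
        raise ValueError("traversal_depth must be between 0 and 3 for this sandbox")
    zip_bytes = build_subtitle_zip(traversal_depth)
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "a", "b", "subs")
        os.makedirs(dest)
        dest_real = os.path.realpath(dest)
        naive = extract_naive(zip_bytes, dest)
        escaped = [os.path.relpath(p, root).replace(os.sep, "/")
                   for p in naive if not _inside(dest, p)]
        try:
            safe = [os.path.relpath(p, dest_real).replace(os.sep, "/")
                    for p in extract_safe(zip_bytes, dest)]
            rejected = None
        except ValueError as exc:
            safe, rejected = [], str(exc)
    return {"naive_escaped": escaped, "safe_written": safe, "safe_rejected": rejected}


if __name__ == "__main__":
    print(demo(2))
```

With the malicious archive, `extract_naive` leaves `a/pwned.txt` two directories above the subtitle folder, while `extract_safe` raises before touching the disk; with a benign archive both write only `movie.srt`. The two-pass structure matters: validating and writing in one loop would still leave the benign entries of a rejected archive behind. Symlink entries are a related escape route (write a link, then write through it) and are not exercised here; Python's `zipfile` never creates symlinks, but a native extractor must check for them too.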
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-05-24 10:33:44 UTC
CC'ing proxy maintainer
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2017-05-24 10:37:06 UTC
CVE-2017-8314 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8314):
  Directory Traversal in Zip Extraction built-in function in Kodi 17.1 and
  earlier allows arbitrary file write on disk via a Zip file as subtitles.
Comment 3 Craig Andrews gentoo-dev 2017-05-24 14:12:49 UTC
I've already created a version 17.2 pull request: https://github.com/gentoo/gentoo/pull/4737
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-05-24 16:09:32 UTC
Thank you for the bump.

Is =media-tv/kodi-17.2 already ready for stabilization (i.e. the move from 16.x to 17.x)?
Comment 5 Craig Andrews gentoo-dev 2017-05-24 17:06:22 UTC
(In reply to Thomas Deutschmann from comment #4)
> Thank you for the bump.
> 
> Is =media-tv/kodi-17.2 already ready for stabilization (i.e. the move from
> 16.x to 17.x)?

In my opinion, yes.
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2017-05-24 19:47:51 UTC
@ Arches,

please test and mark stable: =media-tv/kodi-17.2
Comment 7 Stabilization helper bot gentoo-dev 2017-05-24 20:02:29 UTC
An automated check of this bug failed - repoman reported dependency errors (41 lines truncated): 

> dependency.bad media-tv/kodi/kodi-17.2.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['net-libs/shairplay', '>=dev-libs/libcec-4.0', '>=media-fonts/noto-20160531', '>=media-libs/taglib-1.11.1', '>=media-libs/libjpeg-turbo-1.5.1:=']
> dependency.bad media-tv/kodi/kodi-17.2.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['net-libs/shairplay', '>=dev-libs/libcec-4.0', '>=media-fonts/noto-20160531', '>=media-libs/taglib-1.11.1']
> dependency.bad media-tv/kodi/kodi-17.2.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop) ['net-libs/shairplay', '>=dev-libs/libcec-4.0', '>=media-fonts/noto-20160531', '>=media-libs/taglib-1.11.1', '>=media-libs/libjpeg-turbo-1.5.1:=']
Comment 8 Stabilization helper bot gentoo-dev 2017-05-24 21:01:39 UTC
An automated check of this bug failed - repoman reported dependency errors (60 lines truncated): 

> dependency.bad media-fonts/noto/noto-20160531.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['media-fonts/noto-cjk']
> dependency.bad media-fonts/noto/noto-20160531.ebuild: RDEPEND: amd64(default/linux/amd64/13.0/desktop) ['media-fonts/noto-cjk']
> dependency.bad media-fonts/noto/noto-20160531.ebuild: RDEPEND: amd64(default/linux/amd64/13.0/desktop/gnome) ['media-fonts/noto-cjk']
> dependency.bad media-tv/kodi/kodi-17.2.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['>=dev-libs/libcec-4.0']
> dependency.bad media-tv/kodi/kodi-17.2.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['>=dev-libs/libcec-4.0']
> dependency.bad media-tv/kodi/kodi-17.2.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop) ['>=dev-libs/libcec-4.0']
Comment 9 Agostino Sarubbo gentoo-dev 2017-05-25 10:44:55 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2017-05-26 14:06:44 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 11 Günter Merl 2017-05-29 08:27:02 UTC
Don't use kodi 17.2 as stable; only a few hours after 17.2, the kodi team released 17.3 as an update:
https://kodi.tv/article/kodi-v173-minor-bug-fix-and-security-release

With 17.2, binary addons (e.g. PVR) are not working
Comment 12 Martin Cyr 2017-05-29 23:45:38 UTC
Until 17.3 gets officially stabilized, bumping 17.2 ebuild to 17.3 results in a successful build.
Comment 13 Craig Andrews gentoo-dev 2017-05-30 00:04:54 UTC
Here's the PR for 17.3: https://github.com/gentoo/gentoo/pull/4758#discussion_r118821286
Comment 14 Craig Andrews gentoo-dev 2017-06-01 19:07:29 UTC
Kodi 17.3 is now in the Portage tree.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2017-06-04 01:03:01 UTC
(In reply to candrews from comment #14)
> Kodi 17.3 is now in the Portage tree.

Are you ready to go ahead and stabilize it?
Comment 16 Craig Andrews gentoo-dev 2017-06-04 01:16:07 UTC
Yes. 17.2 had some problems (upstream made a mistake in the 17.2 release breaking addons, see https://kodi.tv/article/kodi-v173-minor-bug-fix-and-security-release if you're curious), so 17.3 makes sense to be our stable version.
Comment 17 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-06 16:34:21 UTC
The GLSA will cover 17.2 but cleanup will wait for bug 621054 so that only >=17.3 stays in repository.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2017-06-20 17:20:49 UTC
This issue was resolved and addressed in
 GLSA 201706-17 at https://security.gentoo.org/glsa/201706-17
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 19 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-06-20 17:22:05 UTC
Cleanup of vulnerable versions is already done.