Bug 622384 - <media-tv/kodi-17.3-r1: Vulnerable to VMSF_DELTA Filter Signedness Error through embedded UnRAR version
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+]
Keywords:
Depends on: 628232
Blocks: bundled-libs CVE-2012-6706
Reported: 2017-06-21 12:10 UTC by Thomas Deutschmann
Modified: 2018-01-15 16:35 UTC (History)

See Also:
Package list:
media-tv/kodi-17.3-r1
Runtime testing required: ---
stable-bot: sanity-check+


Description Thomas Deutschmann gentoo-dev Security 2017-06-21 12:10:51 UTC
See tracker bug 622380 URL for details.

media-tv/kodi-17.3 bundles an old UnRAR version in "xbmc-17.3-Krypton/lib/UnrarXLib" and is therefore suspected to be affected.
Comment 1 Craig Andrews gentoo-dev 2017-06-21 13:44:56 UTC
Reported upstream at https://github.com/notspiff/vfs.rar/issues/9 (which will be used in Kodi 18, which is not yet currently released) and on Kodi's IRC channel on freenode at #kodi-dev.
Comment 2 Craig Andrews gentoo-dev 2017-06-21 16:43:02 UTC
Reported upstream for Kodi 17.3 at https://trac.kodi.tv/ticket/17510
Comment 3 Craig Andrews gentoo-dev 2017-07-09 02:16:28 UTC
https://github.com/gentoo/gentoo/pull/4966
Comment 4 Craig Andrews gentoo-dev 2017-07-11 22:04:19 UTC
This issue has been resolved in -17.3-r1 so this issue can be resolved. With that said, imho -17.3-r1 should be marked stable because 17.3 is already stable and -r1 only adds this security fix.
Comment 5 Thomas Deutschmann gentoo-dev Security 2017-07-11 22:28:56 UTC
Someone has to test... there could be a build error for example. Or did you test on amd64 and x86? Then we could do a maintainer stabilization...


@ Arches,

please test and mark stable: =media-tv/kodi-17.3-r1
Comment 6 Tobias Klausmann gentoo-dev 2017-07-15 09:58:42 UTC
Stable on alpha.
Comment 7 Tobias Klausmann gentoo-dev 2017-07-15 10:04:29 UTC
(In reply to Tobias Klausmann from comment #6)
> Stable on alpha.

Bullshit. Amd64 stable.
Comment 8 Craig Andrews gentoo-dev 2017-08-07 18:15:50 UTC
media-tv/kodi-17.3-r1 is still not keyworded x86 stable - can we please do something about that so this issue can be closed? :)
Comment 9 Thomas Deutschmann gentoo-dev Security 2017-08-18 21:16:50 UTC
I ran into a test failure (bug 628232) while trying to stabilize =media-tv/kodi-17.3-r1 on x86. Please tell me how to proceed.
Comment 10 Thomas Deutschmann gentoo-dev Security 2017-10-15 21:44:17 UTC
x86 marked stable, ignoring bug 629320 for the moment, which isn't a regression and nothing that should block a B2.


@ Maintainer(s): Please clean up and drop =media-tv/kodi-17.3!
Comment 11 Thomas Deutschmann gentoo-dev Security 2017-10-18 14:59:46 UTC
New GLSA request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2017-10-22 00:25:27 UTC
This issue was resolved and addressed in GLSA 201710-21 at https://security.gentoo.org/glsa/201710-21 by GLSA coordinator Aaron Bauman (b-man).
Comment 13 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-22 00:26:03 UTC
Re-opened for cleanup.
Comment 14 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-01-15 16:35:48 UTC
Tree is clean.