Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 619492 (CVE-2017-8314) - <media-tv/kodi-17.2: Arbitrary code execution (CVE-2017-8314)
Summary: <media-tv/kodi-17.2: Arbitrary code execution (CVE-2017-8314)
Status: RESOLVED FIXED
Alias: CVE-2017-8314
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-05-24 02:17 UTC by Michael Boyle
Modified: 2017-06-20 17:22 UTC (History)
2 users (show)

See Also:
Package list:
media-tv/kodi-17.2 media-libs/libjpeg-turbo-1.5.1 media-libs/taglib-1.11.1 media-fonts/noto-20160531 net-libs/shairplay-0_pre20170118 media-fonts/noto-cjk-20150615 dev-libs/libcec-4.0.2
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Boyle 2017-05-24 02:17:08 UTC
Directory Traversal in Zip Extraction built-in function in Kodi 17.1 and earlier allows arbitrary file write on disk via a Zip file as subtitles.
Comment 1 Thomas Deutschmann gentoo-dev Security 2017-05-24 10:33:44 UTC
CC'ing proxy maintainer
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2017-05-24 10:37:06 UTC
CVE-2017-8314 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8314):
  Directory Traversal in Zip Extraction built-in function in Kodi 17.1 and
  earlier allows arbitrary file write on disk via a Zip file as subtitles.
Comment 3 Craig Andrews gentoo-dev 2017-05-24 14:12:49 UTC
I've already created a version 17.2 pull request: https://github.com/gentoo/gentoo/pull/4737
Comment 4 Thomas Deutschmann gentoo-dev Security 2017-05-24 16:09:32 UTC
Thank you for the bump.

Is =media-tv/kodi-17.2 already ready for stabilization (i.e. the move from 16.x to 17.x)?
Comment 5 Craig Andrews gentoo-dev 2017-05-24 17:06:22 UTC
(In reply to Thomas Deutschmann from comment #4)
> Thank you for the bump.
> 
> Is =media-tv/kodi-17.2 already ready for stabilization (i.e. the move from
> 16.x to 17.x)?

In my opinion, yes.
Comment 6 Thomas Deutschmann gentoo-dev Security 2017-05-24 19:47:51 UTC
@ Arches,

please test and mark stable: =media-tv/kodi-17.2
Comment 7 Stabilization helper bot gentoo-dev 2017-05-24 20:02:29 UTC
An automated check of this bug failed - repoman reported dependency errors (41 lines truncated): 

> dependency.bad media-tv/kodi/kodi-17.2.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['net-libs/shairplay', '>=dev-libs/libcec-4.0', '>=media-fonts/noto-20160531', '>=media-libs/taglib-1.11.1', '>=media-libs/libjpeg-turbo-1.5.1:=']
> dependency.bad media-tv/kodi/kodi-17.2.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['net-libs/shairplay', '>=dev-libs/libcec-4.0', '>=media-fonts/noto-20160531', '>=media-libs/taglib-1.11.1']
> dependency.bad media-tv/kodi/kodi-17.2.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop) ['net-libs/shairplay', '>=dev-libs/libcec-4.0', '>=media-fonts/noto-20160531', '>=media-libs/taglib-1.11.1', '>=media-libs/libjpeg-turbo-1.5.1:=']
Comment 8 Stabilization helper bot gentoo-dev 2017-05-24 21:01:39 UTC
An automated check of this bug failed - repoman reported dependency errors (60 lines truncated): 

> dependency.bad media-fonts/noto/noto-20160531.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['media-fonts/noto-cjk']
> dependency.bad media-fonts/noto/noto-20160531.ebuild: RDEPEND: amd64(default/linux/amd64/13.0/desktop) ['media-fonts/noto-cjk']
> dependency.bad media-fonts/noto/noto-20160531.ebuild: RDEPEND: amd64(default/linux/amd64/13.0/desktop/gnome) ['media-fonts/noto-cjk']
> dependency.bad media-tv/kodi/kodi-17.2.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['>=dev-libs/libcec-4.0']
> dependency.bad media-tv/kodi/kodi-17.2.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['>=dev-libs/libcec-4.0']
> dependency.bad media-tv/kodi/kodi-17.2.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop) ['>=dev-libs/libcec-4.0']
Comment 9 Agostino Sarubbo gentoo-dev 2017-05-25 10:44:55 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2017-05-26 14:06:44 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 11 Günter Merl 2017-05-29 08:27:02 UTC
don't use kodi 17.2 as stable, only a few hours after 17.2, the kodi team released 17.3 as an update
https://kodi.tv/article/kodi-v173-minor-bug-fix-and-security-release

With 17.2, binary addons (e.g. PVR) are not working
Comment 12 Martin Cyr 2017-05-29 23:45:38 UTC
Until 17.3 gets officially stabilized, bumping 17.2 ebuild to 17.3 results in a successful build.
Comment 13 Craig Andrews gentoo-dev 2017-05-30 00:04:54 UTC
Here's the PR for 17.3: https://github.com/gentoo/gentoo/pull/4758#discussion_r118821286
Comment 14 Craig Andrews gentoo-dev 2017-06-01 19:07:29 UTC
Kodi 17.3 is now in the Portage tree.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev Security 2017-06-04 01:03:01 UTC
(In reply to candrews from comment #14)
> Kodi 17.3 is now in the Portage tree.

Are you ready to go ahead and stabilize it?
Comment 16 Craig Andrews gentoo-dev 2017-06-04 01:16:07 UTC
Yes. 17.2 had some problems (upstream made a mistake in the 17.2 release breaking addons, see https://kodi.tv/article/kodi-v173-minor-bug-fix-and-security-release if you're curious), so 17.3 makes sense to be our stable version.
Comment 17 Thomas Deutschmann gentoo-dev Security 2017-06-06 16:34:21 UTC
The GLSA will cover 17.2 but cleanup will wait for bug 621054 so that only >=17.3 stays in repository.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2017-06-20 17:20:49 UTC
This issue was resolved and addressed in
 GLSA 201706-17 at https://security.gentoo.org/glsa/201706-17
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 19 Kristian Fiskerstrand gentoo-dev Security 2017-06-20 17:22:05 UTC
Cleanup of vulnerable versions are already done