CVE-2017-8314: malicious subtitle zip files vulnerability

Bug #1694249 reported by Balint Reczey
Affects        Status        Importance   Assigned to   Milestone
kodi (Debian)  Fix Released  Unknown
kodi (Ubuntu)  Fix Released  Undecided    Unassigned

Bug Description

[Impact]
 * A specially crafted zip file, for example a zipped subtitle, can overwrite arbitrary files by traversing parent directories
 * This bug can be triggered remotely by tricking the user into opening a crafted subtitle, thus I believe fixing it would be important

[Test Case]
 * Download https://people.debian.org/~rbalint/reproducers/check-kodi-CVE-2017-8314.zip
 * Start playing a video file
 * Try loading the subtitle from check-kodi-CVE-2017-8314.zip following the ".." directory inside the zip
 * If you can't open the zip file and load the ../*.srt file inside the zip file your Kodi installation is fixed. Fixed 17.1 does not even list the zip file when browsing for subtitles.

[Regression Potential]
 * Kodi may fail to load valid zip files
 * You can verify that a harmless subtitle can still be loaded by testing it with https://people.debian.org/~rbalint/reproducers/harmless-subtitle.zip
 * New build-time tests are added which check potential regressions

[Other Info]
 * From the Debian bug:

 * Kodi 17.2 has an important fix for the malicious subtitles
   vulnerability that has the potential to compromise your machine. It is
   important to update to this version as soon as possible.
   http://blog.checkpoint.com/2017/05/23/hacked-in-translation/

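The [Impact] section describes the class of bug: an archive entry whose name contains ".." components is written relative to the extraction directory and so lands outside it. The following is an added example, not Kodi's code and not the reproducer linked above, of the check an extractor should apply and of a guarded extraction routine. The archive it inspects is constructed in memory (a harmless subtitle next to several traversal-style names, including an absolute path and a backslash-separated one, which Windows extractors treat as a path separator); the function names and the sample file names are the example's own.

```python
import io
import os
import posixpath
import tempfile
import zipfile
from typing import List, Tuple


def is_traversal(member_name: str) -> bool:
    """Return True if a zip entry name could escape the extraction root.

    Normalises the name the way an extractor that honours the archive's
    paths would, then rejects absolute paths, drive-letter paths and any
    name whose normalised form still starts with '..'. Backslashes are
    treated as separators because some extractors do so.
    """
    name = member_name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return True
    norm = posixpath.normpath(name)
    return norm == ".." or norm.startswith("../")


def partition_entries(zip_bytes: bytes) -> Tuple[List[str], List[str]]:
    """Split an archive's entry names into (accepted, rejected) by name check."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            (rejected if is_traversal(info.filename) else accepted).append(info.filename)
    return accepted, rejected


def extract_safely(zip_bytes: bytes, dest: str) -> List[str]:
    """Extract only entries that resolve inside dest; return the paths written.

    A realpath/commonpath check on the final target is a second line of
    defence so the outcome does not depend solely on name parsing.
    """
    written = []
    root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if is_traversal(info.filename):
                continue
            target = os.path.realpath(os.path.join(root, info.filename.replace("\\", "/")))
            if os.path.commonpath([root, target]) != root:
                continue  # resolved outside the extraction root
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_sample_zip() -> bytes:
    """Constructed sample archive (not the reproducer from the report):
    one ordinary subtitle plus entries shaped like the '..' entry described."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("movie.srt", "1\n00:00:01,000 --> 00:00:02,000\nhello\n")
        zf.writestr("../escaped.srt", "would land one level above the target dir")
        zf.writestr("sub/../../escaped2.srt", "same, hidden behind a nested component")
        zf.writestr("/etc/escaped3.srt", "absolute path")
        zf.writestr("..\\escaped4.srt", "backslash separator")
    return buf.getvalue()


def run_demo() -> Tuple[List[str], List[str], int]:
    """Partition the sample archive and extract it into a scratch directory.

    Returns (accepted names, rejected names, number of files written).
    """
    data = build_sample_zip()
    accepted, rejected = partition_entries(data)
    with tempfile.TemporaryDirectory() as scratch:
        written = extract_safely(data, scratch)
        count = len(written)
    return accepted, rejected, count


if __name__ == "__main__":
    acc, rej, n = run_demo()
    print("accepted:", acc)
    print("rejected:", rej)
    print("files written:", n)
```

Only `movie.srt` passes both checks; the four traversal-style names are rejected by name and, had one slipped through, the realpath comparison would still keep it out of the extraction root. Fixed Kodi builds, as the [Test Case] notes, do not even list such an archive when browsing for subtitles.
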
Tags: patch security

Revision history for this message
Balint Reczey (rbalint) wrote :

I have uploaded the fixed packages to this PPA:
https://launchpad.net/~rbalint/+archive/ubuntu/kodi-sru

Revision history for this message
Balint Reczey (rbalint) wrote :

I have verified the Xenial fix with the package in the ppa (15.2+dfsg1-3ubuntu1.1), the Yakkety fix on jessie with the version proposed for jessie-backports ( https://lists.debian.org/debian-backports/2017/05/msg00274.html 16.1+dfsg1-2~bpo8+2) and the Zesty fix with Debian's 2:17.1+dfsg1-3.

Changed in kodi (Debian):
status: Unknown → Fix Released
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "zesty patch" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Revision history for this message
Tyler Hicks (tyhicks) wrote :

Unsubscribing ubuntu-sponsors and subscribing ubuntu-security-sponsors, as detailed here:

  https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue#Notes_for_Contributors

Changed in kodi (Ubuntu):
status: New → Confirmed
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Local builds of kodi on my machine made me curious:

- The deb comparison tool we use didn't show new symbols in the xenial version even though they were shown in the yakkety and zesty versions
- The new symbols shown in the yakkety and zesty versions make me suspicious that the packages are requiring more symbols than they did before these changes.

Neither of the above actually make sense to me since the patches seem straightforward enough.

So I've put the packages in the security-proposed PPA -- https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa -- and would appreciate feedback from someone if these work or not before releasing them further.

Thanks

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kodi - 2:17.1+dfsg1-1ubuntu0.1

---------------
kodi (2:17.1+dfsg1-1ubuntu0.1) zesty-security; urgency=high

  * Fix zip file directory traversal vulnerability (CVE-2017-8314)
    (Closes: #863230, LP: #1694249)
  * Add test for CVE-2017-8314 to autotools-based build

 -- Balint Reczey <email address hidden> Mon, 29 May 2017 13:44:32 +0200

Changed in kodi (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kodi - 16.1+dfsg1-2ubuntu0.1

---------------
kodi (16.1+dfsg1-2ubuntu0.1) yakkety-security; urgency=high

  * Fix zip file directory traversal vulnerability (CVE-2017-8314)
    (Closes: #863230, LP: #1694249)
  * Add test for CVE-2017-8314 to autotools-based build

 -- Balint Reczey <email address hidden> Mon, 29 May 2017 16:39:03 +0200

Changed in kodi (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kodi - 15.2+dfsg1-3ubuntu1.1

---------------
kodi (15.2+dfsg1-3ubuntu1.1) xenial-security; urgency=high

  * Fix zip file directory traversal vulnerability (CVE-2017-8314)
    (Closes: #863230, LP: #1694249)
  * Add test for CVE-2017-8314 to autotools-based build

 -- Balint Reczey <email address hidden> Mon, 29 May 2017 16:58:26 +0200

Changed in kodi (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Thanks Balint!
