diff -Nru kodi-15.2+dfsg1/debian/changelog kodi-15.2+dfsg1/debian/changelog
--- kodi-15.2+dfsg1/debian/changelog 2016-04-15 16:39:12.000000000 +0000
+++ kodi-15.2+dfsg1/debian/changelog 2017-05-31 18:38:44.000000000 +0000
@@ -1,3 +1,11 @@
+kodi (15.2+dfsg1-3ubuntu1.1) xenial-security; urgency=high
+
+ * Fix zip file directory traversal vulnerability (CVE-2017-8314)
+ (Closes: #863230, LP: #1694249)
+ * Add test for CVE-2017-8314 to autotools-based build
+
+ -- Balint Reczey Mon, 29 May 2017 16:58:26 +0200
+
 kodi (15.2+dfsg1-3ubuntu1) xenial; urgency=medium
 
 * Rebuild against libmysqlclient20.
diff -Nru kodi-15.2+dfsg1/debian/patches/0005-filesystem-ZipManager-skip-path-traversal.patch kodi-15.2+dfsg1/debian/patches/0005-filesystem-ZipManager-skip-path-traversal.patch
--- kodi-15.2+dfsg1/debian/patches/0005-filesystem-ZipManager-skip-path-traversal.patch 1970-01-01 00:00:00.000000000 +0000
+++ kodi-15.2+dfsg1/debian/patches/0005-filesystem-ZipManager-skip-path-traversal.patch 2017-05-31 18:38:29.000000000 +0000
@@ -0,0 +1,84 @@
+From 35cfe35608b15335ef21d798947fceab3f47c8d7 Mon Sep 17 00:00:00 2001
+From: Rechi
+Date: Wed, 10 May 2017 10:21:42 +0200
+Subject: [PATCH] [filesystem] ZipManager: skip path traversal
+
+---
+ xbmc/filesystem/ZipManager.cpp | 3 ++-
+ xbmc/filesystem/ZipManager.h | 3 +++
+ xbmc/filesystem/test/CMakeLists.txt | 3 ++-
+ xbmc/filesystem/test/TestZipManager.cpp | 38 +++++++++++++++++++++++++++++++++
+ 4 files changed, 45 insertions(+), 2 deletions(-)
+ create mode 100644 xbmc/filesystem/test/TestZipManager.cpp
+
+--- a/xbmc/filesystem/ZipManager.cpp
++++ b/xbmc/filesystem/ZipManager.cpp
+@@ -198,7 +198,8 @@
+ // Jump after central file header extra field and file comment
+ mFile.Seek(ze.eclength + ze.clength,SEEK_CUR);
+
+- items.push_back(ze);
++ if (!std::regex_search(strName, PATH_TRAVERSAL))
++ items.push_back(ze);
+ }
+
+ /* go through list and figure out file header lengths */
+--- a/xbmc/filesystem/ZipManager.h
++++ b/xbmc/filesystem/ZipManager.h
+@@ -32,12 +32,15 @@
+ #define ECDREC_SIZE 22
+
+ #include
++#include
+ #include
+ #include
+ #include
+
+ class CURL;
+
++static const std::regex PATH_TRAVERSAL(R"_((^|\/|\\)\.{2}($|\/|\\))_");
++
+ struct SZipEntry {
+ unsigned int header;
+ unsigned short version;
+--- /dev/null
++++ b/xbmc/filesystem/test/TestZipManager.cpp
+@@ -0,0 +1,38 @@
++/*
++ * Copyright (C) 2017 Team XBMC
++ * http://xbmc.org
++ *
++ * This Program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 2, or (at your option)
++ * any later version.
++ *
++ * This Program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with XBMC; see the file COPYING. If not, see
++ * .
++ *
++ */
++
++#include "filesystem/ZipManager.h"
++
++#include "gtest/gtest.h"
++
++TEST(TestZipManager, PathTraversal)
++{
++ ASSERT_TRUE(std::regex_search("..", PATH_TRAVERSAL));
++ ASSERT_TRUE(std::regex_search("../test.txt", PATH_TRAVERSAL));
++ ASSERT_TRUE(std::regex_search("..\\test.txt", PATH_TRAVERSAL));
++ ASSERT_TRUE(std::regex_search("test/../test.txt", PATH_TRAVERSAL));
++ ASSERT_TRUE(std::regex_search("test\\../test.txt", PATH_TRAVERSAL));
++ ASSERT_TRUE(std::regex_search("test\\..\\test.txt", PATH_TRAVERSAL));
++
++ ASSERT_FALSE(std::regex_search("...", PATH_TRAVERSAL));
++ ASSERT_FALSE(std::regex_search("..test.txt", PATH_TRAVERSAL));
++ ASSERT_FALSE(std::regex_search("test.txt..", PATH_TRAVERSAL));
++ ASSERT_FALSE(std::regex_search("test..test.txt", PATH_TRAVERSAL));
++}
diff -Nru kodi-15.2+dfsg1/debian/patches/17-add-test-for-CVE-2017-8314-with-autotools-build.patch kodi-15.2+dfsg1/debian/patches/17-add-test-for-CVE-2017-8314-with-autotools-build.patch
--- kodi-15.2+dfsg1/debian/patches/17-add-test-for-CVE-2017-8314-with-autotools-build.patch 1970-01-01 00:00:00.000000000 +0000
+++ kodi-15.2+dfsg1/debian/patches/17-add-test-for-CVE-2017-8314-with-autotools-build.patch 2017-05-31 18:38:29.000000000 +0000
@@ -0,0 +1,12 @@
+--- a/xbmc/filesystem/test/Makefile
++++ b/xbmc/filesystem/test/Makefile
+@@ -4,7 +4,8 @@
+ TestFileFactory.cpp \
+ TestNfsFile.cpp \
+ TestRarFile.cpp \
+- TestZipFile.cpp
++ TestZipFile.cpp \
++ TestZipManager.cpp
+
+ LIB=filesystemTest.a
+
diff -Nru kodi-15.2+dfsg1/debian/patches/series kodi-15.2+dfsg1/debian/patches/series
--- kodi-15.2+dfsg1/debian/patches/series 2016-04-15 14:21:30.000000000 +0000
+++ kodi-15.2+dfsg1/debian/patches/series 2017-05-31 18:38:29.000000000 +0000
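Review bot: The guard added in ZipManager.cpp (`if (!std::regex_search(strName, PATH_TRAVERSAL))`) rejects only entry names that contain a `..` component, so an entry whose name is an absolute path still reaches `items`; whether such a name can leave the extraction directory depends on how it is joined to the destination later, which is outside this hunk and should be confirmed. The rejected entry is also dropped silently, so an archive carrying traversal names leaves no trace; a log line before the skip, for example `CLog::Log(LOGWARNING, "ZipManager: skipping entry with path traversal in name: %s", strName.c_str());` (assuming `strName` is a `std::string` and the file already has the logging header in scope), would give users and triagers something to look for. The new test in TestZipManager.cpp exercises only the regex, not the list-building loop, so a regression that stops applying the check to entries would still pass it. The enclosing function in ZipManager.cpp starts and ends outside the hunk.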
@@ -1,4 +1,5 @@
 0001-arm64-Fix-build-breakages-due-to-architecture-specif.patch
+0005-filesystem-ZipManager-skip-path-traversal.patch
 01_reproducible_build.patch
 02_allow_all_arches.patch
 03-privacy.patch
@@ -11,3 +12,4 @@
 10-dont-use-omitted-files.patch
 11-build-with-ffmpeg-2.9.patch
 std_isnan
+17-add-test-for-CVE-2017-8314-with-autotools-build.patch