Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: mat...@debian.org

[ Reason ]
Targeted fix for CVE-2021-42917

[ Impact ]
Users might experience a denial-of-service triggered remotely by loading a specially crafted PLS playlist.

[ Tests ]
Build + autopkgtest + manual test with reproducer from https://github.com/xbmc/xbmc/issues/20305

[ Risks ]
Patch is trivial, so risk is greater from vulnerability itself rather than from patch applied.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
One patch added to fix the vulnerability plus necessary changes in d/control, d/gbp.conf and d/changelog to make bullseye a separate branch

[ Other info ]
I would like to get this in bullseye so that I can decouple the 19.4 build in unstable from the requirement to keep the older versions of embedded libdvdnav, dvdread. Also keeping 19.4 compatible with bullseye prevents me from fixing other bugs involving changes in binary package contents (and introducing new binary packages, too).

diff -Nru kodi-19.1+dfsg2/debian/changelog kodi-19.1+dfsg2/debian/changelog --- kodi-19.1+dfsg2/debian/changelog 2021-06-24 20:44:30.000000000 +0000 +++ kodi-19.1+dfsg2/debian/changelog 2021-11-04 09:17:25.000000000 +0000 @@ -1,3 +1,10 @@ +kodi (2:19.1+dfsg2-3~deb11u1) bullseye-updates; urgency=medium + + * Branch out bullseye + * Fix buffer overflow in PLS playlists (Closes: CVE-2021-42917) + + -- Vasyl Gello <vasek.ge...@gmail.com> Thu, 04 Nov 2021 09:17:25 +0000 + kodi (2:19.1+dfsg2-2) unstable; urgency=medium * Add runtime locale test and fallback (Closes: #989814) diff -Nru kodi-19.1+dfsg2/debian/control kodi-19.1+dfsg2/debian/control --- kodi-19.1+dfsg2/debian/control 2021-06-24 20:44:30.000000000 +0000 +++ kodi-19.1+dfsg2/debian/control 2021-11-04 09:17:25.000000000 +0000 @@ -107,7 +107,7 @@ Standards-Version: 4.5.1 Rules-Requires-Root: no Vcs-Browser: https://salsa.debian.org/multimedia-team/kodi-media-center/kodi -Vcs-Git: https://salsa.debian.org/multimedia-team/kodi-media-center/kodi.git +Vcs-Git: https://salsa.debian.org/multimedia-team/kodi-media-center/kodi.git -b bullseye Homepage: https://kodi.tv/ Package: kodi diff -Nru kodi-19.1+dfsg2/debian/gbp.conf kodi-19.1+dfsg2/debian/gbp.conf --- kodi-19.1+dfsg2/debian/gbp.conf 2021-06-24 20:44:30.000000000 +0000 +++ kodi-19.1+dfsg2/debian/gbp.conf 2021-11-04 09:17:25.000000000 +0000 @@ -3,3 +3,4 @@ [DEFAULT] filter = */.git* components = ["libdate-tz-embedded", "libdvdnav-embedded", "libdvdread-embedded"] +debian-branch = bullseye diff -Nru kodi-19.1+dfsg2/debian/patches/series kodi-19.1+dfsg2/debian/patches/series --- kodi-19.1+dfsg2/debian/patches/series 2021-06-24 20:44:30.000000000 +0000 +++ kodi-19.1+dfsg2/debian/patches/series 2021-11-04 09:17:25.000000000 +0000 
@@ -42,3 +42,4 @@ cdatetime-std-chrono/0002-Use-Debian-tzdata.patch cdatetime-std-chrono/0003-Reinstate-date-library-Makefile.patch cdatetime-std-chrono/0004-date-library-crash-fix.patch +stable/CVE-2021-42917.patch diff -Nru kodi-19.1+dfsg2/debian/patches/stable/CVE-2021-42917.patch kodi-19.1+dfsg2/debian/patches/stable/CVE-2021-42917.patch --- kodi-19.1+dfsg2/debian/patches/stable/CVE-2021-42917.patch 1970-01-01 00:00:00.000000000 +0000 +++ kodi-19.1+dfsg2/debian/patches/stable/CVE-2021-42917.patch 2021-11-04 09:17:25.000000000 +0000 @@ -0,0 +1,35 @@ +From 80c8138c09598e88b4ddb6dbb279fa193bbb3237 Mon Sep 17 00:00:00 2001 +From: fuzzard <fuzz...@kodi.tv> +Date: Tue, 12 Oct 2021 17:38:30 +1000 +Subject: [PATCH] [Playlist] dont use istream directly to a tinyxml structure + +Turn istream into a std::string to handle large buffers (#20305) +--- + xbmc/playlists/PlayListPLS.cpp | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/xbmc/playlists/PlayListPLS.cpp b/xbmc/playlists/PlayListPLS.cpp +index bc62a1fe7ad5b..17d6e491d25b6 100644 +--- a/xbmc/playlists/PlayListPLS.cpp ++++ b/xbmc/playlists/PlayListPLS.cpp +@@ -289,8 +289,9 @@ bool CPlayListASX::LoadData(std::istream& stream) + } + else + { ++ std::string asxstream(std::istreambuf_iterator<char>(stream), {}); + CXBMCTinyXML xmlDoc; +- stream >> xmlDoc; ++ xmlDoc.Parse(asxstream, TIXML_DEFAULT_ENCODING); + + if (xmlDoc.Error()) + { +@@ -300,6 +301,9 @@ bool CPlayListASX::LoadData(std::istream& stream) + + TiXmlElement *pRootElement = xmlDoc.RootElement(); + ++ if (!pRootElement) ++ return false; ++ + // lowercase every element + TiXmlNode *pNode = pRootElement; + TiXmlNode *pChild = NULL;
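
Review bot: In the debian/changelog hunk, "(Closes: CVE-2021-42917)" will not close anything, because Closes: only acts on Debian bug numbers; mention the CVE id without the Closes: keyword, and add the number of a Debian bug for the issue if there is one. The entry also says "PLS playlists" while the patch it introduces touches CPlayListASX::LoadData, so the wording should say the change is in the ASX loader inside PlayListPLS.cpp. For a stable point-release upload the distribution field is normally "bullseye" rather than "bullseye-updates".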
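
Review bot: In the debian/control hunk, only Vcs-Git gains "-b bullseye"; the Vcs-Browser line above it still points at the repository's default branch, so someone following it from the bullseye package will see packaging that does not match. Consider pointing Vcs-Browser at the bullseye branch as well.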
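
Review bot: In the new debian/patches/stable/CVE-2021-42917.patch, the added line "std::string asxstream(std::istreambuf_iterator<char>(stream), {});" reads the stream to EOF with no upper bound, so memory use is now proportional to the size of an attacker-supplied playlist; since the stated impact is a remotely triggered denial of service, it would be worth checking the length against a sane cap before calling xmlDoc.Parse, or at least stating in the patch description why an unbounded read is acceptable here. The second inner hunk's "if (!pRootElement) return false;" is the right guard before pNode is assigned, but it returns without any diagnostic, so a log line there would help when triaging a rejected playlist. The patch header carries only the upstream git From/Date/Subject; adding Origin: and Bug: fields that reference the upstream commit and issue #20305 would make the provenance explicit for later stable maintenance.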