Debian Bug report logs - #998419
kodi: CVE-2021-42917

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 3 Nov 2021 21:45:02 UTC

Severity: important

Tags: security, upstream

Found in versions kodi/2:17.1+dfsg1-3, kodi/2:19.1+dfsg2-2~bpo10+1-1

Fixed in version kodi/2:19.3+dfsg1-1

Forwarded to https://github.com/xbmc/xbmc/issues/20305



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#998419; Package src:kodi. (Wed, 03 Nov 2021 21:45:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Wed, 03 Nov 2021 21:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: kodi: CVE-2021-42917
Date: Wed, 03 Nov 2021 22:43:31 +0100
Source: kodi
Version: 2:19.3+dfsg1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/xbmc/xbmc/issues/20305
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for kodi.

CVE-2021-42917[0]:
| Buffer overflow vulnerability in Kodi xbmc up to 19.0, allows
| attackers to cause a denial of service due to improper length of
| values passed to istream.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-42917
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42917
[1] https://github.com/xbmc/xbmc/issues/20305
[2] https://github.com/xbmc/xbmc/commit/80c8138c09598e88b4ddb6dbb279fa193bbb3237

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#998419; Package src:kodi. (Wed, 03 Nov 2021 22:09:03 GMT)


Acknowledgement sent to Vasyl Gello <vasek.gello@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Wed, 03 Nov 2021 22:09:03 GMT)


Message #10 received at submit@bugs.debian.org:

From: Vasyl Gello <vasek.gello@gmail.com>
To: Salvatore Bonaccorso <carnil@debian.org>, 998419@bugs.debian.org, Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#998419: kodi: CVE-2021-42917
Date: Wed, 03 Nov 2021 22:05:01 +0000
Control: fixed -1 2:19.3+dfsg1-1
Control: found -1 2:19.1+dfsg2-2~bpo10+1-1

Hi Salvatore!

This bug was fixed in 19.3 upstream, and the sid/bookworm version is not vulnerable.
I would like to upload 19.3 to stable-pu or stable-sec but the approval from SRM is pending for 19.2.

Is it possible to upload 2:19.3+dfsg1-1 to stable-sec as a whole package?
Or do I have to apply the patch for 2:19.1+dfsg2-2 and upload -3?
-- 
Vasyl Gello
==================================================
Certified SolidWorks Expert

Mob.:+380 (98) 465 66 77

E-Mail: vasek.gello@gmail.com

Skype: vasek.gello
==================================================
A tiger leaves its skin when it dies; a person leaves a name when they die.

On 3 November 2021 21:43:31 UTC, Salvatore Bonaccorso <carnil@debian.org> wrote:
>Source: kodi
>Version: 2:19.3+dfsg1-1
>Severity: important
>Tags: security upstream
>Forwarded: https://github.com/xbmc/xbmc/issues/20305
>X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
>
>Hi,
>
>The following vulnerability was published for kodi.
>
>CVE-2021-42917[0]:
>| Buffer overflow vulnerability in Kodi xbmc up to 19.0, allows
>| attackers to cause a denial of service due to improper length of
>| values passed to istream.
>
>
>If you fix the vulnerability please also make sure to include the
>CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
>For further information see:
>
>[0] https://security-tracker.debian.org/tracker/CVE-2021-42917
>    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42917
>[1] https://github.com/xbmc/xbmc/issues/20305
>[2] https://github.com/xbmc/xbmc/commit/80c8138c09598e88b4ddb6dbb279fa193bbb3237
>
>Please adjust the affected versions in the BTS as needed.
>
>Regards,
>Salvatore
>

Marked as fixed in versions kodi/2:19.3+dfsg1-1. Request was from Vasyl Gello <vasek.gello@gmail.com> to submit@bugs.debian.org. (Wed, 03 Nov 2021 22:09:03 GMT)


Marked as found in versions kodi/2:19.1+dfsg2-2~bpo10+1-1. Request was from Vasyl Gello <vasek.gello@gmail.com> to submit@bugs.debian.org. (Wed, 03 Nov 2021 22:09:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#998419; Package src:kodi. (Wed, 03 Nov 2021 22:09:07 GMT)


Acknowledgement sent to Vasyl Gello <vasek.gello@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Wed, 03 Nov 2021 22:09:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#998419; Package src:kodi. (Wed, 03 Nov 2021 22:48:02 GMT)


Acknowledgement sent to Vasyl Gello <vasek.gello@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Wed, 03 Nov 2021 22:48:02 GMT)


Message #24 received at 998419@bugs.debian.org:

From: Vasyl Gello <vasek.gello@gmail.com>
To: Salvatore Bonaccorso <carnil@debian.org>, 998419@bugs.debian.org
Subject: Re: Bug#998419: kodi: CVE-2021-42917
Date: Wed, 03 Nov 2021 22:44:44 +0000
Control: found -1 2:17.1+dfsg1-3

Hi Salvatore,

And what should I do with stretch & buster? The patch is applicable to everything since 10.x: https://github.com/xbmc/xbmc/commit/45285e8a9300cd754a760560640b75b09f98035e
-- 
Vasyl Gello

Marked as found in versions kodi/2:17.1+dfsg1-3. Request was from Vasyl Gello <vasek.gello@gmail.com> to 998419-submit@bugs.debian.org. (Wed, 03 Nov 2021 22:48:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#998419; Package src:kodi. (Wed, 03 Nov 2021 22:57:02 GMT)


Acknowledgement sent to Vasyl Gello <vasek.gello@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Wed, 03 Nov 2021 22:57:02 GMT)


Message #31 received at 998419@bugs.debian.org:

From: Vasyl Gello <vasek.gello@gmail.com>
To: 998419@bugs.debian.org
Subject: Re: Bug#998419: kodi: CVE-2021-42917
Date: Wed, 03 Nov 2021 22:55:20 +0000
Control: notfound -1 2:19.3+dfsg1-1
-- 
Vasyl Gello

No longer marked as found in versions kodi/2:19.3+dfsg1-1. Request was from Vasyl Gello <vasek.gello@gmail.com> to 998419-submit@bugs.debian.org. (Wed, 03 Nov 2021 22:57:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#998419; Package src:kodi. (Thu, 04 Nov 2021 05:45:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Thu, 04 Nov 2021 05:45:03 GMT)


Message #38 received at 998419@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Vasyl Gello <vasek.gello@gmail.com>, 998419@bugs.debian.org
Subject: Re: Bug#998419: kodi: CVE-2021-42917
Date: Thu, 4 Nov 2021 06:44:08 +0100
Hi Vasyl,

On Wed, Nov 03, 2021 at 10:05:01PM +0000, Vasyl Gello wrote:
> Control: fixed -1 2:19.3+dfsg1-1
> Control: found -1 2:19.1+dfsg2-2~bpo10+1-1
> 
> Hi Salvatore!
> 
> This bug was fixed in 19.3 upstream, and the sid/bookworm version is not vulnerable.

Yes you are right, that was an error on my side, checking the source,
upstream commit and where the fix was included, thanks for correcting,
and apologies for the bad tracking at first. I double checked what
happened, and it was definitively that I got confused about the
inclusion from the upstream commit and not realizing it is in 19.3
already.

> I would like to upload 19.3 to stable-pu or stable-sec but the
> approval from SRM is pending for 19.2.
> 
> Is it possible to upload 2:19.3+dfsg1-1 to stable-sec as a whole package?
> Or I have to apply the patch for 2:19.1+dfsg2-2 and upload -3?

I'm not yet sure the issue would warrant a security update per se, but
the question can be answered for both DSA and update via a point
release: 2:19.3+dfsg1-1 could not enter directly bullseye. If you do a
rebase to the 19.3 upstream then this would be either a "rebuild"
approach 2:19.3+dfsg1-1~deb11u1 (if no other changes to packaging to
be done) or if you import 19.3 on top of the current bullseye
packaging because there were other changes not suitable in meanwhile,
then 2:19.3+dfsg1-0+deb11u1 to have it sorting before 2:19.3+dfsg1-1.

The general strategy is to cherry-pick commits, but as you know there
are some sources with exceptions to that rule for stable updates,
firefox, linux, mariadb, php, ffmpeg are such cases, and they have
some guarantee from CI and test suites, promises about stabilities
(e.g. no new features, bugfix only branches, etc ...).

If you are discussing this already with SRM then this is indeed the
way to go to see if they agree on your proposal to follow the 19.x
series for kodi for bullseye.

Likewise for buster, by cherry-picking the fix, be it for an upcoming
point release or a DSA.

I cannot answer the question for stretch directly, but I see that LTS
would like to issue a DLA for it.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#998419; Package src:kodi. (Thu, 04 Nov 2021 08:51:15 GMT)


Acknowledgement sent to Vasyl Gello <vasek.gello@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Thu, 04 Nov 2021 08:51:15 GMT)


Message #43 received at 998419@bugs.debian.org:

From: Vasyl Gello <vasek.gello@gmail.com>
To: Salvatore Bonaccorso <carnil@debian.org>, 998419@bugs.debian.org
Subject: Re: Bug#998419: kodi: CVE-2021-42917
Date: Thu, 04 Nov 2021 08:50:04 +0000
Hi Salvatore!
 
>> This bug was fixed in 19.3 upstream, and the sid/bookworm version is not vulnerable.
>
>Yes you are right, that was an error on my side, checking the source,
>upstream commit and where the fix was included, thanks for correcting,
>and apologies for the bad tracking at first. I double checked what
>happened, and it was definitively that I got confused about the
>inclusion from the upstream commit and not realizing it is in 19.3
>already.

No worries! I knew about this bug and patch because I am a Kodi team
member and I did an assessment of that issue. I am still learning the art
of interaction with Debian BTS though :)

>I'm not yet sure the issue would warrant a security update per se, but
>the question can be answered for both DSA and update via a point
>release: 2:19.3+dfsg1-1 could not enter directly bullseye. If you do a
>rebase to the 19.3 upstream then this would be either a "rebuild"
>approach 2:19.3+dfsg1-1~deb11u1 (if no other changes to packaging to
>be done) or if you import 19.3 on top of the current bullseye
>packaging because there were other changes not suitable in meanwhile,
>then 2:19.3+dfsg1-0+deb11u1 to have it sorting before 2:19.3+dfsg1-1.

Right now 2:19.3+dfsg1-0+deb11u1 can be rebuilt from 2:19.3+dfsg1-1
with no changes (i.e. only a d/changelog entry). Because of #995823,
I do keep component tarballs from bullseye release to keep debdiff
as clean as possible.

>If you are discussing this already with SRM then this is indeed the
>way to go to see if they agree on your proposal to follow the 19.x
>series for kodi for bullseye.

I really hope Adam will resolve this issue soon. But even if SRMs are
uncomfortable with the Kodi series in stable, I have already prepared
2:19.1+dfsg2-3 with a cherry-picked fix. I Cc'ed you in that bug, too.
-- 
Vasyl Gello


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Nov 4 14:37:03 2021; Machine Name: buxtehude
