Your message dated Sat, 18 Dec 2021 11:36:17 +0000
with message-id
<f35b13da0620aab462a587a3d6f06f29a527c6c9.ca...@adam-barratt.org.uk>
and subject line Closing p-u requests for changes included in 11.2
has caused the Debian Bug report #999509,
regarding bullseye-pu: package kodi/2:19.1+dfsg2-3~deb11u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
999509: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=999509
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: mat...@debian.org
[ Reason ]
Targeted fix for CVE-2021-42917
[ Impact ]
Users might experience a denial-of-service triggered remotely by loading
specially crafted PLS playlist.
[ Tests ]
Build + autopkgtest + manual test with reproducer from
https://github.com/xbmc/xbmc/issues/20305
[ Risks ]
Patch is trivial, so risk is greater from vulnerability itself rather than
from patch applied.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
One patch added to fix the vulnerability plus necessary
changes in d/control, d/gbp.conf and d/changelog to make
bullseye a separate branch
[ Other info ]
I would like to get this in bullseye so that I can decouple the 19.4 build in
unstable
from the requirement to keep the older versions of embedded libdvdnav, dvdread.
Also
keeping 19.4 compatible with bullseye prevents me from fixing other bugs
involving
changes in binary package contents (and introducing new binary packages, too).
diff -Nru kodi-19.1+dfsg2/debian/changelog kodi-19.1+dfsg2/debian/changelog
--- kodi-19.1+dfsg2/debian/changelog 2021-06-24 20:44:30.000000000 +0000
+++ kodi-19.1+dfsg2/debian/changelog 2021-11-04 09:17:25.000000000 +0000
@@ -1,3 +1,10 @@
+kodi (2:19.1+dfsg2-3~deb11u1) bullseye-updates; urgency=medium
+
+ * Branch out bullseye
+ * Fix buffer overflow in PLS playlists (Closes: CVE-2021-42917)
+
+ -- Vasyl Gello <vasek.ge...@gmail.com> Thu, 04 Nov 2021 09:17:25 +0000
+
kodi (2:19.1+dfsg2-2) unstable; urgency=medium
* Add runtime locale test and fallback (Closes: #989814)
diff -Nru kodi-19.1+dfsg2/debian/control kodi-19.1+dfsg2/debian/control
--- kodi-19.1+dfsg2/debian/control 2021-06-24 20:44:30.000000000 +0000
+++ kodi-19.1+dfsg2/debian/control 2021-11-04 09:17:25.000000000 +0000
@@ -107,7 +107,7 @@
Standards-Version: 4.5.1
Rules-Requires-Root: no
Vcs-Browser: https://salsa.debian.org/multimedia-team/kodi-media-center/kodi
-Vcs-Git: https://salsa.debian.org/multimedia-team/kodi-media-center/kodi.git
+Vcs-Git: https://salsa.debian.org/multimedia-team/kodi-media-center/kodi.git
-b bullseye
Homepage: https://kodi.tv/
Package: kodi
diff -Nru kodi-19.1+dfsg2/debian/gbp.conf kodi-19.1+dfsg2/debian/gbp.conf
--- kodi-19.1+dfsg2/debian/gbp.conf 2021-06-24 20:44:30.000000000 +0000
+++ kodi-19.1+dfsg2/debian/gbp.conf 2021-11-04 09:17:25.000000000 +0000
@@ -3,3 +3,4 @@
[DEFAULT]
filter = */.git*
components = ["libdate-tz-embedded", "libdvdnav-embedded",
"libdvdread-embedded"]
+debian-branch = bullseye
diff -Nru kodi-19.1+dfsg2/debian/patches/series
kodi-19.1+dfsg2/debian/patches/series
--- kodi-19.1+dfsg2/debian/patches/series 2021-06-24 20:44:30.000000000
+0000
+++ kodi-19.1+dfsg2/debian/patches/series 2021-11-04 09:17:25.000000000
+0000
@@ -42,3 +42,4 @@
cdatetime-std-chrono/0002-Use-Debian-tzdata.patch
cdatetime-std-chrono/0003-Reinstate-date-library-Makefile.patch
cdatetime-std-chrono/0004-date-library-crash-fix.patch
+stable/CVE-2021-42917.patch
diff -Nru kodi-19.1+dfsg2/debian/patches/stable/CVE-2021-42917.patch
kodi-19.1+dfsg2/debian/patches/stable/CVE-2021-42917.patch
--- kodi-19.1+dfsg2/debian/patches/stable/CVE-2021-42917.patch 1970-01-01
00:00:00.000000000 +0000
+++ kodi-19.1+dfsg2/debian/patches/stable/CVE-2021-42917.patch 2021-11-04
09:17:25.000000000 +0000
@@ -0,0 +1,35 @@
+From 80c8138c09598e88b4ddb6dbb279fa193bbb3237 Mon Sep 17 00:00:00 2001
+From: fuzzard <fuzz...@kodi.tv>
+Date: Tue, 12 Oct 2021 17:38:30 +1000
+Subject: [PATCH] [Playlist] dont use istream directly to a tinyxml structure
+
+Turn istream into a std::string to handle large buffers (#20305)
+---
+ xbmc/playlists/PlayListPLS.cpp | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/xbmc/playlists/PlayListPLS.cpp b/xbmc/playlists/PlayListPLS.cpp
+index bc62a1fe7ad5b..17d6e491d25b6 100644
+--- a/xbmc/playlists/PlayListPLS.cpp
++++ b/xbmc/playlists/PlayListPLS.cpp
+@@ -289,8 +289,9 @@ bool CPlayListASX::LoadData(std::istream& stream)
+ }
+ else
+ {
++ std::string asxstream(std::istreambuf_iterator<char>(stream), {});
+ CXBMCTinyXML xmlDoc;
+- stream >> xmlDoc;
++ xmlDoc.Parse(asxstream, TIXML_DEFAULT_ENCODING);
+
+ if (xmlDoc.Error())
+ {
+@@ -300,6 +301,9 @@ bool CPlayListASX::LoadData(std::istream& stream)
+
+ TiXmlElement *pRootElement = xmlDoc.RootElement();
+
++ if (!pRootElement)
++ return false;
++
+ // lowercase every element
+ TiXmlNode *pNode = pRootElement;
+ TiXmlNode *pChild = NULL;
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.2
Hi,
All of the updates referred to by these bugs were included in this
morning's bullseye point release.
Regards,
Adam
--- End Message ---
