[Bug 1694249] [NEW] CVE-2017-8314: malicious subtitle zip files vulnerability

Launchpad Bug Tracker 1694249 at bugs.launchpad.net
Mon May 29 20:38:23 UTC 2017


You have been subscribed to a public bug by Ubuntu Foundations Team Bug Bot (crichton):


[Impact]
 * A specially crafted zip file, for example a zipped subtitle, can overwrite arbitrary files by traversing parent directories
 * This bug can be triggered remotely by tricking the user into opening a crafted subtitle, thus I believe fixing it would be important

[Test Case]
 * Download https://people.debian.org/~rbalint/reproducers/check-kodi-CVE-2017-8314.zip
 * Start playing a video file
 * Try loading the subtitle from check-kodi-CVE-2017-8314.zip following the ".." directory inside the zip
 * If you can't open the zip file and load the ../*.srt file inside the zip file, your Kodi installation is fixed. Fixed 17.1 does not even list the zip file when browsing for subtitles.

[Regression Potential]
 * Kodi may fail to load valid zip files
 * You can verify that a harmless subtitle can still be loaded by testing it with https://people.debian.org/~rbalint/reproducers/harmless-subtitle.zip
 * New build-time tests are added which check potential regressions

[Other Info]
 * From the Debian bug:

 * Kodi 17.2 has an important fix for the malicious subtitles
   vulnerability that has the potential to compromise your machine. It is
   important to update to this version as soon as possible.
   http://blog.checkpoint.com/2017/05/23/hacked-in-translation/

** Affects: kodi (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: kodi (Debian)
     Importance: Unknown
         Status: Fix Released


** Tags: patch security
-- 
CVE-2017-8314: malicious subtitle zip files vulnerability
https://bugs.launchpad.net/bugs/1694249
You received this bug notification because you are a member of Ubuntu Sponsors Team, which is subscribed to the bug report.
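
The parent-directory traversal described under [Impact], as an added example (not part of the bug report and not Kodi's code): a Python check that flags zip entries whose names leave the extraction directory and refuses to extract such an archive. It goes slightly beyond the ".." case in the report by also rejecting absolute paths and drive letters; the function names and the in-memory sample archive are constructed for illustration.

```python
import io
import os
import posixpath
import zipfile

def is_traversal(name):
    """True if a zip entry name would resolve outside the extraction root."""
    name = name.replace("\\", "/")           # treat Windows separators alike
    if name.startswith("/") or name[1:2] == ":":
        return True                           # absolute path or drive letter
    norm = posixpath.normpath(name)           # collapses "a/../.." to ".."
    return norm == ".." or norm.startswith("../")

def unsafe_entries(zf):
    """List entry names in an open ZipFile that escape the root."""
    return [i.filename for i in zf.infolist() if is_traversal(i.filename)]

def safe_extract(zf, dest):
    """Extract only if every entry stays under dest; write nothing otherwise."""
    bad = unsafe_entries(zf)
    if bad:
        raise ValueError("refusing archive, entries escape root: %r" % bad)
    written = []
    for info in zf.infolist():
        if info.is_dir():
            continue
        rel = posixpath.normpath(info.filename.replace("\\", "/"))
        target = os.path.join(dest, *rel.split("/"))
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as out:
            out.write(zf.read(info))
        written.append(rel)
    return written

def build_sample(names):
    """Constructed in-memory archive; every entry holds a dummy subtitle."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, "1\n00:00:01,000 --> 00:00:02,000\nhello\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    crafted = build_sample(["subs/ok.srt", "../outside.srt", "subs/../../b.srt"])
    with zipfile.ZipFile(crafted) as zf:
        print(unsafe_entries(zf))
```

The check is lexical only: it does not inspect symlink entries or links already present under the destination directory.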