SB2017062025 - Gentoo update for Kodi



SB2017062025 - Gentoo update for Kodi

Published: June 20, 2017 Updated: June 20, 2017

Security Bulletin ID SB2017062025
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 vulnerabilities.


1) Denial of service (CVE-ID: CVE-2015-3885)

CWE-ID: CWE-120 - Buffer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote unauthenticated user to cause DoS condition on the target system.
The weakness exists due to buffer overflow caused by processing of malformed XMP or RAW image and allowing attackers to trigger the affected service deny or execute arbitrary code.
Successful exploitation of the vulnerability results in denial of service or arbitrary code execution on the vulnerable system.

2) Path traversal (CVE-ID: CVE-2017-8314)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Green


The vulnerability allows a remote non-authenticated attacker to manipulate data.

Directory Traversal in Zip Extraction built-in function in Kodi 17.1 and earlier allows arbitrary file write on disk via a Zip file as subtitles.


Remediation

Install update from vendor's website.