SB2017062025 - Gentoo update for Kodi
Published: June 20, 2017 Updated: June 20, 2017
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Denial of service (CVE-ID: CVE-2015-3885)
CWE-ID: CWE-120 - Buffer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote unauthenticated user to cause DoS condition on the target system.
The weakness exists due to buffer overflow caused by processing of malformed XMP or RAW image and allowing attackers to trigger the affected service deny or execute arbitrary code.
Successful exploitation of the vulnerability results in denial of service or arbitrary code execution on the vulnerable system.
2) Path traversal (CVE-ID: CVE-2017-8314)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
The vulnerability allows a remote non-authenticated attacker to manipulate data.
Directory Traversal in Zip Extraction built-in function in Kodi 17.1 and earlier allows arbitrary file write on disk via a Zip file as subtitles.
Remediation
Install update from vendor's website.