Kodi's urllib3 might be vulnerable to CVE-2021-33503

[dotlambda]

The version is called 1.26.4+matrix.1. That seems to be older than 1.26.5 which is the first version with a fix for https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33503.
Can't we use python3Packages.urllib3?
cc @aanderse @cpages @edwtjo @minijackson @peterhoeg @sephalon

[aanderse]

Would be nice if we could push issues like this upstream and have them fix it. Our tooling is nice and all we would have to do is backport the bump that our bot automatically creates.

Any idea if upstream has addressed this? I can probably look later tonight when I'm at a computer.

[dotlambda]

That's the problem with such tooling. You only get security updates after upstream notices them, if ever. Thus at least one more indirection.

[aanderse]

That's the problem with such tooling. You only get security updates after upstream notices them, if ever.

I guess I'm just spoiled by our (nixpkgs) tooling because all this comment made me think is that upstream could really benefit from using this type of tooling too 😉

[dotlambda]

Is there a way to override specific plugins?
There wouldn't be much to maintain if you just use python3Packages.urllib3.

[aanderse]

Straight python libs generally won't work as kodi packaging does a little wrapping. Certainly we could replicate this... but that would come at a bit of a maintenance cost too.

[dotlambda]

We'll have to do either that or update upstream asap.

[aanderse]

I'm out for the day and my android phone can't read .xz files so I can't check if upstream has fixed this or not.

Manually running the update script would let us know... if you have the capacity.

[dotlambda]

Manually running the update script would let us know... if you have the capacity.

How do I run it?
EDIT: nix-shell maintainers/scripts/update.nix --argstr package kodiPlugins.urllib3

[dotlambda]

$ nix-shell maintainers/scripts/update.nix --argstr package kodiPlugins.urllib3

Going to be running update for following packages:
 - kodi-urllib3-1.26.4+matrix.1

Press Enter key to continue...

Running update for:
 - kodi-urllib3-1.26.4+matrix.1: UPDATING ...
 - kodi-urllib3-1.26.4+matrix.1: DONE.

Packages updated!

Doesn't change anything.

[dotlambda]

Where are these add-ons maintained upstream?

[aanderse]

Looks like here. It seems like kodi developers pull upstream code right into their tree and then make a few minor additions for packaging as seen here.