Open pannal opened 7 years ago
A bit more information about the ZipFile topic:
SZ only puts out SRT (I would be very curious about an exploit) and handles ZIP files without writing anything to disk.
A ZIP file gets loaded into BytesIO and the subtitle in question gets extracted into memory, then the contents get read and processed.
It's virtually impossible to get around that.
Additional info about the exploits: https://blog.checkpoint.com/2017/07/08/hacked-translation-directors-cut-full-technical-details/
So basically: You're not affected as long as your player isn't vulnerable.
As for VLC: Sub-Zero only puts out SRT files, not ASS, which was used in the VLC exploit.
You may have seen this post by Check Point Software.
I can't say whether Sub-Zero is affected by those exploits, because they haven't been disclosed yet. I've seen the changes to the KODI and the PopcornTime repositories - KODI fixed Zip File path traversal issues, so I'm guessing that's at least one of the exploits Check Point have found.
ZipFile traversal doesn't pose a threat to Sub-Zero, as:
The other attack vector could be the subtitle format itself and how the player parses it. On that I have zero information, but this also isn't a problem for Sub-Zero, as it only ever outputs .SRT. I'm sure someone could mess up an SRT parser for a player that poses exploitability, but I'd like to see one first.
tl;dr: not an issue for Sub-Zero or subliminal
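The in-memory ZIP handling described in the post above, as an added example (not Sub-Zero's or subliminal's own code, and not part of the original post). The function names, the size cap and the sample archive with a traversal-style member name are assumptions constructed for illustration.

```python
import io
import posixpath
import zipfile

MAX_SUBTITLE_BYTES = 5 * 1024 * 1024  # assumed cap, not taken from the post


def make_sample_zip():
    """Constructed sample: an archive whose member name attempts path traversal."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.nfo", "not a subtitle")
        zf.writestr("../../../tmp/evil.srt",
                    "1\n00:00:01,000 --> 00:00:02,000\nHello\n")
    return buf.getvalue()


def read_subtitle_from_zip(data, ext=".srt"):
    """Return (label, text) for the first archive member with the wanted extension.

    The archive is opened from a BytesIO buffer and the member is read with
    ZipFile.read(). extract()/extractall() are never called, so the member
    name is never used as a filesystem path and nothing is written to disk.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(ext):
                continue
            # Reject members whose declared uncompressed size exceeds the cap.
            if info.file_size > MAX_SUBTITLE_BYTES:
                raise ValueError("subtitle member too large")
            raw = zf.read(info)
            # Keep only the basename, and only as a display label.
            label = posixpath.basename(info.filename.replace("\\", "/"))
            return label, raw.decode("utf-8", errors="replace")
    raise LookupError("no %s member in archive" % ext)


if __name__ == "__main__":
    print(read_subtitle_from_zip(make_sample_zip()))
```

The traversal components in the member name only matter to code that joins the name onto a directory and writes there; here the name is reduced to a label and the bytes stay in memory.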