pannal / Sub-Zero.bundle

Subtitles for Plex, as good as you would expect them to be.

Hacked in translation - is Sub-Zero affected? #291

Open pannal opened 7 years ago

pannal commented 7 years ago

You may have seen this post by Check Point Software.

I can't say whether Sub-Zero is affected by those exploits, because they haven't been disclosed yet. I've seen the changes to the KODI and the PopcornTime repositories - KODI fixed Zip File path traversal issues, so I'm guessing that's at least one of the exploits Check Point have found.

ZipFile traversal doesn't pose a threat to Sub-Zero, as:

The other attack vector could be the subtitle format itself and how the player parses it. On that I have zero information, but this also isn't a problem for Sub-Zero, as it only ever outputs .SRT. I'm sure someone could mess up an SRT parser for a player that poses exploitability, but I'd like to see one first.

tl;dr: not an issue for Sub-Zero or subliminal

pannal commented 7 years ago

A bit more information about the ZipFile topic:

SZ only puts out SRT (I would be very curious about an exploit) and handles ZIP files without writing anything to disk.

A ZIP file gets loaded into BytesIO and the subtitle in question gets extracted into memory, then the contents get read and processed.

It's virtually impossible to get around that.
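
The in-memory handling described in the comment above, sketched as an added example (not Sub-Zero's own code and not written by the commenter): the archive is opened from `BytesIO`, the subtitle entry is read into memory, and the entry name is used only as a label. The function names, the size cap and the sample archive are assumptions constructed for illustration.

```python
import io
import posixpath
import zipfile

MAX_SUBTITLE_BYTES = 5 * 1024 * 1024  # assumed cap, not a Sub-Zero setting


def build_sample_zip():
    """Constructed sample archive: one entry carries a traversal-style name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "not a subtitle")
        zf.writestr("../../../tmp/evil.srt",
                    "1\n00:00:01,000 --> 00:00:02,000\nHello\n")
    return buf.getvalue()


def read_subtitle_in_memory(zip_bytes, wanted_ext=".srt"):
    """Return (label, text) of the first matching entry without touching disk."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(wanted_ext):
                continue
            # Reject on the declared size, then enforce it with a bounded read,
            # since the declared size comes from the untrusted archive.
            if info.file_size > MAX_SUBTITLE_BYTES:
                raise ValueError("subtitle entry too large")
            with zf.open(info) as member:
                data = member.read(MAX_SUBTITLE_BYTES + 1)
            if len(data) > MAX_SUBTITLE_BYTES:
                raise ValueError("subtitle entry too large")
            # No extract()/extractall(): the entry name never becomes a path.
            label = posixpath.basename(info.filename.replace("\\", "/"))
            return label, data.decode("utf-8", errors="replace")
    raise LookupError("no subtitle entry in archive")


if __name__ == "__main__":
    name, text = read_subtitle_in_memory(build_sample_zip())
    print(name)
    print(text)
```

Because nothing is written using the entry name, the `../` components in the constructed sample have no filesystem effect; the bounded read is an extra guard against oversized entries.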

pannal commented 7 years ago

Additional info about the exploits: https://blog.checkpoint.com/2017/07/08/hacked-translation-directors-cut-full-technical-details/

So basically: You're not affected as long as your player isn't vulnerable.

As for VLC: Sub-Zero only puts out SRT files, not ASS, which was used in the VLC exploit.