Bug#877656: kodi: supports insecure download of non-free addons

Jonas Smedegaard dr at jones.dk
Tue Oct 3 20:49:08 UTC 2017


Package: kodi
Version: 2:17.3+dfsg1-2
Severity: grave
Tags: security upstream patch
Justification: user security hole

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Kodi supports downloading and loading addons at runtime.

The official addon feed is served only via http and contains non-free addons.

Allowing the system to be extended with non-free addons at runtime by default
is arguably an anti-feature in itself.  Doing so insecurely poses a risk
of malicious code getting into users' homes and being executed by Kodi.

The attached patch relaxes this to make the addon feed optional.

I intend to move the addons feed configuration file to a separate
package "kodi-repository-kodi" and, at first, ship that package in main
recommended by kodi.

Later when an alternate package "kodi-repository-curated" is available¹,
I intend to favor that over kodi-repository-kodi and move the latter to
contrib.

 - Jonas


¹ I am setting up a web service "addons.debian.net" which (among other
things) will provide a curated feed of Kodi plugins, filtered to list
only DFSG-free addons.

-------------- next part --------------
Description: Support omitting addons repository feed
 The upstream official addon repository feed contains non-free addons.
 .
 Extending the system at runtime is arguably an anti-feature -
 either for political reasons or due to security risks.
 .
 This patch makes it possible to omit the addons repository feed.
Author: Jonas Smedegaard <dr at jones.dk>
Last-Update: 2017-10-03
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/system/addon-manifest.xml
+++ b/system/addon-manifest.xml
@@ -21,7 +21,7 @@
   <addon>metadata.local</addon>
   <addon>metadata.themoviedb.org</addon>
   <addon>metadata.tvdb.com</addon>
-  <addon>repository.xbmc.org</addon>
+  <addon optional="true">repository.xbmc.org</addon>
   <addon>resource.images.weathericons.default</addon>
   <addon>resource.language.en_gb</addon>
   <addon>resource.uisounds.kodi</addon>
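Review bot: marking repository.xbmc.org as optional in the manifest only stops Kodi from requiring that addon to be present; it does not change the http transport of the feed, so the insecure download remains whenever the repository addon is still installed. The security benefit therefore depends entirely on the follow-up step described in the report (moving the repository.xbmc.org addon out into a separate kodi-repository-kodi package and eventually not recommending it), and it is worth confirming that the packaged Kodi version actually honours the `optional` attribute in system/addon-manifest.xml, since an ignored attribute would leave the manifest still demanding the addon. The DEP-3 header should also carry a `Bug-Debian: https://bugs.debian.org/877656` field and, given the `upstream` tag, a `Forwarded:` field stating whether the change has been submitted upstream.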

