Bug#877656: kodi: supports insecure download of non-free addons

Felipe Sateler fsateler at debian.org
Tue Oct 3 21:32:24 UTC 2017


On Tue, Oct 3, 2017 at 5:49 PM, Jonas Smedegaard <dr at jones.dk> wrote:
> Package: kodi
> Version: 2:17.3+dfsg1-2
> Severity: grave

This severity feels a bit inflated. After all, you can download and
run non-free programs using a web browser too!

> Tags: security upstream patch
> Justification: user security hole
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Kodi supports downloading and loading addons at runtime.
>
> Official addon feed is served only via http and contains non-free addons.
>
> Allowing the system to be extended with non-free addons at runtime by
> default is arguably an anti-feature in itself.  Doing so insecurely poses
> a risk of malicious code getting into users' home and being executed by
> Kodi.
>
> The attached patch relaxes this to make the addon feed optional.

Making plugin feeds optional sounds good though.

>
> I intend to move the addons feed configuration file to a separate
> package "kodi-repository-kodi" and, at first, ship that package in main
> recommended by kodi.
>
> Later when an alternate package "kodi-repository-curated" is available¹,
> I intend to favor that over kodi-repository-kodi and move the latter to
> contrib.

I don't think moving to contrib makes sense. Either the package fits
the requirements for main or it doesn't.

I don't think this package should go in contrib, as it doesn't *need*
any software not available in main. So it should not be moved there.

-- 

Saludos,
Felipe Sateler
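The quoted report's concern is a repository feed that Kodi fetches over plain http. The following is an added example, not code from this bug thread, from the attached patch, or from the Kodi project: a small lint that parses a Kodi repository addon.xml and lists every feed URL (info, checksum, datadir) that is not served over https. It assumes the repository extension layout used by Kodi 17 era repository addons (an `<extension point="xbmc.addon.repository">` element with `<info>`, `<checksum>` and `<datadir>` children); the sample addon.xml documents below are constructed, and `repo.example.invalid` is a placeholder host.

```python
"""Flag Kodi repository feed URLs that are fetched over plain HTTP.

Added example for the bug discussion above; it is not the Kodi project's
code and not the attached Debian patch.  Assumption: a repository addon
declares its feed inside <extension point="xbmc.addon.repository"> using
<info>, <checksum> and <datadir> children that carry the URLs.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Child elements of the repository extension that hold fetched URLs.
FEED_TAGS = ("info", "checksum", "datadir")


def insecure_feed_urls(addon_xml: str) -> list:
    """Return [(tag, url), ...] for every feed URL whose scheme is not https.

    A checksum served over the same plain-HTTP channel as the addon list
    gives no integrity guarantee, so it is reported just like the list.
    """
    root = ET.fromstring(addon_xml)
    findings = []
    for ext in root.iter("extension"):
        if ext.get("point") != "xbmc.addon.repository":
            continue
        for child in ext:
            if child.tag not in FEED_TAGS:
                continue
            url = (child.text or "").strip()
            # urlsplit yields an empty scheme for bare hosts/paths, which
            # is also treated as insecure.
            if urlsplit(url).scheme.lower() != "https":
                findings.append((child.tag, url))
    return findings


def is_feed_secure(addon_xml: str) -> bool:
    """True when every feed URL in the repository definition uses https."""
    return not insecure_feed_urls(addon_xml)


# Constructed sample: all three feed URLs over plain http (the situation
# described in the report).
INSECURE_REPO = """<addon id="repository.example" name="Example Repository"
       version="1.0.0" provider-name="example">
  <extension point="xbmc.addon.repository" name="Example repo">
    <info compressed="false">http://repo.example.invalid/addons.xml</info>
    <checksum>http://repo.example.invalid/addons.xml.md5</checksum>
    <datadir zip="true">http://repo.example.invalid/</datadir>
  </extension>
  <extension point="xbmc.addon.metadata">
    <summary>constructed sample</summary>
  </extension>
</addon>
"""

# Constructed sample: same repository with every URL moved to https.
SECURE_REPO = INSECURE_REPO.replace("http://", "https://")

# Constructed sample: only the data directory is still fetched over http.
MIXED_REPO = SECURE_REPO.replace(
    "https://repo.example.invalid/</datadir>",
    "http://repo.example.invalid/</datadir>",
)


if __name__ == "__main__":
    for name, doc in (("insecure", INSECURE_REPO),
                      ("secure", SECURE_REPO),
                      ("mixed", MIXED_REPO)):
        print(name, insecure_feed_urls(doc))
```

Run against a repository's addon.xml before shipping it in a package such as the proposed kodi-repository-kodi, the lint gives a concrete yes/no answer to "is this feed fetched over a channel that can be tampered with in transit"; the check deliberately counts the checksum URL as well, because an http-served checksum can be rewritten along with the addon list it is meant to protect.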
