Bug#877656: kodi: supports insecure download of non-free addons

Felipe Sateler fsateler at debian.org
Tue Oct 3 22:32:21 UTC 2017


On Tue, Oct 3, 2017 at 7:04 PM, Jonas Smedegaard <dr at jones.dk> wrote:
> Quoting Felipe Sateler (2017-10-03 23:32:24)
>> On Tue, Oct 3, 2017 at 5:49 PM, Jonas Smedegaard <dr at jones.dk> wrote:
>> > Package: kodi
>> > Version: 2:17.3+dfsg1-2
>> > Severity: grave
>>
>> This severity feels a bit inflated. After all, you can download and
>> run non-free programs using a web browser too!
>
> When you browse into <https://evil.example.com/>, download scarycode.sh
> from there and execute it in a shell, then you are to blame if your foot
> gets blown away.
>
> If instead you open your media center, it automatically updates an addon
> but the http connection gets hijacked and redirected to
> http://evil.example.com/ where scarycode.sh instead gets loaded and
> blows off your foot, then I dare say not you but your media center is to
> blame.

Ah, this was key information I was missing (the automatic part).

>> > Tags: security upstream patch
>> > Justification: user security hole
>
> What severity would you use for user security hole?  Or do you disagree
> that using hardcoded http in an _internal_ interface is a user security
> hole?
>

No, I don't disagree. I just misunderstood.

>
>> > Kodi supports downloading and loading addons at runtime.
>> >
>> > Official addon feed is served only via http and contains non-free
>> > addons.
>> >
>> > Allowing to extend the system with non-free addons at runtime by
>> > default is arguably an anti-feature in itself.  Doing so insecurely
>> > poses a risk of malicious code getting into users' home and executed
>> > by Kodi.
>> >
>> > Attached patch relaxes to make addon feed optional.
>>
>> Making plugin feeds optional sounds good though.
>
> Right.
>
> I realize my choice of words might be confusing: feed is optional in
> code with the patch, meaning it won't fail to start if missing.  On the
> packaging level I however intend at first to have kodi _recommend_ the
> feed, so it will be pulled in by default - so until an alternative exists
> it is an "opt-out" not an "opt-in".

BTW, I think there are two issues conflated here:

1. Insecure downloading of code
2. Non-free addons available by default.

I think your patch mainly addresses issue number 2, doesn't it? Fixing
issue 1 would require asking upstream to provide
https://mirrors.kodi.tv/addons/krypton/addons.xml.gz.md5 (and upgrade
to a better hash algorithm).



-- 

Saludos,
Felipe Sateler
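The closing point of the mail above (an .md5 sidecar only protects the feed if the sidecar itself arrives over a channel the attacker cannot rewrite) is easier to see in code. What follows is an added example for this archive page, not code from Kodi or from anyone in the thread. It models the feed and the attacker's substitute with constructed gzip blobs, replaces the network with a toy fetch() in which https stands for a channel the on-path attacker cannot tamper with and http for one they fully control, and takes only the feed path from the mirrors.kodi.tv URL quoted above. The function names download_feed, sidecar_path and digest_hex are this example's own.

```python
import gzip
import hashlib

# Constructed stand-ins for addons.xml.gz. The XML is made up for this example
# and is not the real Kodi feed; mtime=0 keeps the blobs deterministic.
GENUINE_FEED = gzip.compress(
    b'<addons><addon id="plugin.example" version="1.0.0"/></addons>', mtime=0)
MALICIOUS_FEED = gzip.compress(
    b'<addons><addon id="plugin.example" version="9.9.9"/></addons>', mtime=0)

# Path taken from the URL cited in the mail; sidecars follow the ".md5" pattern.
FEED_PATH = "/addons/krypton/addons.xml.gz"


def digest_hex(data: bytes, algo: str) -> str:
    """Hex digest with the named hashlib algorithm ("md5" today, "sha256" preferably)."""
    return hashlib.new(algo, data).hexdigest()


def sidecar_path(algo: str) -> str:
    return f"{FEED_PATH}.{algo}"


def serve(feed: bytes) -> dict:
    """Resource set a server (or an attacker) offers: the feed plus one digest
    sidecar per algorithm, in the usual 'hex\\n' file format."""
    return {
        FEED_PATH: feed,
        sidecar_path("md5"): (digest_hex(feed, "md5") + "\n").encode(),
        sidecar_path("sha256"): (digest_hex(feed, "sha256") + "\n").encode(),
    }


ORIGIN = serve(GENUINE_FEED)       # what the genuine mirror answers
HIJACKED = serve(MALICIOUS_FEED)   # what the on-path attacker answers instead


def fetch(path: str, https: bool) -> bytes:
    """Toy transport (assumption of this example). https=True models an
    authenticated channel the attacker cannot alter; https=False models plain
    http, where the attacker rewrites every response, as in the bug report."""
    return (ORIGIN if https else HIJACKED)[path]


def download_feed(feed_https: bool, sidecar_https: bool, algo: str = "md5"):
    """Fetch the feed and its digest sidecar; accept only if they match.
    Returns (accepted, feed_bytes) so the caller can see what would be loaded."""
    feed = fetch(FEED_PATH, feed_https)
    expected = fetch(sidecar_path(algo), sidecar_https).decode().strip()
    return digest_hex(feed, algo) == expected, feed


def describe(feed_https: bool, sidecar_https: bool, algo: str = "md5") -> str:
    accepted, feed = download_feed(feed_https, sidecar_https, algo)
    what = "genuine" if feed == GENUINE_FEED else "MALICIOUS"
    return (f"feed over {'https' if feed_https else 'http'}, "
            f".{algo} over {'https' if sidecar_https else 'http'}: "
            f"{'accepted' if accepted else 'rejected'} ({what} feed)")


if __name__ == "__main__":
    print(describe(False, False))           # accepted (MALICIOUS feed): sidecar proves nothing
    print(describe(False, True))            # rejected: trusted sidecar catches the swap
    print(describe(False, True, "sha256"))  # rejected, without depending on md5
    print(describe(True, True))             # accepted (genuine feed)
```

The algo parameter is there to separate the two concerns raised in the mail: when feed and sidecar both travel over http, the attacker simply publishes a matching digest for the substituted feed, so no collision is needed and moving from md5 to sha256 changes nothing on its own. The hash upgrade only matters once the sidecar comes over a channel the attacker cannot write to.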



More information about the pkg-multimedia-maintainers mailing list