On Tue, Oct 3, 2017 at 7:04 PM, Jonas Smedegaard <d...@jones.dk> wrote:
> Quoting Felipe Sateler (2017-10-03 23:32:24)
>> On Tue, Oct 3, 2017 at 5:49 PM, Jonas Smedegaard <d...@jones.dk> wrote:
>> > Package: kodi
>> > Version: 2:17.3+dfsg1-2
>> > Severity: grave
>>
>> This severity feels a bit inflated. After all, you can download and
>> run non-free programs using a web browser too!
>
> When you browse into <https://evil.example.com/>, download scarycode.sh
> from there and execute it in a shell, then you are to blame if your foot
> gets blown away.
>
> If instead you open your media center, it automatically updates an addon
> but the http connection gets hijacked and redirected to
> http://evil.example.com/ where scarycode.sh instead gets loaded and
> blows off your foot, then I dare say not you but your media center is to
> blame.
Ah, this was key information I was missing (the automatic part).

>> > Tags: security upstream patch
>> > Justification: user security hole
>
> What severity would you use for user security hole? Or do you disagree
> that using hardcoded http in an _internal_ interface is a user security
> hole?
>

No, I don't disagree. I just misunderstood.

>
>> > Kodi supports downloading and loading addons at runtime.
>> >
>> > Official addon feed is served only via http and contains non-free
>> > addons.
>> >
>> > Allowing to extend the system with non-free addons at runtime by
>> > default is arguably an anti-feature in itself. Doing so insecurely
>> > poses a risk of malicious code getting into users' home and executed
>> > by Kodi.
>> >
>> > Attached patch relaxes to make addon feed optional.
>>
>> Making plugin feeds optional sounds good though.
>
> Right.
>
> I realize my choice of words might be confusing: feed is optional in
> code with the patch, meaning it won't fail to start if missing. On the
> packaging level I however intend at first to have kodi _recommend_ the
> feed, so it will be pulled in by default - so until an alternative exists
> it is an "opt-out" not an "opt-in".

BTW, I think there are two issues conflated here:
1. Insecure downloading of code
2. Non-free addons available by default.

I think your patch mainly addresses issue number 2, doesn't it? Fixing
issue 1 would require asking upstream to provide
https://mirrors.kodi.tv/addons/krypton/addons.xml.gz.md5 (and upgrade to a
better hash algorithm).

--
Saludos,
Felipe Sateler
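The integrity check that issue 1 above calls for, as an added illustration that is neither Kodi's code nor part of this thread: a client that downloads the addon feed archive would verify it against a detached checksum file before loading anything. The example assumes the checksum file uses the `<hex digest>  <filename>` layout produced by md5sum/sha256sum (an assumption about the upstream format), refuses MD5 unless explicitly allowed for legacy feeds, and uses a constructed feed body rather than a real download.

```python
"""Verify a downloaded addon feed archive against a detached checksum file.

Added example only: not Kodi's code. The checksum-file layout
(`<hex digest>  <filename>`, as written by md5sum/sha256sum) is an assumption.
"""
import hashlib
import hmac

# Digest algorithms the verifier understands. MD5 is listed only so a legacy
# ".md5" file can be recognised; it is flagged weak and refused by default.
ALGOS = {"md5": hashlib.md5, "sha256": hashlib.sha256}
WEAK_ALGOS = {"md5"}

# Constructed stand-in for addons.xml.gz; a real client would have fetched bytes.
SAMPLE_FEED = b'<addons><addon id="example.addon" version="1.0"/></addons>'


def parse_checksum_file(text: str) -> dict:
    """Return {filename: hex_digest} from md5sum/sha256sum-style lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line: ignore rather than trust a partial entry
        digest, name = parts
        # GNU tools prefix the name with '*' in binary mode; strip it.
        entries[name.lstrip("*")] = digest.lower()
    return entries


def verify_feed(data: bytes, checksum_text: str, filename: str, algo: str,
                allow_weak: bool = False) -> bool:
    """True iff `data` matches the digest recorded for `filename`.

    Returns False (never raises) on any mismatch, missing entry, or a weak
    algorithm that the caller did not opt into, so the caller's only safe
    path to loading the feed is an explicit True.
    """
    if algo not in ALGOS:
        raise ValueError(f"unsupported digest algorithm: {algo}")
    if algo in WEAK_ALGOS and not allow_weak:
        # MD5 collisions are practical; refuse it for code integrity by default.
        return False
    expected = parse_checksum_file(checksum_text).get(filename)
    if expected is None:
        return False
    actual = ALGOS[algo](data).hexdigest()
    # Constant-time comparison: the check itself should not leak digest bytes.
    return hmac.compare_digest(actual, expected)


def checksum_line(data: bytes, filename: str, algo: str) -> str:
    """Build a one-entry checksum file, as upstream would publish it."""
    return f"{ALGOS[algo](data).hexdigest()}  {filename}\n"


def demo() -> dict:
    """Run the verifier over a good feed, a tampered feed, and a legacy MD5 file."""
    name = "addons.xml.gz"
    sha_file = checksum_line(SAMPLE_FEED, name, "sha256")
    md5_file = checksum_line(SAMPLE_FEED, name, "md5")
    # Constructed tampering: a hijacked connection swapping the addon listing.
    tampered = SAMPLE_FEED.replace(b"example.addon", b"evil.addon")
    return {
        "good": verify_feed(SAMPLE_FEED, sha_file, name, "sha256"),
        "tampered": verify_feed(tampered, sha_file, name, "sha256"),
        "md5_refused": verify_feed(SAMPLE_FEED, md5_file, name, "md5"),
        "md5_legacy": verify_feed(SAMPLE_FEED, md5_file, name, "md5",
                                  allow_weak=True),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'verified' if ok else 'rejected'}")
```

Design note: a checksum only helps if the attacker cannot replace it along with the archive, so the checksum file (or a signature over it) needs to arrive over an authenticated channel such as HTTPS with certificate validation, or be signed with a key the client already trusts; fetching both files over the same plain-http path leaves the swap the thread describes fully possible.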