Your message dated Thu, 05 Oct 2017 10:00:14 +0000
with message-id <e1e02ww-000fwe...@fasolo.debian.org>
and subject line Bug#877656: fixed in kodi 2:17.3+dfsg1-3
has caused the Debian Bug report #877656,
regarding kodi: supports insecure download of non-free addons
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
877656: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877656
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: kodi
Version: 2:17.3+dfsg1-2
Severity: grave
Tags: security upstream patch
Justification: user security hole

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Kodi supports downloading and loading addons at runtime.

Official addon feed is served only via http and contains non-free addons.

Allowing to extend the system with non-free addons at runtime by default
is arguably an anti-feature in itself.  Doing so insecurely poses a risk
of malicious code getting into users' home and executed by Kodi.

Attached patch relaxes to make addon feed optional.

I intend to move the addons feed configuration file to a separate
package "kodi-repository-kodi" and, at first, ship that package in main
recommended by kodi.

Later when an alternate package "kodi-repository-curated" is available¹,
I intend to favor that over kodi-repository-kodi and move the latter to
contrib.

 - Jonas


¹ I am setting up a web service "addons.debian.net" which (among other
things) will provide a curated feed of Kodi plugins, filtered to list
only DFSG-free addons.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Description: Support omitting addons repository feed
 Upstream official addon repository feed contains non-free addons.
 .
 Extending the system at runtime is arguably an anti-feature -
 either for political reasons or due to security risks.
 .
 This patch makes it possible to omit the addons repository feed.
Author: Jonas Smedegaard <d...@jones.dk>
Last-Update: 2017-10-03
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/system/addon-manifest.xml
+++ b/system/addon-manifest.xml
@@ -21,7 +21,7 @@
   <addon>metadata.local</addon>
   <addon>metadata.themoviedb.org</addon>
   <addon>metadata.tvdb.com</addon>
-  <addon>repository.xbmc.org</addon>
+  <addon optional="true">repository.xbmc.org</addon>
   <addon>resource.images.weathericons.default</addon>
   <addon>resource.language.en_gb</addon>
   <addon>resource.uisounds.kodi</addon>
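
Review bot: on the `repository.xbmc.org` line, `optional="true"` is added in the manifest only, and nothing in this patch shows the loader treating a missing optional entry as non-fatal; please state in the Description whether Kodi's manifest parsing already honours that attribute or whether a companion change is needed. The DEP-3 header also lacks `Bug-Debian:` and `Forwarded:` fields, which would tie the patch to #877656 and record its upstream status (the report is tagged upstream). The change makes the feed removable but leaves its transport unchanged, so wherever the feed stays installed the http download described in the report still applies.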

--- End Message ---
--- Begin Message ---
Source: kodi
Source-Version: 2:17.3+dfsg1-3

We believe that the bug you reported is fixed in the latest version of
kodi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 877...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <d...@jones.dk> (supplier of updated kodi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 04 Oct 2017 03:53:10 +0200
Source: kodi
Binary: kodi kodi-data kodi-bin kodi-eventclients-common kodi-eventclients-dev
 kodi-eventclients-wiiremote kodi-eventclients-ps3 kodi-eventclients-kodi-send
 kodi-addons-dev kodi-repository-kodi xbmc xbmc-bin xbmc-eventclients-common
 xbmc-eventclients-dev xbmc-eventclients-wiiremote xbmc-eventclients-ps3
 xbmc-eventclients-xbmc-send xbmc-addons-dev
Architecture: source amd64 all
Version: 2:17.3+dfsg1-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Jonas Smedegaard <d...@jones.dk>
Description:
 kodi       - Open Source Home Theatre (executable binaries)
 kodi-addons-dev - Open Source Home Theatre (Addons Dev package)
 kodi-bin   - Open Source Home Theatre (architecture-dependent files)
 kodi-data  - Open Source Home Theatre (arch-independent data package)
 kodi-eventclients-common - Open Source Home Theatre (Event Client Common package)
 kodi-eventclients-dev - Open Source Home Theatre (Event Client Dev package)
 kodi-eventclients-kodi-send - Open Source Home Theatre (Event Client Kodi-SEND package)
 kodi-eventclients-ps3 - Open Source Home Theatre (Event Client PS3 package)
 kodi-eventclients-wiiremote - Open Source Home Theatre (Event Client WII Remote support package
 kodi-repository-kodi - Open Source Home Theatre (official addons repository feed)
 xbmc       - transitional dummy package
 xbmc-addons-dev - transitional dummy package
 xbmc-bin   - transitional dummy package
 xbmc-eventclients-common - transitional dummy package
 xbmc-eventclients-dev - transitional dummy package
 xbmc-eventclients-ps3 - transitional dummy package
 xbmc-eventclients-wiiremote - transitional dummy package
 xbmc-eventclients-xbmc-send - transitional dummy package
Closes: 853476 877656
Changes:
 kodi (2:17.3+dfsg1-3) unstable; urgency=medium
 .
   * Fix set core configure options to all instances.
   * Set configure options --disable-maintainer-mode
     --disable-silent-rules (unused now but might be added in future).
   * Fix avoid custom build rule silencing.
   * Fix FTBFS: Build-depend on and build with gcc-6 and g++-6 (until
     bug#841556 is fixed).
     Closes: Bug#853476. Thanks to Matthias Klose and Bálint Réczey.
   * Modernize Vcs-* fields:
     + Use https (not git or http) protocol.
     + Use git (not gitweb) in path.
   * Use https in Homepage URL.
   * Add myself as uploader.
   * Add patch 18 to support omitting addon repository feed.
   * Ship repository feed in separate package kodi-repository-kodi.
     Closes: Bug#877656 (or arguably only lowers severity of it, but
     since we cannot track that versioned better to close and track the
     lowered severity separately).

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---