LibreELEC and Kodi 17.2 Security Patch

  • Is there any work being done to Release LibreELEC with Kodi 17.2? I have been reading about a major security hole in Kodi 17.1 and below.

    I'm currently running two Asus Chromeboxes with LibreELEC 8.0.1

    • Official Post

    I hope you're not calling us lazy... ;)

    Apparently Kodi 17.3 is also on the way, so we're waiting on that for now. Not to mention the other stuff that needs to be implemented and tested.

  • I hope you're not calling us lazy... ;)

    Apparently Kodi 17.3 is also on the way, so we're waiting on that for now. Not to mention the other stuff that needs to be implemented and tested.

    With all due respect, are you just going to completely ignore the massive security implications and do absolutely nothing until 17.3 is out and tested? That leaves users absolutely vulnerable for god knows how long. I know making a system isn't a cut and paste job, but this is honestly irresponsible.

    • Official Post

    With all due respect, are you just going to completely ignore the massive security implications and do absolutely nothing until 17.3 is out and tested? That leaves users absolutely vulnerable for god knows how long. I know making a system isn't a cut and paste job, but this is honestly irresponsible.

    Feel free to build LibreELEC yourself if you are that concerned. All the code is public.

    In the meantime I'd advise not downloading any unknown zip files ;)

  • Feel free to build LibreELEC yourself if you are that concerned. All the code is public.

    In the meantime I'd advise not downloading any unknown zip files ;)

    I mean, I personally am not concerned since I know about the issue. But all the other users who don't are vulnerable. I would at least consider a blog post as a warning. Between the "hardcoded" SSH password and handling of this, I am concerned about LibreELEC's stance on user security, honestly.

    Edit: Just to clarify, I'm not expecting people to work around the clock on a free project for me. I just think the issue should be handled differently. Let at least a part of your userbase know via blog posts, forum announcements, etc. You may be the biggest distro for RPi devices; I think it's very important to take issues like this very seriously.

    Edited once, last by TerminalBlue (May 24, 2017 at 10:28 PM).

    • Official Post

    We have to balance the importance of the security update against the ignorance of our userbase. The breakage issues with 17.2 that result in 17.3 mostly don't concern us so we could ship something quickly, but then there are tens of thousands of users who will whine and moan like crazy if we give them 17.2 once 17.3 is available. So for the sake of waiting 12h while Kodi fix the 17.2 issues, we'll wait. Meanwhile it's 4.40am here and I'll get back to building test releases so we can move quickly once things are merged upstream so that "but you're not treating it seriously" whiny folk can get off our case and go back to polishing their tin foil hats.

  • Is there a workaround that I can use? I am quite happy with the build I am on. Is disabling subtitles enough?

    Mostly enough.

    The Kodi flaw (which is different than the VLC flaw) is called a directory traversal.

    Any evil zip file Kodi downloads could have a directory traversal. For example, a subtitles file or a video addon.

    The subtitles thing is a problem because subtitles are just text. Evil subtitles shouldn't be able to compromise the system.

    For video addons it's not as big a problem, because you already shouldn't be downloading evil video addons. Video addons contain code, so you always need to trust them.
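    To make the directory-traversal class of bug described above concrete (an added example, not Kodi's or LibreELEC's code): a small Python check that refuses zip members whose names would escape the extraction directory, run against a constructed archive with one ordinary subtitle entry and one entry that tries to climb out. The same `unsafe_entries()` check can be pointed at any downloaded archive before it is opened, which is one way to act on the "scan for zip files" idea raised later in the thread. All file names and contents below are made up for the demonstration.

```python
import io
import os
import tempfile
import zipfile

def is_safe_member(name: str) -> bool:
    """Return False for zip entry names that could land outside the extraction directory."""
    norm = name.replace("\\", "/")          # archives built on Windows may use backslashes
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return False                         # absolute POSIX path or Windows drive letter
    parts = [p for p in norm.split("/") if p not in ("", ".")]
    return ".." not in parts                 # any '..' component is refused, even one that would resolve inside

def unsafe_entries(zip_bytes: bytes) -> list:
    """List the member names in an archive that fail the traversal check (scan only, nothing is written)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not is_safe_member(n)]

def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Extract only members whose resolved target stays under dest; return the names that were refused."""
    dest_real = os.path.realpath(dest)
    rejected = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            # Belt and braces: the name check plus a check on the fully resolved path.
            if not is_safe_member(info.filename) or os.path.commonpath([dest_real, target]) != dest_real:
                rejected.append(info.filename)
                continue
            zf.extract(info, dest_real)
    return rejected

def build_sample_zip() -> bytes:
    """Constructed test archive: one ordinary subtitle file and one entry that tries to climb out."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("good.srt", "1\n00:00:01,000 --> 00:00:02,000\nhello\n")
        zf.writestr("../escaped.srt", "must never be written outside dest\n")
    return buf.getvalue()

def demo() -> dict:
    """Scan and extract the constructed archive in a temporary directory; report the outcome."""
    data = build_sample_zip()
    with tempfile.TemporaryDirectory() as dest:
        rejected = safe_extract(data, dest)
        extracted = sorted(os.listdir(dest))
    return {"unsafe": unsafe_entries(data), "rejected": rejected, "extracted": extracted}
```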

  • Is there a workaround that I can use? I am quite happy with the build I am on. Is disabling subtitles enough?

    Just don't use an automatic subtitle downloader add-on.

    Edited once, last by trent: seems to be more of an unzip exploit (May 25, 2017 at 11:14 AM).

  • How do I know if my system has already been compromised?

    In general it's difficult to prove a system hasn't been compromised, given that malware can hide itself.

    But don't worry. This wasn't a "zero day". So unless your system starts acting weirdly, you can probably assume you're safe.

  • Feel free to build LibreELEC yourself if you are that concerned. All the code is public.

    In the meantime I'd advise not downloading any unknown zip files ;)

    It's rude to suggest that users build it themselves while you yourself know how hard it is for an inexperienced user to build. Team LibreELEC and Team Kodi need to care more about security issues. For now it's like: "I don't care about your issues, take care of it yourself!". Remember you have a responsibility.

    • Official Post

    LibreELEC is not just about the Kodi application; it needs to fit various types of hardware. It's very preferable to release LE 8.0.2 for all officially supported devices. Not doing so creates different problems, amongst others "Why is LE 8.0.2 released for that device, and not for 'my device'?".

    So doing another LE release after a Kodi release takes a bit of time. Kodi 17.3 was issued... May 25th. People are yelling for LE 8.0.2.

    LibreELEC 8.0.2 with Kodi 17.3 is currently being tested. What is today's date again?

  • Understood.

    In the meantime, what can we do to protect ourselves? Will disabling subtitles and disabling subtitle-download addons be sufficient?

    I suppose that scanning the library for *.zip files and removing them would be prudent as well?

    Thanks in advance.