A CVE has been assigned for a security issue in xbmc: http://openwall.com/lists/oss-security/2014/05/20/5 It doesn't sound like the most severe issue, but hopefully a fix can be included the next time you update xbmc. Reproducible: Steps to Reproduce:
CC: (none) => mageia
Whiteboard: (none) => MGA4TOO, MGA3TOO
Ping.
CC: (none) => mageia
http://trac.kodi.tv/ticket/15198 still not fixed upstream
CC: (none) => mageia
CVE: (none) => http://openwall.com/lists/oss-security/2014/05/20/5
Whiteboard: MGA4TOO, MGA3TOO => MGA4TOO MGA5TOO
Whiteboard: MGA4TOO MGA5TOO => MGA5TOO
Upstream bug has been wrongly closed as duplicate. Wrongly because the other bug was only about password being stored in plain text, not about what the CVE is about: that those files are world-readable. We need to check if they fixed the filemode since or let it as it.
Keywords: (none) => UPSTREAM
Priority: Normal => Low
Is there any possibility for a full kodi update from this bug?
CC: (none) => zombie_ryushu
I have checked, and this bug is still there on kodi-17.3. I'll check whether we could make the whole ~/.kodi not world readable.
CC: (none) => eatdirt
I have pushed a patch to kodi-17.3-8.mga6 adding a check and fixing to 700 the permission of the folder ~/.kodi containing the password files. So they are not world readable anymore. If you think this is enough, we could close this bug. Doing more would require seriously more work. For a test, check first the permissions of ~/.kodi, that should be 755. Start kodi ("kodi" from the command-line), you'll get a message saying that the permissions are fixed to 700. Quit kodi, check the permission of ~/.kodi, that should be 700. Start kodi again, no message appears on the command line, permissions stay at 700. Notice that if you have never used kodi before, the directory does not exist, it is created once kodi is running. In that case, the fix will occur the second time you start kodi. Cheers, Chris.
I think making ~/.kodi 700 is a really good solution. Thanks for doing that. Is there any way it could be made to create it that way in the first place? Then it'd be perfect. As one of our users has been reminding us lately on IRC, Mageia 5 could use a kodi update too (if possible), so let's not close this just yet.
I did not dig too much into the cpp code dealing with filesystem, but there is no obvious way to fix permissions in there. I have however improved the check/perms in the kodi starting script, so the permissions should be set to 700 after running kodi only once in all possible situations now (fix in kodi-17.3-9.mga6). I'll check if this version can be built on mga5.
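An added example of the kind of startup check described in the two comments above (it is not Mageia's actual /usr/bin/kodi wrapper script): it prints the same INFO lines the packaged fix does, tightens an existing ~/.kodi to 700, and also covers the first-run case by creating the directory with mode 700 up front. It assumes GNU stat (for `stat -c '%a'`) and is a constructed illustration.

```shell
#!/bin/sh
# Constructed example, not the Mageia package's own wrapper script.
# Assumes GNU coreutils stat for the octal-mode query.

# Return 0 (true) when the directory grants any permission to group or
# others, i.e. when the last two octal digits of its mode are non-zero.
is_world_readable() {
    mode=$(stat -c '%a' "$1") || return 1
    [ "$((mode % 100))" -ne 0 ]
}

# Ensure the directory in $1 exists and is mode 700 (owner-only).
# Creating it with mkdir -m 700 handles the first-run case where the
# program would otherwise create it with the default 755 umask result.
fix_kodi_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        mkdir -m 700 "$dir" || return 1
        return 0
    fi
    if is_world_readable "$dir"; then
        echo "INFO: $dir is world readable!"
        echo "INFO: switching to 700"
        chmod 700 "$dir" || return 1
    fi
    return 0
}

# Typical use from a launcher wrapper, before exec'ing the real binary:
#   fix_kodi_dir "${KODI_HOME:-$HOME/.kodi}"
```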
Easy check, answer is no way. We got kodi-14.0 on mga5, and kodi-17.3 cannot be built due to various missing packages and too old versions of libraries. I'll push a new version of kodi-14.0 to fix the ~/.kodi permissions though.
I have uploaded an updated package to version 14.0-2.2 for Mageia 5. Please test as is recommended in Comment 6.
Suggested advisory:
========================
Updated Kodi package to fix world readable $HOME/.kodi directory which could potentially contain clear passwords for add-ons.
Security vulnerability: CVE-2014-3800
References:
http://openwall.com/lists/oss-security/2014/05/20/5
========================
Updated packages in core/updates_testing:
========================
kodi-14.0-2.2.mga5
Source RPMs:
kodi-14.0-2.2.mga5.src.rpm
Assignee: anssi.hannula => qa-bugs
can we consider this fixed for cauldron ?
(In reply to Nicolas Lécureuil from comment #11) > can we consider this fixed for cauldron ? Yes
CC: (none) => wilcal.int
Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5
Naive question: the title cites 'xbmc' but the updated package is 'kodi'. If the latter is what this is about, can one change the title accordingly?
CC: (none) => lewyssmith
Yes.
Summary: xbmc new security issue CVE-2014-3800 => kodi new security issue CVE-2014-3800
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
x86_64 Mate - real hardware
Before update .kodi had 755 permissions.
After update:
$ kodi
INFO: /home/zack/.kodi is world readable!
INFO: switching to 700
Error: couldn't find RGB GLX visual or fbconfig
[zack@vega ~]$ ls -al | grep kodi
drwx------ 8 zack zack 4096 Jun 28 2016 .kodi/
Working fine.
CC: (none) => tarazed25
Whiteboard: advisory => advisory MGA5-64-OK
I'm just not having any issues with Kodi on M6
MGA5-32 on Asus A6000VM Xfce
Installation: in the mean time version 14.2-2 is on updates, so I installed all kodi packages of this version, no issues. I can play around with the menus in kodi, without doing anything useful. Tried to get tvheadend to be able to access my Sony DVR camera, but get into configuration problems with tvheadend. Spending way too much time on it. OK for me.
CC: (none) => herman.viaene
@Herman Thanks for looking at this. There was no need to waste time playing with kodi. The issue (Comment 10, Comment 15) was just one of directory permissions. If you see that $HOME/.kodi is no longer world readable, that = OK.
IMO this needs to be put to rest.
drwxr-xr-x 8 tester5 tester5 4096 jun 14 11:05 .kodi/
So it is readable to the world.
To Herman: did you actually start kodi?
@Chris You mean "Did I ever start Kodi": yes, see my Comment 17. Did I run Kodi at the time I checked the permissions: no. I tried now, made sure Kodi is running, then checked the permissions: the same.
Ok, then, please, give us the chain of actions you have done to check the permissions, the command you have used to start kodi, and eventually what was written on the terminal after kodi has been stopped. That would be required to debug. Thanks!
At CLI:
$ kodi
no feedback at that time
Used ALT-TAB to get back to the CLI (xfce-terminal) and on a second tab:
$ pwd
/home/tester5
$ ls -als
and in that list I see:
4 drwxr-xr-x 8 tester5 tester5 4096 jun 14 11:05 .kodi/
Closing kodi in its own menu system gives no feedback in its terminal, it just returns to the prompt, and permissions on .kodi do not change then.
ARG!! Could you enter this command and copy-paste the result?
rpm -qi kodi
And also, could you attach the content of:
/usr/bin/kodi
Thanks.
# rpm -qi kodi
Name        : kodi
Version     : 14.2
Release     : 2.mga5
Architecture: i586
Install Date: wo 14 jun 2017 11:04:28 CEST
Group       : Video/Players
Size        : 71466575
License     : GPLv2+ and GPLv2 and (LGPLv3+ with exceptions)
Signature   : RSA/SHA1, zo 26 jul 2015 08:30:52 CEST, Key ID b742fa8b80420f66
Source RPM  : kodi-14.2-2.mga5.src.rpm
Build Date  : zo 26 jul 2015 08:25:02 CEST
Build Host  : sucuk.mageia.org
Relocations : (not relocatable)
Packager    : buchan <buchan>
Vendor      : Mageia.Org
URL         : http://kodi.tv/
Summary     : Kodi - media player and home entertainment system
Description :
Kodi (formerly known as XBMC) is an award-winning free and open source software media player and entertainment hub for digital media. While Kodi functions very well as a standard media player application for your computer, it has been designed to be the perfect companion for your HTPC. Supporting an almost endless range of remote controls, and combined with its beautiful interface and powerful skinning engine, Kodi feels very natural to use from the couch and is the ideal solution for your home theater.
This is the stable version of Kodi from the Helix release branch.
Support for RAR files is not included due to license issues.
and contents of /usr/bin/kodi in attachment.
Created attachment 9418 [details] /usr/bin/kodi
(In reply to Herman Viaene from comment #27)
> # rpm -qi kodi
> Name : kodi
> Version : 14.2
> Release : 2.mga5
That's the current validated version but not the update candidate Herman, which is why you still reproduce the bug. The correction version would be kodi-14.2-2.2.mga5, see comment 10.
Source RPM: xbmc-13.0-1.mga5.src.rpm => kodi-14.0-2.mga5
@ Rémi
I hate to be picky, but Comment 10 refers to 14.0-2.2, but when I looked the first time at this bug, the repos already carried 14.2-2, thus a higher version. I see no kodi-14.2-2.2 in the repos now.
(In reply to Herman Viaene from comment #30)
> @ Rémi
> I hate to be picky, but Comment 10 refers to 14.0-2.2, but when I looked the
> first time at this bug, the repos already carried 14.2-2, thus a higher
> version. I see no kodi-14.2-2.2. in the repos now.
Sorry I misread the version number. You're testing the version in backports_testing (14.2), while this issue is about the updates_testing version (14.0-2):
14.2-2.mga5 // core-backports_testing (Mga, 5, x86_64)
14.0-2.2.mga5 // core-updates_testing (Mga, 5, x86_64)
14.0-2.mga5 // core-release (Mga, 5, x86_64)
So you need to downgrade (with `urpmi --downgrade kodi-14.0-2.2.mga5 --searchmedia "testing"`).
BTW that backport candidate should be either removed, or fixed similarly to the update candidate.
Let's remove this backport version, that's so confusing, I suspect all interested people in kodi are waiting mga6 and kodi-17 anyway.
Downgrading kodi does not change the existing .kodi folder, and uninstalling kodi does not remove the folder. I had to uninstall, manually remove the .kodi folder, install 14.0-2.2, then run kodi and then I get:
$ kodi
INFO: /home/tester5/.kodi is world readable!
INFO: switching to 700
and
4 drwx------ 8 tester5 tester5 4096 jun 17 16:13 .kodi/
If that is acceptable, OK for me.
Yes, that's fine, thank you Herman. Sorry for the confusion with all the versions around.
Whiteboard: advisory MGA5-64-OK => MGA5-64-OK MGA5-32-OK advisory
Running kodi after downgrading from the backports testing version to the updates testing version did change the permissions here ...
$ kodi &
[2] 11626
INFO: /home/dave/.kodi is world readable!
INFO: switching to 700
$ ll -a|grep kodi
drwx------ 8 dave dave 4096 Sep 7 2016 .kodi/
Validating the update.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0179.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED