Bug#877656: kodi: supports insecure download of non-free addons

2017-10-04 Thread Jonas Smedegaard
Quoting IOhannes m zmölnig (2017-10-04 09:31:09)
> On Wed, 04 Oct 2017 03:08:17 +0200 Jonas Smedegaard  wrote:
> > Quoting Felipe Sateler (2017-10-04 00:32:21)
> > >
> > > I think your patch mainly addresses issue number 2, doesn't it? Fixing 
> > > issue 1 would require asking upstream to provide 
> > > https://mirrors.kodi.tv/addons/krypton/addons.xml.gz.md5 (and upgrade 
> > > to a better hash algorithm).
> > 
> > Uhm, my patch is the very window to not requiring upstream to solve the 
> > security issue: 
> 
> are you sure you wanted to say this?
> 
> for me it kind of implies that:
> - either all users of kodi use it only through the packages provided
> (and patched) by Debian.
> - or any other users are not affected by the security concerns of using
> http:// (e.g. because only the http-implementation provided by Debian is
> susceptible to mitm-attacks)
> - or all non-Debian users simply don't deserve a solution for that
> security fix.
> 
> i cannot agree with any of these points, and i do think that any bug
> with severity "grave" that is not specific to Debian should be forwarded
> to upstream to be solved there (well, actually *any* bug that is non
> Debian-specific, not just the grave ones).

You read me wrong.

My patch allows us to _fix_ this bug without coordinating with upstream.

My patch does not, however, relieve us of our duty to _inform_ upstream 
of the underlying bug that it fixes.

Felipe stated that _fixing_ the bug _requires_ us to involve upstream, 
and I disagree with (only) that.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers

Bug#877656: kodi: supports insecure download of non-free addons

2017-10-04 Thread IOhannes m zmölnig
On Wed, 04 Oct 2017 03:08:17 +0200 Jonas Smedegaard  wrote:
> Quoting Felipe Sateler (2017-10-04 00:32:21)
> >
> > I think your patch mainly addresses issue number 2, doesn't it? Fixing 
> > issue 1 would require asking upstream to provide 
> > https://mirrors.kodi.tv/addons/krypton/addons.xml.gz.md5 (and upgrade 
> > to a better hash algorithm).
> 
> Uhm, my patch is the very window to not requiring upstream to solve the 
> security issue: 

are you sure you wanted to say this?

for me it kind of implies that:
- either all users of kodi use it only through the packages provided
(and patched) by Debian.
- or any other users are not affected by the security concerns of using
http:// (e.g. because only the http-implementation provided by Debian is
susceptible to mitm-attacks)
- or all non-Debian users simply don't deserve a solution for that
security fix.

i cannot agree with any of these points, and i do think that any bug
with severity "grave" that is not specific to Debian should be forwarded
to upstream to be solved there (well, actually *any* bug that is non
Debian-specific, not just the grave ones).




Bug#877656: kodi: supports insecure download of non-free addons

2017-10-03 Thread Jonas Smedegaard
Quoting Felipe Sateler (2017-10-04 00:32:21)
> On Tue, Oct 3, 2017 at 7:04 PM, Jonas Smedegaard  wrote:
>> Quoting Felipe Sateler (2017-10-03 23:32:24)
>>> On Tue, Oct 3, 2017 at 5:49 PM, Jonas Smedegaard  wrote:
>>>> Kodi supports downloading and loading addons at runtime.
>>>>
>>>> Official addon feed is served only via http and contains non-free 
>>>> addons.
>>>>
>>>> Allowing to extend the system with non-free addons at runtime by 
>>>> default is arguably an anti-feature in itself.  Doing so insecurely 
>>>> poses a risk of malicious code getting into users' homes and being 
>>>> executed by Kodi.
>>>>
>>>> Attached patch relaxes to make addon feed optional.
>>>
>>> Making plugin feeds optional sounds good though.
>>
>> Right.
>>
>> I realize my choice of words might be confusing: feed is optional in 
>> code with the patch, meaning it won't fail to start if missing.  On 
>> the packaging level I however intend at first to have kodi 
>> _recommend_ the feed, so it will be pulled in by default - so until 
>> an alternative exists it is an "opt-out" not an "opt-in".
>
> BTW, I think there are two issues conflated here:
>
> 1. Insecure downloading of code
> 2. Non-free addons available by default.
>
> I think your patch mainly addresses issue number 2, doesn't it? Fixing 
> issue 1 would require asking upstream to provide 
> https://mirrors.kodi.tv/addons/krypton/addons.xml.gz.md5 (and upgrade 
> to a better hash algorithm).

Uhm, my patch is the very window to not requiring upstream to solve the 
security issue: When I can setup a curated service with DFSG-free parts, 
then (because my code will be released as Free software) you can setup a 
curated service of all parts.


 - Jonas



Bug#877656: kodi: supports insecure download of non-free addons

2017-10-03 Thread Felipe Sateler
On Tue, Oct 3, 2017 at 7:04 PM, Jonas Smedegaard  wrote:
> Quoting Felipe Sateler (2017-10-03 23:32:24)
>> On Tue, Oct 3, 2017 at 5:49 PM, Jonas Smedegaard  wrote:
>> > Package: kodi
>> > Version: 2:17.3+dfsg1-2
>> > Severity: grave
>>
>> This severity feels a bit inflated. After all, you can download and
>> run non-free programs using a web browser too!
>
> When you browse into , download scarycode.sh
> from there and execute it in a shell, then you are to blame if your foot
> gets blown away.
>
> If instead you open your media center, it automatically updates an addon
> but the http connection gets hijacked and redirected to
> http://evil.example.com/ where scarycode.sh instead gets loaded and
> blows off your foot, then I dare say not you but your media center is to
> blame.

Ah, this was key information I was missing (the automatic part).

>> > Tags: security upstream patch
>> > Justification: user security hole
>
> What severity would you use for user security hole?  Or do you disagree
> that using hardcoded http in an _internal_ interface is a user security
> hole?
>

No, I don't disagree. I just misunderstood.

>
>> > Kodi supports downloading and loading addons at runtime.
>> >
>> > Official addon feed is served only via http and contains non-free
>> > addons.
>> >
>> > Allowing to extend the system with non-free addons at runtime by
>> > default is arguably an anti-feature in itself.  Doing so insecurely
>> > poses a risk of malicious code getting into users' homes and being executed
>> > by Kodi.
>> >
>> > Attached patch relaxes to make addon feed optional.
>>
>> Making plugin feeds optional sounds good though.
>
> Right.
>
> I realize my choice of words might be confusing: feed is optional in
> code with the patch, meaning it won't fail to start if missing.  On the
> packaging level I however intend at first to have kodi _recommend_ the
> feed, so it will be pulled in by default - so until an alternative exists
> it is an "opt-out" not an "opt-in".

BTW, I think there are two issues conflated here:

1. Insecure downloading of code
2. Non-free addons available by default.

I think your patch mainly addresses issue number 2, doesn't it? Fixing
issue 1 would require asking upstream to provide
https://mirrors.kodi.tv/addons/krypton/addons.xml.gz.md5 (and upgrade
to a better hash algorithm).



-- 

Saludos,
Felipe Sateler

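The two issues Felipe separates above (insecure transport versus non-free content) have different fixes. As an added illustration of what closing the first one looks like on the client side, here is a small Python example that is not part of the bug report, the attached patch, or Kodi itself: it refuses a feed URL that is not https, verifies the downloaded `addons.xml.gz` against an expected digest with an allowlist that excludes MD5, and only then parses the feed. The feed URL host, the sample feed and the `fetch` callable are constructed stand-ins; Kodi's real feed format and update code are not modelled. Note the design point the thread implies but does not spell out: a digest file fetched over the same plain-http channel as the feed gives no protection against a hijacked connection, since whoever rewrites the feed can rewrite the digest too, so the expected digest here is treated as something obtained out of band (for example shipped in the package or signed).

```python
import gzip
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Callable, List
from urllib.parse import urlparse

# Digest algorithms accepted for feed verification. MD5 is deliberately
# absent: collisions are cheap, so an .md5 file only detects accidental
# corruption, not deliberate substitution.
ALLOWED_DIGESTS = {"sha256", "sha512"}


def digest_allowed(algorithm: str) -> bool:
    """True if `algorithm` is on the allowlist of collision-resistant hashes."""
    return algorithm in ALLOWED_DIGESTS


def check_feed_url(url: str) -> bool:
    """Accept only https:// URLs with a host; a hardcoded http:// feed fails here."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def verify_feed(feed_bytes: bytes, expected_hex: str, algorithm: str) -> bool:
    """Compare the feed's digest with the expected value in constant time."""
    if not digest_allowed(algorithm):
        raise ValueError(f"digest algorithm {algorithm!r} is not allowed")
    actual = hashlib.new(algorithm, feed_bytes).hexdigest()
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def addon_ids(feed_gz: bytes) -> List[str]:
    """Decompress a verified feed and list the addon ids it advertises."""
    root = ET.fromstring(gzip.decompress(feed_gz))
    return [a.get("id", "") for a in root.findall("addon")]


def load_feed(url: str, fetch: Callable[[str], bytes],
              expected_hex: str, algorithm: str = "sha256") -> List[str]:
    """Fetch, verify, then parse. `fetch` is injected so the example runs offline.

    The expected digest must come from a trusted, out-of-band source; if it
    were fetched over the same unauthenticated channel it would prove nothing.
    """
    if not check_feed_url(url):
        raise ValueError(f"refusing non-https feed URL: {url}")
    data = fetch(url)
    if not verify_feed(data, expected_hex, algorithm):
        raise ValueError("feed digest mismatch; refusing to load addons")
    return addon_ids(data)


# Constructed sample feed (not Kodi's real addons.xml.gz); mtime=0 keeps the
# gzip output deterministic so the digest below is stable.
SAMPLE_FEED_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<addons>
  <addon id="repository.example" version="1.0.0" name="Example repository"/>
  <addon id="plugin.video.example" version="0.1.0" name="Example plugin"/>
</addons>
"""
SAMPLE_FEED_GZ = gzip.compress(SAMPLE_FEED_XML, mtime=0)
SAMPLE_FEED_SHA256 = hashlib.sha256(SAMPLE_FEED_GZ).hexdigest()


def demo() -> List[str]:
    """Run the happy path against the constructed sample; returns addon ids."""
    return load_feed("https://feed.example.invalid/addons.xml.gz",
                     lambda _url: SAMPLE_FEED_GZ, SAMPLE_FEED_SHA256)


if __name__ == "__main__":
    print(demo())  # ['repository.example', 'plugin.video.example']
```

`load_feed` fails closed on either a non-https URL or a digest mismatch, which is the behaviour a media center that auto-updates addons needs: a hijacked connection then yields a refused update rather than executed code.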


Bug#877656: kodi: supports insecure download of non-free addons

2017-10-03 Thread Jonas Smedegaard
Quoting Felipe Sateler (2017-10-03 23:32:24)
> On Tue, Oct 3, 2017 at 5:49 PM, Jonas Smedegaard  wrote:
> > Package: kodi
> > Version: 2:17.3+dfsg1-2
> > Severity: grave
> 
> This severity feels a bit inflated. After all, you can download and
> run non-free programs using a web browser too!

When you browse into , download scarycode.sh 
from there and execute it in a shell, then you are to blame if your foot 
gets blown away.

If instead you open your media center, it automatically updates an addon 
but the http connection gets hijacked and redirected to 
http://evil.example.com/ where scarycode.sh instead gets loaded and 
blows off your foot, then I dare say not you but your media center is to 
blame.


> > Tags: security upstream patch
> > Justification: user security hole

What severity would you use for user security hole?  Or do you disagree 
that using hardcoded http in an _internal_ interface is a user security 
hole?


> > Kodi supports downloading and loading addons at runtime.
> >
> > Official addon feed is served only via http and contains non-free 
> > addons.
> >
> > Allowing to extend the system with non-free addons at runtime by 
> > default is arguably an anti-feature in itself.  Doing so insecurely 
> > poses a risk of malicious code getting into users' homes and being executed 
> > by Kodi.
> >
> > Attached patch relaxes to make addon feed optional.
> 
> Making plugin feeds optional sounds good though.

Right.

I realize my choice of words might be confusing: feed is optional in 
code with the patch, meaning it won't fail to start if missing.  On the 
packaging level I however intend at first to have kodi _recommend_ the 
feed, so it will be pulled in by default - so until an alternative exists 
it is an "opt-out" not an "opt-in".


> > I intend to move the addons feed configuration file to a separate 
> > package "kodi-repository-kodi" and, at first, ship that package in 
> > main recommended by kodi.
> >
> > Later when an alternate package "kodi-repository-curated" is 
> > available¹, I intend to favor that over kodi-repository-kodi and 
> > move the latter to contrib.
> 
> I don't think moving to contrib makes sense. Either the package fits 
> the requirements for main or it doesn't.
> 
> I don't think this package should go in contrib, as it doesn't *need* 
> any software not available in main. So it should not be moved there.

Whoops, that final part was not meant to be sent: I agree package being 
insecure is not a reason to move it to contrib (I got distracted by that 
other political aspect which we are not in consensus about).


 - Jonas


Bug#877656: kodi: supports insecure download of non-free addons

2017-10-03 Thread Felipe Sateler
On Tue, Oct 3, 2017 at 5:49 PM, Jonas Smedegaard  wrote:
> Package: kodi
> Version: 2:17.3+dfsg1-2
> Severity: grave

This severity feels a bit inflated. After all, you can download and
run non-free programs using a web browser too!

> Tags: security upstream patch
> Justification: user security hole
>
> Kodi supports downloading and loading addons at runtime.
>
> Official addon feed is served only via http and contains non-free addons.
>
> Allowing to extend the system with non-free addons at runtime by default
> is arguably an anti-feature in itself.  Doing so insecurely poses a risk
> of malicious code getting into users' homes and being executed by Kodi.
>
> Attached patch relaxes to make addon feed optional.

Making plugin feeds optional sounds good though.

>
> I intend to move the addons feed configuration file to a separate
> package "kodi-repository-kodi" and, at first, ship that package in main
> recommended by kodi.
>
> Later when an alternate package "kodi-repository-curated" is available¹,
> I intend to favor that over kodi-repository-kodi and move the latter to
> contrib.

I don't think moving to contrib makes sense. Either the package fits
the requirements for main or it doesn't.

I don't think this package should go in contrib, as it doesn't *need*
any software not available in main. So it should not be moved there.


Bug#877656: kodi: supports insecure download of non-free addons

2017-10-03 Thread Jonas Smedegaard
Package: kodi
Version: 2:17.3+dfsg1-2
Severity: grave
Tags: security upstream patch
Justification: user security hole

Kodi supports downloading and loading addons at runtime.

Official addon feed is served only via http and contains non-free addons.

Allowing to extend the system with non-free addons at runtime by default
is arguably an anti-feature in itself.  Doing so insecurely poses a risk
of malicious code getting into users' homes and being executed by Kodi.

Attached patch relaxes to make addon feed optional.

I intend to move the addons feed configuration file to a separate
package "kodi-repository-kodi" and, at first, ship that package in main
recommended by kodi.

Later when an alternate package "kodi-repository-curated" is available¹,
I intend to favor that over kodi-repository-kodi and move the latter to
contrib.

 - Jonas


¹ I am setting up a web service "addons.debian.net" which (among other
things) will provide a curated feed of Kodi plugins, filtered to list
only DFSG-free addons.

Description: Support omitting addons repository feed
 Upstream official addon repository feed contains non-free addons.
 .
 Extending the system at runtime is arguably an anti-feature -
 either for political reasons or due to security risks.
 .
 This patch makes it possible to omit the addons repository feed.
Author: Jonas Smedegaard 
Last-Update: 2017-10-03
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/system/addon-manifest.xml
+++ b/system/addon-manifest.xml
@@ -21,7 +21,7 @@
   metadata.local
   metadata.themoviedb.org
   metadata.tvdb.com
-  repository.xbmc.org
+  repository.xbmc.org
   resource.images.weathericons.default
   resource.language.en_gb
   resource.uisounds.kodi
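Review bot: the removed and added lines of this hunk are textually identical as shown (`-  repository.xbmc.org` / `+  repository.xbmc.org`), so the actual change to the manifest entry cannot be verified from the hunk; the XML element and any attribute on it appear to have been lost between the patch and this copy. The DEP-3 description should say what is changed on the repository.xbmc.org entry (which attribute or markup makes the entry omittable), so a reviewer can confirm the manifest still loads when the repository addon is absent, as the description claims. Also worth stating in the description: the hunk touches only system/addon-manifest.xml and leaves the feed's http transport as it is, which is consistent with Felipe's reading in the thread that this patch addresses "non-free addons available by default" rather than "insecure downloading of code"; the "security risks" wording in the header should not be read as fixing the latter.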