CVE-2014-3800 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3800): XBMC 13.0 uses world-readable permissions for .xbmc/userdata/sources.xml, which allows local users to obtain user names and passwords by reading this file.
Looks like the target fix is version 17.0... @maintainer(s), can you confirm if this is resolved in the current beta? http://trac.kodi.tv/ticket/15198
Upstream hasn't fixed the problem yet. Milestone was only adjusted.
@maintainer(s), can you confirm if this is resolved in the current? Are we safe to send to glsa?
This issue has not been resolved. ~/.kodi/userdata/sources.xml is still world readable so the CVE should still be open. I'm talking to upstream now to get them to address it.
(In reply to Craig Andrews from comment #4)
> This issue has not been resolved.
> ~/.kodi/userdata/sources.xml is still world readable so the CVE should still
> be open. I'm talking to upstream now to get them to address it.

Can this be fixed in post install?
(In reply to Aaron Bauman from comment #5)
> (In reply to Craig Andrews from comment #4)
> > This issue has not been resolved.
> > ~/.kodi/userdata/sources.xml is still world readable so the CVE should still
> > be open. I'm talking to upstream now to get them to address it.
>
> Can this be fixed in post install?

Since the file in question is in the user's home directory, I can't think of how the ebuild could find it (since it doesn't know all the users and their home directories). Also, the file isn't created until the user runs Kodi, so even if the ebuild did know it would be, it wouldn't be there until first run.

I'm open to suggestions (and corrections, if I'm wrong, of course).
(In reply to Craig Andrews from comment #6)
> (In reply to Aaron Bauman from comment #5)
> > (In reply to Craig Andrews from comment #4)
> > > This issue has not been resolved.
> > > ~/.kodi/userdata/sources.xml is still world readable so the CVE should still
> > > be open. I'm talking to upstream now to get them to address it.
> >
> > Can this be fixed in post install?
>
> Since the file in question is in the user's home directory, I can't think of
> how the ebuild could find it (since it doesn't know all the users and their
> home directories). Also, the file isn't created until the user runs Kodi, so
> even if the ebuild did know it would be, it wouldn't be there until first
> run.
>
> I'm open to suggestions (and corrections, if I'm wrong, of course).

Ah, sorry. I should have read better :)
Maintainers, please confirm. The fix has probably been in the tree for a long time.
Ping. Maintainer, is this still a problem?
As far as I can tell, this issue is still a problem. I've reported the issue upstream at https://github.com/xbmc/xbmc/issues/18241