Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 536366 (CVE-2014-3800) - media-tv/kodi: Password disclosure vulnerability (CVE-2014-3800)
Summary: media-tv/kodi: Password disclosure vulnerability (CVE-2014-3800)
Status: IN_PROGRESS
Alias: CVE-2014-3800
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/xbmc/xbmc/issues/1...
Whiteboard: B3 [upstream cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-01-11 21:31 UTC by GLSAMaker/CVETool Bot
Modified: 2020-08-02 03:11 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2015-01-11 21:31:33 UTC
CVE-2014-3800 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3800):
  XBMC 13.0 uses world-readable permissions for .xbmc/userdata/sources.xml,
  which allows local users to obtain user names and passwords by reading this
  file.
Comment 1 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-11-26 09:46:23 UTC
Looks like the target fix is version 17.0...

@maintainer(s), can you confirm if this is resolved in the current beta?

http://trac.kodi.tv/ticket/15198
Comment 2 Thomas Deutschmann gentoo-dev Security 2016-12-08 18:48:40 UTC
Upstream hasn't fixed the problem yet. Milestone was only adjusted.
Comment 3 Michael Boyle 2017-06-13 02:29:46 UTC
@maintainer(s), can you confirm if this is resolved in the current? Are we safe to send to glsa?
Comment 4 Craig Andrews gentoo-dev 2017-06-13 14:22:22 UTC
This issue has not been resolved.
~/.kodi/userdata/sources.xml is still world readable so the CVE should still be open. I'm talking to upstream now to get them to address it.
Comment 5 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-03-24 01:37:55 UTC
(In reply to Craig Andrews from comment #4)
> This issue has not been resolved.
> ~/.kodi/userdata/sources.xml is still world readable so the CVE should still
> be open. I'm talking to upstream now to get them to address it.

Can this be fixed in post install?
Comment 6 Craig Andrews gentoo-dev 2019-03-24 14:36:05 UTC
(In reply to Aaron Bauman from comment #5)
> (In reply to Craig Andrews from comment #4)
> > This issue has not been resolved.
> > ~/.kodi/userdata/sources.xml is still world readable so the CVE should still
> > be open. I'm talking to upstream now to get them to address it.
> 
> Can this be fixed in post install?

Since the file in question is in the user's home directory, I can't think of how the ebuild could find it (since it doesn't know all the users and their home directories). Also, the file isn't created until the user runs Kodi, so even if the ebuild did know it would be, it wouldn't be there until first run.

I'm open to suggestions (and corrections, if I'm wrong, of course).
Comment 7 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-03-24 15:22:56 UTC
(In reply to Craig Andrews from comment #6)
> (In reply to Aaron Bauman from comment #5)
> > (In reply to Craig Andrews from comment #4)
> > > This issue has not been resolved.
> > > ~/.kodi/userdata/sources.xml is still world readable so the CVE should still
> > > be open. I'm talking to upstream now to get them to address it.
> > 
> > Can this be fixed in post install?
> 
> Since the file in question is in the user's home directory, I can't think of
> how the ebuild could find it (since it doesn't know all the users and their
> home directories). Also, the file isn't created until the user runs Kodi, so
> even if the ebuild did know it would be, it wouldn't be there until first
> run.
> 
> I'm open to suggestions (and corrections, if I'm wrong, of course).

Ah, sorry.  I should have read better :)
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2019-03-27 01:21:16 UTC
Maintainers, please confirm. The fix is probably in the tree long time ago.
Comment 9 John Helmert III gentoo-dev Security 2020-07-13 17:36:02 UTC
Ping. Maintainer, is this still a problem?
Comment 10 Craig Andrews gentoo-dev 2020-08-02 03:11:05 UTC
As far as I can tell, this issue is still a problem. I've reported the issue upstream at https://github.com/xbmc/xbmc/issues/18241