how to find out if you were hit by it?
I also came in to try and make sense of this. I read the news on The Register.
https://www.theregister.co.uk/2017/05/23...es_return/
Little video on there shows how it works in both VLC and KODI
In the comments (
https://forums.theregister.co.uk/forum/1...es_return/ ) someone pointed out the issue is caused by the subtitles being downloaded in a zip file. When the zip file is unpacked there is no check on a directory traversal. So a file can be unpacked as ../blah putting it in the directory above. I assume this then is how they drop their payload they want to run.
So... for now, manually download your subs and check the zip file. Inside the zip should just be text files you can check in Notepad.
I don't know if this is a bug in the subtitles addon, or in the zip file unpacker. Or a bit of both.
Anybody see this article? According to this article
https://www.helpnetsecurity.com/2017/05/...itle-hack/
there is an updated fixed version of Kodi that prevents remote control access to your Kodi box. Is it posted yet on this website? How can I tell if I have a patched version?
Thanks for the info.
Moved to subtitle forum and merged into existing thread on same topic.
Came here after fumbling my way around the forums a bit and glad to see this subtitle vulnerability is fixed in 17.2
So great work seeing this fix so quickly
I first looked under "Kodi related discussions" thinking it was a logical place to start my search and quickly found the closed thread
Booby trapped subtitles.
However
Martijn's answer within Booby trapped subtitles points to a dead link.
Same
here.
I guess this is a result of the merge and move of this thread
To help others find this thread more easily, maybe a moderator (or Martijn himself if he has required privileges) can please fix the above links to point to this thread
Your welcome
Please note i just edited my post to include another dead link that needs updating, specifically
this one.
Thanks. That'll teach me to clean things up... I didn't want 20 different threads floating around the forum about the same thing so decided to start merging. Missed a couple!!
Nothing wrong with a single post threads under various forums with one answer pointing to a main thread in an appropriate forum to discussing the issue in depth.
After all it makes it easier for people to find 'the one and only thread' that contains that main discussion.
Your achieved just that and 2/20 isn't too bad a hit rate
Thanks for your efforts
Hi! I just wanted to say that I think having security fixes only for the latest release might not be the best course of action.
I understand not updating old releases with new features, totally. But not having security fixes risks leaving many, many people exposed for a variety of reasons.
I hope this decision can be changed. Thanks.
PS: I don't know how "easy" fix's implementation would be for previous releases.