OSMC Security Update for OSMC 2017.04-1 and earlier


#1

Platforms affected:

A vulnerability [1] which could allow remote code execution when downloading subtitles from a remote server has been identified in Kodi. This vulnerability is considered critical.


This is a companion discussion topic for the original entry at https://osmc.tv/2017/05/osmc-security-update-for-osmc-2017-04-1-and-earlier/

#2

Thank you for this decision.


#3

I have just read about this vulnerability a couple of moments ago and, as a happy user of OSMC, came over to see when you are about to address this. Now even happier that it is sorted out. You are awesome! Thank you!


#4

My OSMC -> Updates -> Check for Updates will upgrade my OSMC to Krypton. How can I apply the security fix without upgrading OSMC? I’m using older version because it’s quite fast on RasPi.


#5

You can’t – this security fix requires Kodi Krypton, as the fix is in Kodi itself and the way ZIP traversal is handled.

Sam


#6

I just upgraded my Apple TV 1st Gen and now I get a sad face - please help


#8

Have you tried rebooting again? I got a sad face once, then it worked (RPi tho’)


#9

I had to follow these directions on my ATV1. These aren’t mine; they were in the ATV section.

If you EVER incorrectly shut down or reboot your ATV1, the boot partition will become Read-Only.
When that happens, the system will appear to operate normally until you need to update it. When you try updating it, it will fail because you cannot write to a Read-Only partition.

** Do you have OSMC installed in the internal HDD? **

To enable writing to the boot partition again, you need to ssh into osmc on your ATV1, and run the following commands:

sudo umount /boot
sudo fsck.hfsplus -f /dev/sda1
sudo mount -o force,rw /dev/sda1 /boot

Now that the partition is writable, you need to do the following commands to update the system.

sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot

Your system should then update and reboot.


** Do you have OSMC installed on USB, AND have an internal HDD in the ATV1? **


To enable writing to the boot partition again, you need to ssh into osmc on your ATV1, and run the following commands:

sudo umount /boot
sudo fsck.hfsplus -f /dev/sdb1
sudo mount -o force,rw /dev/sdb1 /boot

Now that the partition is writable, you need to do the following commands to update the system.

sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot

To try to prevent this from happening in the future, always use the shutdown and reboot menu within Kodi. (Unfortunately, if the system ever crashes or totally freezes, forcing you to unplug the power, you will need to fix it again.)


#10

Thanks for the fast work, Sam - nice one! You definitely don’t sleep on the job where security’s concerned 🙂


#11

I did the update manually.
But it’s still version Krypton 17.2.
And version 17.3 is the secure update version, I guess?


#12

Kodi v17.2 has the security fix included.
Kodi v17.3 will come soon, but it’s not needed to secure your device. As long as you have OSMC 2017.04-2 installed, your system is secure from this vulnerability.


#13

Many thanks!
I’m new at this…


#14

No problem. That’s why we’re here 🙂