If you have seen a notification about an update for Kodi to fix security concerns, or use subtitles in Kodi or a similar application, this post details the changes you may need to make to ensure your mini home theatre PC or other gadget is secure.
Kodi 17.3 has been released today in quick succession to 17.2.
Although 17.2 addressed the concerns raised over security, it introduced some minor bugs, which 17.3 addresses:
Fixed missing binary add-ons on release time
Fixed crash on older distros like Ubuntu 14.04 with GCC 4.8 compiler
Some code within VLC (some of which is used within Kodi) has been found to not be properly sandboxed. If a maliciously malformed subtitle file is loaded, the attacker could theoretically gain access to other areas of your Android device.
In itself, this is by no means the worst news we have in this world right now, but an insecure device on your network could be a staging point for reaching other, more sensitive devices in your home.
If you never use subtitles when watching video streams (nor see them appear automatically most of the time), there is not a pressing need to update immediately.
Kodi 17 (Krypton)
If you currently use subtitles in version 17.0 or 17.1, either disable them entirely or at least disable automatic download. To do this, click the Settings icon (a cog) on Kodi’s homescreen, then click on the Player entry. Now select the Language area and make sure “Auto download first subtitle” is not enabled.
To continue to use subtitles, you can update to Kodi 17.3 via Google’s Play Store or directly via an APK file from https://www.apkmirror.com/apk/xbmc-foundation/kodi/kodi-17-3-release/.
If either approach does not allow the update to occur, return to the Play Store and click the Uninstall button. Once this completes, press the Install button.
You can check which version of Kodi Krypton you are currently running by clicking the System shortcut (an icon of a cog) on Kodi’s homescreen, then clicking the System Information entry.
Kodi Jarvis (16) or earlier in Android, or DBMC (DroiX Media Centre), SPMC, Kodi in LibreELEC 7 or 8, OpenELEC 6
If you use subtitles, disable them for now. Check with the application author for an update released in late May at the earliest.
If you run Kodi 16.1 or earlier in Android, check the Play Store for updates. If your device has Android 4 (KitKat), please see Get Kodi 17 (Krypton) On Android 4 Devices! for details about Kodi 17 alternatives (as Krypton/17 requires Android 5 or higher).
Check the linked threads for FTMC and Mygica updates that fix the subtitle security issue.
DBMC users will need to switch to Kodi or the applications mentioned in the previous link if they need to use subtitles. Once SPMC is updated, we hope to be able to bring out an updated DroiX Media Centre as well. If you are happy to continue to use DBMC without subtitles, please click the System menu, then Add-ons, then My Add-ons or Installed Add-ons, then Subtitles. Long-click on each of the installed services, select Info and then click Uninstall.
OpenELEC and LibreELEC 7 users can either switch to Android or disable subtitles (System, Add-ons, My Add-ons or Installed Add-ons, Subtitles, long-click on the installed services, select Info and then click Uninstall).
If compatible updates are released for either operating system, we will post the news here on this blog.
SPMC, FTMC, Mygica
Check the threads linked here for any FTMC and Mygica updates that fix the subtitle security issue.