[Pkg-kde-extras] Bug#763423: kphotoalbum: Android support is great - but it has *no security*

Mark Eichin eichin at thok.org
Tue Sep 30 06:30:38 UTC 2014 

Package: kphotoalbum
Version: 4.5-1
Severity: normal

Just got the popup about trying the Android app, which acts as a remote
for the client, and I tried it and it worked... with *no access control*
or even a popup...

lsof confirms that kphotoalbum is just listening on a port:

kphotoalb 29586 eichin   25u  IPv4            1687321      0t0      UDP *:23455 

https://www.youtube.com/watch?v=TxtD7BG61Ro at +9m10s describes how to
turn it off, and there's a tiny button on the bottom of the screen to
turn it off.

I couldn't find a specific reference in the policy guide asserting that
things like this should be closed-by-default, but it just seems
obvious...

main.cpp has
    options.add("nolisten-network", ki18n( "Don't start listening for android devices on startup." ));

which is backwards - and looking a little bit more (and experimenting)
confirms that it doesn't *stay* off, it doesn't save the user's choice
to the config file.

Probably should be a higher severity than "normal" but I haven't
explored quite far enough to confirm that there really is no way to
cleanly leave it off.  It's a very nice feature, it's just not in any
way safe to have turned on by default...


-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages kphotoalbum depends on:
ii  kde-runtime        4:4.14.1-1
ii  libc6              2.19-11
ii  libexiv2-13        0.24-4
ii  libgcc1            1:4.9.1-15
ii  libjpeg8           8d1-1
ii  libkdcraw23        4:4.14.0-1
ii  libkdecore5        4:4.14.1-1
ii  libkdeui5          4:4.14.1-1
ii  libkio5            4:4.14.1-1
ii  libkipi11          4:4.13.3-1
ii  libphonon4         4:4.8.0-1
ii  libqt4-dbus        4:4.8.6+git64-g5dc8b2b+dfsg-2
ii  libqt4-network     4:4.8.6+git64-g5dc8b2b+dfsg-2
ii  libqt4-sql         4:4.8.6+git64-g5dc8b2b+dfsg-2
ii  libqt4-sql-sqlite  4:4.8.6+git64-g5dc8b2b+dfsg-2
ii  libqt4-xml         4:4.8.6+git64-g5dc8b2b+dfsg-2
ii  libqtcore4         4:4.8.6+git64-g5dc8b2b+dfsg-2
ii  libqtgui4          4:4.8.6+git64-g5dc8b2b+dfsg-2
ii  libstdc++6         4.9.1-15
ii  mplayer2           2.0-728-g2c378c7-2+b2
ii  perl               5.20.1-1
ii  phonon             4:4.8.0-1

Versions of packages kphotoalbum recommends:
pn  khelpcenter4  <none>
ii  kipi-plugins  4:4.1.0-1+b2
ii  libav-tools   6:11-1

kphotoalbum suggests no packages.

-- no debconf information

More information about the pkg-kde-extras mailing list