Bug#693301: [Secure-testing-team] Bug#693301: MediaTomb always bind to all interfaces regardless of configuration settings
Yves-Alexis Perez
corsac at debian.org
Thu Nov 15 12:15:05 UTC 2012
Control: severity -1 important
On Thu, 2012-11-15 at 12:57 +0400, Vladimir Volovich wrote:
> Package: mediatomb-common
> Version: 0.12.1-4+b1
> Severity: critical
No need to over-estimate severity.
> File: /usr/bin/mediatomb
> Tags: security
>
> An attempt to force mediatomb to bind to a specific IP address (or interface) is
> ignored. E.g. I've tried to change the setting in /etc/default/mediatomb as
> follows:
> OPTIONS="-i 10.0.10.2"
>
> and mediatomb is started with the "-i 10.0.10.2" option:
>
> $ pgrep -a mediatomb
> 17000 /usr/bin/mediatomb -c /etc/mediatomb/config.xml -d -u mediatomb -g mediatomb -P /var/run/mediatomb.pid -l /var/log/mediatomb.log -i 10.0.10.2
>
> but it binds to all interfaces:
>
> $ sudo netstat -anp | grep mediatomb
> tcp 0 0 0.0.0.0:49152 0.0.0.0:* LISTEN 17000/mediatomb
> udp 0 0 0.0.0.0:1900 0.0.0.0:* 17000/mediatomb
> udp 0 0 127.0.0.1:39862 0.0.0.0:* 17000/mediatomb
>
> Apparently this has been reported upstream:
>
> http://sourceforge.net/tracker/?func=detail&aid=3039645&group_id=129766&atid=715780
>
> but this is not fixed. Could the debian team please fix this issue in the
> debian package, since it is obviously a security issue?
>
>
Is the feature supposed to be supported by mediatomb (and it doesn't
work) or is it not supported at all?
Regards,
--
Yves-Alexis
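
As an added example (not part of the original message, nor MediaTomb or Debian packaging code), the shell function below checks `netstat -anp` output like that quoted in the report for sockets a process holds outside its configured address. The function names, the sshd row and the second sample are constructed for illustration, and treating loopback binds as acceptable is an assumption.

```shell
#!/bin/sh
# check_binds EXPECTED_IP PROCESS_NAME   (hypothetical helper, added example)
# Reads `netstat -anp` lines on stdin, prints "<proto> <local address>" for
# every socket of PROCESS_NAME bound elsewhere than EXPECTED_IP, and returns 1
# if any were found. Assumption: loopback binds are considered acceptable.
# Live use: sudo netstat -anp | check_binds 10.0.10.2 mediatomb
check_binds() {
    awk -v want="$1" -v proc="$2" '
        # PID/program is the last column for both tcp and udp rows
        # (udp rows have no State column), e.g. "17000/mediatomb".
        $1 ~ /^(tcp|udp)/ && $NF ~ ("^[0-9]+/" proc "$") {
            ip = $4
            sub(/:[0-9*]+$/, "", ip)          # drop the port from Local Address
            if (ip == want || ip ~ /^127\./ || ip == "::1") next
            print $1, $4                      # wildcard or unexpected address
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Socket rows as quoted in the report (wrapped lines rejoined), plus one
# constructed sshd row to show that other processes are ignored.
sample_reported() {
    cat <<'EOF'
tcp 0 0 0.0.0.0:49152 0.0.0.0:* LISTEN 17000/mediatomb
udp 0 0 0.0.0.0:1900 0.0.0.0:* 17000/mediatomb
udp 0 0 127.0.0.1:39862 0.0.0.0:* 17000/mediatomb
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 812/sshd
EOF
}

# Constructed sample: the socket table if the -i option were honoured.
sample_honoured() {
    cat <<'EOF'
tcp 0 0 10.0.10.2:49152 0.0.0.0:* LISTEN 17000/mediatomb
udp 0 0 10.0.10.2:1900 0.0.0.0:* 17000/mediatomb
udp 0 0 127.0.0.1:39862 0.0.0.0:* 17000/mediatomb
EOF
}
```
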