Bug#693301: [Secure-testing-team] Bug#693301: MediaTomb always bind to all interfaces regardless of configuration settings

Vladimir Volovich vladimir.volovich at gmail.com
Thu Nov 15 12:48:43 UTC 2012


(sorry for the duplicate email - forgot to send a CC to bugs.debian.org)

On Thu, Nov 15, 2012 at 4:15 PM, Yves-Alexis Perez <corsac at debian.org> wrote:
> Control: severity -1 important
>
> On jeu., 2012-11-15 at 12:57 +0400, Vladimir Volovich wrote:
>> Package: mediatomb-common
>> Version: 0.12.1-4+b1
>> Severity: critical
>
> No need to over-estimate severity.

Critical is described as "makes unrelated software on the system (or
the whole system) break, or causes serious data loss, or introduces a
security hole on systems where you install the package."

I think that it falls into this category, since if I have mediatomb
running, it exposes its web interface to the public. Its web interface
is listening on port 49152 and if the system where mediatomb is
installed has an external IP, it exposes this web interface to anyone
on the internet, and I think it's a security hole.

So please change it back to critical, or explain why you think it is
not a security hole.

>> File: /usr/bin/mediatomb
>> Tags: security
>>
>> Attempt to force mediatomb to bind to a specific IP address (or interface) is
>> ignored. E.g. I've tried to change setting in /etc/default/mediatomb as
>> follows:
>> OPTIONS="-i 10.0.10.2"
>>
>> and mediatomb is started with the "-i 10.0.10.2" option:
>>
>> $ pgrep -a mediatomb
>> 17000 /usr/bin/mediatomb -c /etc/mediatomb/config.xml -d -u mediatomb -g
>> mediatomb -P /var/run/mediatomb.pid -l /var/log/mediatomb.log -i 10.0.10.2
>>
>> but it binds to all interfaces:
>>
>> $ sudo netstat -anp | grep mediatomb
>> tcp        0      0 0.0.0.0:49152           0.0.0.0:*               LISTEN
>> 17000/mediatomb
>> udp        0      0 0.0.0.0:1900            0.0.0.0:*
>> 17000/mediatomb
>> udp        0      0 127.0.0.1:39862         0.0.0.0:*
>> 17000/mediatomb
>>
>> Apparently this has been reported upstream:
>>
>> http://sourceforge.net/tracker/?func=detail&aid=3039645&group_id=129766&atid=715780
>>
>> but this is not fixed. Could the debian team please fix this issue in the
>> debian package, since it is obviously a security issue?
>>
>>
> Is the feature supposed to be supported by mediatomb (and it doesn't
> work) or is it not supported at all?

The feature is supposed to be supported by mediatomb, and it doesn't
work. The option --ip apparently has no effect at all. (And possibly
the same with the --interface option).

> Regards,
> --
> Yves-Alexis

Best wishes,
Vladimir
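A small audit script, added here as an illustration and not part of the bug report or of MediaTomb itself: it parses `netstat -anp` output in the form quoted above and reports every socket of a given program that is not bound to the address the daemon was configured with. The sample output is constructed from the three mediatomb lines in the report (re-joined onto single lines, since the mail wrapped the PID/program column) plus one unrelated loopback service; the program name and the expected address 10.0.10.2 are taken from the report. This is the check a maintainer or admin can run after restarting the daemon to confirm that an `-i`/`--ip` setting actually took effect.

```python
"""Audit listening sockets against the bind address a daemon was configured with.

Added example, not code from the bug report or from MediaTomb. It parses
`netstat -anp` style text and flags sockets of one program that listen on
a wildcard address (0.0.0.0 or ::) or on any address other than the one
expected, so a silently ignored bind option (as reported for `-i 10.0.10.2`)
shows up as a finding instead of going unnoticed.
"""
from dataclasses import dataclass

# Constructed sample: the mediatomb sockets quoted in the report, joined
# back onto single lines, plus an unrelated loopback-only service.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:49152           0.0.0.0:*               LISTEN      17000/mediatomb
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           17000/mediatomb
udp        0      0 127.0.0.1:39862         0.0.0.0:*                           17000/mediatomb
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      900/cupsd
"""

WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}


@dataclass(frozen=True)
class Socket:
    proto: str
    addr: str
    port: int
    pid: int
    program: str


def is_loopback(addr: str) -> bool:
    """Loopback sockets (127.x / ::1) are not reachable from other hosts."""
    return addr.startswith("127.") or addr == "::1"


def parse_netstat(text: str) -> list[Socket]:
    """Parse `netstat -anp` output into Socket records.

    Only tcp*/udp* lines that carry a numeric PID/program column are kept;
    header lines and sockets without owner info (non-root netstat) are skipped.
    """
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        # Local address is "addr:port"; rsplit keeps IPv6 wildcards like ":::49152" intact.
        addr, port = fields[3].rsplit(":", 1)
        owner = fields[-1]
        if "/" not in owner:
            continue
        pid, program = owner.split("/", 1)
        if not pid.isdigit() or not port.isdigit():
            continue
        sockets.append(Socket(fields[0], addr, int(port), int(pid), program))
    return sockets


def unexpected_bindings(sockets: list[Socket], program: str, expected_addr: str) -> list[Socket]:
    """Sockets of `program` that are neither on expected_addr nor loopback-only."""
    return [
        s for s in sockets
        if s.program == program and s.addr != expected_addr and not is_loopback(s.addr)
    ]


def audit(text: str, program: str, expected_addr: str) -> list[tuple[str, str, int]]:
    """Return (proto, addr, port) for every socket that violates the expected binding.

    Wildcard addresses are the important case: they mean the service is
    reachable on every interface, including any externally routable one.
    """
    findings = unexpected_bindings(parse_netstat(text), program, expected_addr)
    return [(s.proto, s.addr, s.port) for s in findings]


if __name__ == "__main__":
    for proto, addr, port in audit(SAMPLE_NETSTAT, "mediatomb", "10.0.10.2"):
        kind = "WILDCARD" if addr in WILDCARD_ADDRS else "unexpected"
        print(f"{kind}: mediatomb {proto} bound to {addr}:{port}, expected 10.0.10.2")
```

Run against real output by replacing `SAMPLE_NETSTAT` with the text of `sudo netstat -anp` (or a comparable `ss -lnp` listing, which needs its own column mapping); an empty result means every non-loopback socket of the daemon sits on the configured address, which is exactly what the report shows is not the case.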
