Bug#693301: [Secure-testing-team] Bug#693301: MediaTomb always bind to all interfaces regardless of configuration settings

Vladimir Volovich vladimir.volovich at gmail.com
Thu Nov 15 18:14:36 UTC 2012


On Thu, Nov 15, 2012 at 5:33 PM, Yves-Alexis Perez <corsac at debian.org> wrote:
> On jeu., 2012-11-15 at 16:48 +0400, Vladimir Volovich wrote:
>> (sorry for the duplicate email - forgot to send a CC to bugs.debian.org)
>>
>> On Thu, Nov 15, 2012 at 4:15 PM, Yves-Alexis Perez <corsac at debian.org> wrote:
>> > Control: severity -1 important
>> >
>> > On jeu., 2012-11-15 at 12:57 +0400, Vladimir Volovich wrote:
>> >> Package: mediatomb-common
>> >> Version: 0.12.1-4+b1
>> >> Severity: critical
>> >
>> > No need to over-estimate severity.
>>
>> Critical is described as "makes unrelated software on the system (or
>> the whole system) break, or causes serious data loss, or introduces a
>> security hole on systems where you install the package."
>>
>> I think that it falls into this category, since if I have mediatomb
>> running, it exposes its web interface to the public. Its web interface
>> is listening on port 49152 and if the system where mediatomb is
>> installed has an external IP, it exposes this web interface to anyone
>> on the internet, and I think it's a security hole.
>>
>> So please change it back to critical, or explain why you think it is
>> not a security hole.
>
> Well, by itself this is not a security bug, unless the interface itself
> is buggy. I agree it might not be a good idea to expose this to
> everyone, and we usually prefer to not bind on all interfaces when
> possible, but that doesn't make it a security hole.

Well, mediatomb's web interface allows at least browsing the
filesystem and possibly accessing any file readable by the mediatomb
user, which the unsuspecting mediatomb user might not be even aware
of, especially if he naively created the config to bind mediatomb to a
local address (and this setting is plainly ignored)...

>> > Is the feature supposed to be supported by mediatomb (and it doesn't
>> > work) or is it not supported at all?
>>
>> The feature is supposed to be supported by mediatomb, and it doesn't
>> work. The option --ip apparently has no effect at all. (And possibly
>> the same with the --interface option).
>>
> Thanks.
> --
> Yves-Alexis
>
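The report hinges on one observable fact: the daemon's port 49152 ends up bound to a wildcard address (0.0.0.0 or [::]) even when a specific address was configured. The following shell snippet is an added example, not part of this bug report or of MediaTomb itself; it checks that fact from `ss -ltn`-style listening-socket lines. The sample lines are constructed to mirror `ss -H -ltn` output (assumed column order: State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port); on a live host you would pipe real `ss` output in instead.

```shell
#!/bin/sh
# Added example (not MediaTomb code, not from the bug report): report whether
# the listener on a given TCP port is bound to a wildcard address.
#
# Assumed input format: lines as printed by `ss -H -ltn`, i.e.
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
# A header line (from `ss -ltn` without -H) is harmless: its 4th column
# has no trailing ":<port>" and is skipped.

# Constructed sample, standing in for `ss -H -ltn` on a host where the
# UPnP/web interface listens on 49152 on all interfaces (v4 and v6),
# while two other services are bound to specific addresses.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 10 0.0.0.0:49152 0.0.0.0:*
LISTEN 0 10 [::]:49152 [::]:*
LISTEN 0 128 192.168.1.10:8080 0.0.0.0:*'

# bound_addrs PORT: read ss-style lines on stdin, print the local address
# of every listener on PORT, one per line.
bound_addrs() {
    awk -v port="$1" '
        {
            la = $4
            # Split at the LAST colon: IPv6 addresses such as [::] contain colons.
            i = match(la, /:[0-9]+$/)
            if (i == 0) next
            addr = substr(la, 1, i - 1)
            p = substr(la, i + 1)
            if (p == port) print addr
        }'
}

# wildcard_bind PORT: exit 0 if any listener on PORT is bound to a wildcard
# address (0.0.0.0, *, or [::]), exit 1 otherwise.  Reads ss-style lines
# on stdin.
wildcard_bind() {
    bound_addrs "$1" | grep -qxE '0\.0\.0\.0|\*|\[::\]'
}

# Stand-alone run against the constructed sample: 49152 is flagged,
# 8080 (bound to 192.168.1.10 only) is not.
if printf '%s\n' "$SAMPLE_SS" | wildcard_bind 49152; then
    echo "port 49152: bound to a wildcard address (exposed on all interfaces)"
else
    echo "port 49152: bound to specific address(es) only"
fi
```

On a real system the same check is `ss -H -ltn | wildcard_bind 49152` (or `ss -ltn`, since the header line is skipped); a non-zero exit means the port is confined to the configured address, which is what a working `--ip`/`--interface` setting should produce.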