Bug#693301: [Secure-testing-team] Bug#693301: MediaTomb always bind to all interfaces regardless of configuration settings

Yves-Alexis Perez corsac at debian.org
Thu Nov 15 13:33:04 UTC 2012


On Thu., 2012-11-15 at 16:48 +0400, Vladimir Volovich wrote:
> (sorry for the duplicate email - forgot to send a CC to bugs.debian.org)
> 
> On Thu, Nov 15, 2012 at 4:15 PM, Yves-Alexis Perez <corsac at debian.org> wrote:
> > Control: severity -1 important
> >
> > On Thu., 2012-11-15 at 12:57 +0400, Vladimir Volovich wrote:
> >> Package: mediatomb-common
> >> Version: 0.12.1-4+b1
> >> Severity: critical
> >
> > No need to over-estimate severity.
> 
> Critical is described as "makes unrelated software on the system (or
> the whole system) break, or causes serious data loss, or introduces a
> security hole on systems where you install the package."
> 
> I think that it falls into this category, since if I have mediatomb
> running, it exposes its web interface to the public. Its web interface
> is listening on port 49152 and if the system where mediatomb is
> installed has an external IP, it exposes this web interface to anyone
> on the internet, and I think it's a security hole.
> 
> So please change it back to critical, or explain why you think it is
> not a security hole.

Well, by itself this is not a security bug, unless the interface itself
is buggy. I agree it might not be a good idea to expose this to
everyone, and we usually prefer to not bind on all interfaces when
possible, but that doesn't make it a security hole.

> > Is the feature supposed to be supported by mediatomb (and it doesn't
> > work) or is it not supported at all?
> 
> The feature is supposed to be supported by mediatomb, and it doesn't
> work. The option --ip apparently has no effect at all. (And possibly
> the same with the --interface option).
> 
Thanks.
-- 
Yves-Alexis
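One way to confirm the behaviour described in this report on a running host, as an added example that is not part of the thread: a POSIX sh check that reads `ss -ltnH` output and flags a TCP port (here 49152, the MediaTomb web interface port named above) bound to the wildcard address instead of a single interface. The `ss` lines embedded below are constructed samples, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the bug report or the mediatomb package.
# Reads `ss -ltnH`-style lines (State Recv-Q Send-Q Local Peer) on stdin,
# prints how PORT is bound and returns 1 if any listener on PORT uses a
# wildcard address (0.0.0.0, [::] or *), i.e. is exposed on every interface.
check_wildcard_bind() {
    port="$1"
    status=0
    while read -r _state _recvq _sendq laddr _peer _rest; do
        # Split "addr:port" on the last colon so IPv6 forms like [::]:49152 work.
        lport="${laddr##*:}"
        addr="${laddr%:*}"
        [ "$lport" = "$port" ] || continue
        case "$addr" in
            0.0.0.0|'[::]'|'*')
                echo "WARN: port $port bound to all interfaces ($addr)"
                status=1 ;;
            *)
                echo "ok: port $port bound to $addr" ;;
        esac
    done
    return $status
}

# Constructed sample: the web UI on 49152 bound to the wildcard address
# (the behaviour reported above), sshd on 22 bound to one address.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:49152 0.0.0.0:*
LISTEN 0 128 192.168.1.10:22 0.0.0.0:*'

# Constructed sample of what a working --ip option should produce.
SAMPLE_SS_FIXED='LISTEN 0 128 192.168.1.10:49152 0.0.0.0:*
LISTEN 0 128 192.168.1.10:22 0.0.0.0:*'

# Returns 0 when port 49152 is bound only to specific addresses in the given
# ss output, 1 when it is exposed on all interfaces.
mediatomb_bind_ok() {
    printf '%s\n' "$1" | check_wildcard_bind 49152 >/dev/null
}

# Against a live system (iproute2 required): ss -ltnH | check_wildcard_bind 49152
```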