On 21/12/11 23:43, Daniel Svensson wrote:
> On Wed, Dec 21, 2011 at 11:18 PM, Daniel Svensson <dsvens...@gmail.com> wrote:
>> On Wed, Dec 21, 2011 at 8:55 PM, Daniel Pocock <dan...@pocock.com.au> wrote:
>>> Package: xmms2-core
>>> Version: 0.7DrNo+dfsg-2
>>> Severity: grave
>>>
>>> I've chosen the severity `grave' as it is suggested for issues that
>>> could "introduce a security hole allowing access to the accounts of
>>> users who use the package"
>>> http://www.debian.org/Bugs/Developer#severities
>>>
>>> Details:
>>>
>>> - in the default configuration, xmms2d is secured using UNIX domain
>>> sockets, this is reasonably secure
>>>
>>> - however, users may be tempted to enable TCP mode, which has no
>>> security at all
>>
>> Maybe you could add an apt question if the user is a licensed computer 
>> driver?
>>
>> http://en.wikipedia.org/wiki/European_Computer_Driving_Licence
> 
> A more serious reply... patches accepted for the man page. It would be
> totally ok if you want to warn that if you open a socket that has no
> authorization whatsoever, any person can connect to it and do the
> same thing as you can do.
> 

I'm sure it's obvious to most people that the socket allows them to
start and stop things in their playlist.

However, it is not so obvious that the socket allows people to browse
the server filesystems - even some more advanced users may find that
surprising.

It's also necessary to think about it in the context of the application:
if a debugger or other tool opens a port, you can expect the end user to
be fairly knowledgeable about the consequences.  For a media player
application, there is likely to be a much broader user base with varying
levels of knowledge.
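The point of the thread is that the only thing bounding who can talk to xmms2d is where its IPC socket is bound, because neither transport authenticates clients. The following is an added example (not code from the bug report or from xmms2) that grades a daemon's listen configuration on that basis; it assumes xmms2's `core.ipcsocket` property holds `;`-separated `unix://` or `tcp://host:port` URIs, which is an assumption about the config format, not something the report states.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Assumed convention (not from the bug report): xmms2d reads its listen
# addresses from the "core.ipcsocket" property, a ";"-separated list of URIs
# such as "unix:///tmp/xmms-ipc-alice" or "tcp://127.0.0.1:9667".  No form
# carries authentication, so exposure is decided purely by the bind address.


@dataclass
class Finding:
    uri: str
    exposure: str  # "local-unix", "loopback-tcp", "network-tcp", "unknown"
    severity: str  # "ok", "warn", "grave"


def classify_ipc_uri(uri: str) -> Finding:
    """Grade one listen URI by who can reach it without any credentials."""
    uri = uri.strip()
    if uri.startswith("unix://"):
        # Only processes with filesystem access to the socket path can connect.
        return Finding(uri, "local-unix", "ok")
    if not uri.startswith("tcp://"):
        return Finding(uri, "unknown", "warn")
    hostport = uri[len("tcp://"):]
    if hostport.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:9667
        host = hostport[1:hostport.index("]")]
    else:
        host = hostport.rsplit(":", 1)[0] if ":" in hostport else hostport
    try:
        addr = ip_address(host)
    except ValueError:
        # Hostname rather than literal: treat "localhost" as loopback,
        # anything else as reachable from the network.
        if host == "localhost":
            return Finding(uri, "loopback-tcp", "warn")
        return Finding(uri, "network-tcp", "grave")
    if addr.is_loopback:
        # Any local user, not just the owner, can drive the daemon.
        return Finding(uri, "loopback-tcp", "warn")
    # Wildcard or external address: anyone who can reach the port can
    # control playback and browse the server filesystem.
    return Finding(uri, "network-tcp", "grave")


def audit_ipcsocket(value: str) -> list[Finding]:
    """Grade every URI in a core.ipcsocket-style value."""
    return [classify_ipc_uri(u) for u in value.split(";") if u.strip()]
```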