Send Motion-user mailing list submissions to
	motion-user@lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.sourceforge.net/lists/listinfo/motion-user
or, via email, send a message with subject or body 'help' to
	motion-user-requ...@lists.sourceforge.net

You can reach the person managing the list at
	motion-user-ow...@lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Motion-user digest..."

Today's Topics:

   1. Re: motion security patch release 3.4.2 (tosiara)
   2. Re: Negative impact on wifi connectivity (Damian)
   3. Re: motion security patch release 3.4.2 (tosiara)

----------------------------------------------------------------------

Message: 1
Date: Mon, 26 Oct 2020 20:29:03 +0200
From: tosiara <tosi...@gmail.com>
To: Motion discussion list <motion-user@lists.sourceforge.net>
Subject: Re: [Motion-user] motion security patch release 3.4.2
Message-ID: <CACHTdwQSd8SVPFtekNNco2iX7F=6xgjv3+ey4ppwyiwpmae...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Yeah, sorry, typo. 4.3.2

I think, CVE will be published as soon as everyone has enough time to
update. At least I'm not the owner of that CVE item

On Mon, Oct 26, 2020, 20:14 Jack Christensen <christensen.jac...@gmail.com> wrote:

> Hi,
>
> Should the version number below and also on the subject line be 4.3.2?
>
> Is the CVE available to read? I cannot find it.
>
> Thanks ... jc
>
> On 10/26/20 6:33 AM, tosiara wrote:
>
> The default config restricts stream and webcontrol ports to localhost, so
> it is a partial mitigation that comes out of the box. In that case a remote
> attacker would need to use additional techniques to perform a request to
> localhost, but it is still possible (ex, CSRF). The only full mitigations
> are either patch to *3.4.2*, or completely disable ports
>
> On Mon, Oct 26, 2020 at 12:21 PM chuck elliot <c.ell...@pobox.com> wrote:
>
>> Presumably limiting web and stream control to localhost would mean
>> an attacker would need host access to mount this attack so would
>> be a partial mitigation? Perhaps a web/stream-control ACL might be
>> added in future?
>>
>> Regards,
>>
>> CE.
>>
>> On 26/10/2020 9:52 am, tosiara wrote:
>>
>> Hi,
>>
>> Please be aware that there is an update published on Github that resolves
>> a medium severity denial of service vulnerability that has been recently
>> found in motion. The motion process would crash and require a manual after
>> receiving a specially crafted http request.
>>
>> The patch has been applied to both master branch and 4.3 release branch.
>> Deb packages built and also published in Github releases. SHA256 sums are
>> signed with tosiara's github gpg key.
>>
>> CVE: CVE-2020-26566
>> Github security advisory: GHSA-6f7x-grw7-fw24
>>
>> Mitigation: if you are not able to update yet, the only mitigation is to
>> disable stream and webcontrol ports by setting them to 0 in your
>> motion.conf. Note that the issue occurs prior to authentication, so setting
>> a password on the stream and the webcontrol would not help.
>>
>> Let me know if you have any notes or questions.

------------------------------

Message: 2
Date: Mon, 26 Oct 2020 22:36:07 +0100
From: Damian <motion-u...@arcsin.de>
To: motion-user@lists.sourceforge.net
Subject: Re: [Motion-user] Negative impact on wifi connectivity
Message-ID: <c6c75a8f-196d-386a-017a-0aad368ee...@arcsin.de>
Content-Type: text/plain; charset=utf-8; format=flowed

>> The next path would be to use the v4l2 via netcam option. This option
>> invokes an entirely different method to open the
>> device by using the ffmpeg libraries.
>
> I have to test this some other time. Right now the reception is too good.
> Must be open doors or something. However I can say that
> the cpu load is much higher with v4l2 via netcam_url. On the Zero W the
> single core is at 100% all the time and the load average
> is around 2. There seems to be an additional thread compared to a native v4l
> setup.

Reception got bad again so I was able to test and compare. v4l2 via
netcam_url does not help, unfortunately. However I now know that the issue
actually is about VIDIOC_STREAMON being active continuously. My primary use
case is "snapshot_interval 5", so I tried the following based on Debian
buster (release-4.1.1):

> diff --git a/video_v4l2.c b/video_v4l2.c
> index 5be8d6e..4dcab92 100644
> --- a/video_v4l2.c
> +++ b/video_v4l2.c
> @@ -882,0 +883,9 @@ static int v4l2_capture(struct context *cnt, struct
> video_dev *viddev, unsigned
> +
> + enum v4l2_buf_type type;
> + type = V4L2_BUF_TYPE_VIDEO_CAPTURE;
> + if (xioctl(vid_source, VIDIOC_STREAMON, &type) == -1) {
> + MOTION_LOG(ERR, TYPE_VIDEO, SHOW_ERRNO
> + ,"Error re-starting stream. VIDIOC_STREAMON");
> + return -1;
> + }
> +
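Review bot: this hunk re-starts streaming at the top of v4l2_capture but does nothing about the capture buffers: VIDIOC_STREAMOFF (added by the second hunk at the end of the same function) removes all queued buffers from the driver, so unless the existing code between the two hunks re-queues them with VIDIOC_QBUF before it dequeues a frame, the first dequeue after a restart can fail or block; worth confirming on the driver in use and, if needed, re-queueing right after the STREAMON succeeds. Minor: `enum v4l2_buf_type type;` is declared in the middle of the function body between two added blank lines (the `+` lines with no content); moving it up with the other locals and dropping the blank lines would match the surrounding style.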
> @@ -924,0 +934,3 @@ static int v4l2_capture(struct context *cnt, struct
> video_dev *viddev, unsigned
> + type = V4L2_BUF_TYPE_VIDEO_CAPTURE;
> + xioctl(vid_source, VIDIOC_STREAMOFF, &type);
> +

This yields a more stable wifi network while providing the same image
quality (i.e. better than fswebcam). I think it also reduced the cpu load.
The "Tx excessive retries" counter goes up slowly, probably counting the
packets that should have been transmitted during STREAMON and STREAMOFF.
Motion still has an impact on the smoothness of the ssh session which I
could probably improve more by setting a higher snapshot_interval.

------------------------------

Message: 3
Date: Tue, 27 Oct 2020 14:59:08 +0200
From: tosiara <tosi...@gmail.com>
To: Motion discussion list <motion-user@lists.sourceforge.net>
Subject: Re: [Motion-user] motion security patch release 3.4.2
Message-ID: <CACHTdwTvpsjrYxO_6mcZevaD=jgco5epofugreynlsoxeen...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

I have made a few more checks and can confirm that the issue also exists in
3.2.12 version (the minimum available in Debian Jessie). However, as MrDave
pointed, only webcontrol is affected in versions prior to 4.2. Additionally,
authentication is a mitigation if enabled. Github security advisory updated
with this info.

On Mon, Oct 26, 2020 at 8:29 PM tosiara <tosi...@gmail.com> wrote:

> Yeah, sorry, typo. 4.3.2
>
> I think, CVE will be published as soon as everyone has enough time to
> update. At least I'm not the owner of that CVE item
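As an added example (not code from this thread or from the motion project), a small check that classifies a motion.conf against the mitigations laid out in the advisory and in the follow-up above: ports set to 0 are the full mitigation, localhost-only binding is partial (a CSRF-style relay can still reach it), and for releases before 4.2 only webcontrol is affected and authentication counts as a mitigation. The option names stream_port, webcontrol_port, stream_localhost, webcontrol_localhost and webcontrol_authentication are assumed from motion 4.x, and the sample configs are constructed.

```python
"""Classify a motion.conf against the mitigations discussed in this thread
for the pre-auth DoS (CVE-2020-26566).  Added example, not motion code.
Assumed (not from the thread): motion 4.x option names stream_port,
webcontrol_port, stream_localhost, webcontrol_localhost and
webcontrol_authentication, and that the caller knows the running version."""

# Constructed sample configs, labelled as such.
DEFAULT_CONF = """
# out-of-the-box style: both services bound to localhost only
stream_port 8081
stream_localhost on
webcontrol_port 8080
webcontrol_localhost on
"""
DISABLED_CONF = "stream_port 0\nwebcontrol_port 0\n"
EXPOSED_CONF = ("stream_port 8081\nstream_localhost off\n"
                "webcontrol_port 8080\nwebcontrol_localhost off\n")

def parse_conf(text):
    """Return {option: value} from 'key value' lines; '#' starts a comment."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            opts[key] = value.strip()
    return opts

def service_status(opts, name, affected, auth_mitigates):
    """mitigated / partial / exposed for the stream or webcontrol service."""
    if not affected or opts.get(f"{name}_port", "0") == "0":
        return "mitigated"          # port set to 0 (or absent): full mitigation
    if auth_mitigates and opts.get(f"{name}_authentication"):
        return "mitigated"          # pre-4.2 webcontrol: auth is enough
    if opts.get(f"{name}_localhost", "on") == "on":   # localhost is the default
        return "partial"            # reachable only via CSRF-style relays
    return "exposed"

def assess(text, version):
    """Per-service status for a given motion version string, e.g. '4.3.1'."""
    vt = tuple(int(x) for x in version.split(".")[:3])
    if vt >= (4, 3, 2):             # the fixed release named in the thread
        return {"stream": "patched", "webcontrol": "patched"}
    pre_42 = vt < (4, 2)            # before 4.2 only webcontrol is affected
    opts = parse_conf(text)
    return {"stream": service_status(opts, "stream", not pre_42, False),
            "webcontrol": service_status(opts, "webcontrol", True, pre_42)}
```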
------------------------------

Subject: Digest Footer

_______________________________________________
Motion-user mailing list
Motion-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/motion-user

------------------------------

End of Motion-user Digest, Vol 172, Issue 20
********************************************