Package: mediatomb
Version: 0.12.0~svn2018-6
Severity: grave
Tags: security
Justification: user security hole

This bug was reported to Ubuntu via Launchpad:

>From the upstream documentation:

"The server has an integrated filesystem browser, that means that anyone
who has access to the UI can browse your filesystem (with user
permissions under which the server is running) and also download your
data! If you want maximum security - disable the UI completely! Account
authentication offers simple protection that might hold back your kids,
but it is not secure enough for use in an untrusted environment! Note:
since the server is meant to be used in a home LAN environment the UI is
enabled by default and accounts are deactivated, thus allowing anyone on
your network to connect to the user interface."

Unfortunately, the Debian/Ubuntu packaging preserves these installation
defaults, which IMHO is incorrect behavior for a distribution. A few
ways to solve this are:
 * the web UI should be disabled on new installs
 * a debconf question should prompt the user to enable the web UI, but
   default to 'no'
 * enable the web UI, but create an account for connecting to it

Upstream doesn't seem confident in mediatomb's handling of
authentication, so it would probably makes sense to not rely on it and
simply disable the feature, documenting how to enable it and the
pitfalls of enabling it in README.Debian.

-- System Information:
Debian Release: squeeze/sid
  APT prefers lucid-updates
  APT policy: (500, 'lucid-updates'), (500, 'lucid-security'), (500, 'lucid')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-21-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

pkg-multimedia-maintainers mailing list

Reply via email to