Hi! I'm making sure that this message is read by the security team as well, since Yves-Alexis reduced the Severity level, and I think it is not right. Please see the explanation of why I think there is a security hole below.
---------- Forwarded message ----------
From: Vladimir Volovich <[email protected]>
Date: Thu, Nov 15, 2012 at 4:46 PM
Subject: Re: [Secure-testing-team] Bug#693301: MediaTomb always bind to all interfaces regardless of configuration settings
To: Yves-Alexis Perez <[email protected]>

On Thu, Nov 15, 2012 at 4:15 PM, Yves-Alexis Perez <[email protected]> wrote:
>
> Control: severity -1 important
>
> On jeu., 2012-11-15 at 12:57 +0400, Vladimir Volovich wrote:
> > Package: mediatomb-common
> > Version: 0.12.1-4+b1
> > Severity: critical
>
> No need to over-estimate severity. Critical is described as "makes
> unrelated software on the system (or the whole system) break, or causes
> serious data loss, or introduces a security hole on systems where you
> install the package."

I think that it falls into this category, since if I have mediatomb running, it exposes its web interface to the public. Its web interface is listening on port 49152 and if the system where mediatomb is installed has an external IP, it exposes this web interface to anyone on the internet, and I think it's a security hole.

So please change it back to critical, or explain why you think it is not a security hole.

> > File: /usr/bin/mediatomb
> > Tags: security
> >
> > Attempt to force mediatomb to bind to a specific IP address (or
> > interface) is ignored. E.g. I've tried to change setting in
> > /etc/default/mediatomb as follows:
> >
> > OPTIONS="-i 10.0.10.2"
> >
> > and mediatomb is started with the "-i 10.0.10.2" option:
> >
> > $ pgrep -a mediatomb
> > 17000 /usr/bin/mediatomb -c /etc/mediatomb/config.xml -d -u mediatomb -g mediatomb -P /var/run/mediatomb.pid -l /var/log/mediatomb.log -i 10.0.10.2
> >
> > but it binds to all interfaces:
> >
> > $ sudo netstat -anp | grep mediatomb
> > tcp        0      0 0.0.0.0:49152     0.0.0.0:*    LISTEN    17000/mediatomb
> > udp        0      0 0.0.0.0:1900      0.0.0.0:*              17000/mediatomb
> > udp        0      0 127.0.0.1:39862   0.0.0.0:*              17000/mediatomb
> >
> > Apparently this has been reported upstream:
> >
> > http://sourceforge.net/tracker/?func=detail&aid=3039645&group_id=129766&atid=715780
> >
> > but this is not fixed. Could the debian team please fix this issue in
> > the debian package, since it is obviously a security issue?
>
> Is the feature supposed to be supported by mediatomb (and it doesn't
> work) or is it not supported at all?

The feature is supposed to be supported by mediatomb, and it doesn't work. The option --ip apparently has no effect at all. (And possibly the same with the --interface option).

> Regards,
> --
> Yves-Alexis

Best wishes,
Vladimir

_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
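The report above verifies the bind address by hand with `pgrep` and `netstat -anp`. As an added example (not part of the bug report or of MediaTomb), here is a small POSIX shell check that parses `netstat -anp`-style output and flags every socket of a given program that is not bound to the address the administrator configured, so a daemon that silently ignores its `-i` option is caught by a deployment or monitoring check. The sample output is constructed to mirror the report; the check assumes IPv4 addresses and treats a loopback bind as acceptable.

```shell
#!/bin/sh
# Constructed sample of `netstat -anp` output, modelled on the bug report
# (an sshd line is added to show a correctly bound service).
SAMPLE='tcp        0      0 0.0.0.0:49152           0.0.0.0:*               LISTEN      17000/mediatomb
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           17000/mediatomb
udp        0      0 127.0.0.1:39862         0.0.0.0:*                           17000/mediatomb
tcp        0      0 10.0.10.2:22            0.0.0.0:*               LISTEN      900/sshd'

# check_binds PROGRAM EXPECTED_IP   (netstat output on stdin)
# Prints one line per socket of PROGRAM whose local address is neither
# EXPECTED_IP nor loopback; the wildcard 0.0.0.0 is therefore reported.
# Exit status is 1 when anything was reported, 0 otherwise.
# Assumes IPv4 (the local address is split at its single ':').
check_binds() {
    prog=$1; want=$2
    awk -v prog="$prog" -v want="$want" '
        $NF ~ ("/" prog "$") {              # last column is PID/program
            split($4, a, ":")               # column 4 is "addr:port"
            if (a[1] != want && a[1] != "127.0.0.1") {
                printf "%s %s bound to %s, expected %s\n", $1, $NF, $4, want
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Stand-alone use: on a live host replace the sample with real output,
#   sudo netstat -anp | check_binds mediatomb 10.0.10.2
printf '%s\n' "$SAMPLE" | check_binds mediatomb 10.0.10.2
```

On the sample above the check reports the two wildcard sockets (tcp 49152 and udp 1900) and exits non-zero, which is exactly the condition the report describes.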

