- Package:
- src:gerbera
- Source:
- gerbera
- Submitter:
- Vladimir Volovich
- Date:
- 2017-11-21 15:24:05 UTC
- Severity:
- important
Attempt to force mediatomb to bind to a specific IP address (or interface) is ignored. E.g. I've tried to change the setting in /etc/default/mediatomb as follows:

    OPTIONS="-i 10.0.10.2"

and mediatomb is started with the "-i 10.0.10.2" option:

    $ pgrep -a mediatomb
    17000 /usr/bin/mediatomb -c /etc/mediatomb/config.xml -d -u mediatomb -g mediatomb -P /var/run/mediatomb.pid -l /var/log/mediatomb.log -i 10.0.10.2

but it binds to all interfaces:

    $ sudo netstat -anp | grep mediatomb
    tcp        0      0 0.0.0.0:49152           0.0.0.0:*               LISTEN      17000/mediatomb
    udp        0      0 0.0.0.0:1900            0.0.0.0:*                           17000/mediatomb
    udp        0      0 127.0.0.1:39862         0.0.0.0:*                           17000/mediatomb

Apparently this has been reported upstream: http://sourceforge.net/tracker/?func=detail&aid=3039645&group_id=129766&atid=715780 but this is not fixed. Could the Debian team please fix this issue in the Debian package, since it is obviously a security issue?
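A defender-side check for the symptom described in the report, added here as an example (it is not part of the bug report or of mediatomb): parse `netstat -anp` output and flag sockets of a named daemon that are bound to a wildcard address or to an address other than the one configured. The sample lines are constructed after the report, and the program name and expected address are assumptions.

```python
# Constructed sample in the format of `netstat -anp`, modelled on the report
# above (not captured from a live system). The sshd line is a control entry.
NETSTAT_SAMPLE = """\
tcp        0      0 0.0.0.0:49152           0.0.0.0:*               LISTEN      17000/mediatomb
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           17000/mediatomb
udp        0      0 127.0.0.1:39862         0.0.0.0:*                           17000/mediatomb
tcp        0      0 10.0.10.2:22            0.0.0.0:*               LISTEN      900/sshd
"""

# Constructed sample of what the same daemon should look like once -i is honoured.
FIXED_SAMPLE = """\
tcp        0      0 10.0.10.2:49152         0.0.0.0:*               LISTEN      17000/mediatomb
udp        0      0 127.0.0.1:39862         0.0.0.0:*                           17000/mediatomb
"""

WILDCARDS = {"0.0.0.0", "::", "*"}


def parse_netstat(text):
    """Yield (proto, local_ip, local_port, program) for each socket line.

    netstat -anp prints: proto recv-q send-q local foreign [state] pid/program.
    The state column is absent for UDP, so the program is taken from the end.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        proto, local, pidprog = parts[0], parts[3], parts[-1]
        ip, _, port = local.rpartition(":")          # handles ":::49152" too
        program = pidprog.split("/", 1)[1] if "/" in pidprog else pidprog
        yield proto, ip, int(port), program


def check_bind(text, program, expected_ip):
    """Return (proto, ip, port) for sockets of `program` not bound to expected_ip.

    Loopback binds are tolerated; a wildcard bind while an explicit address was
    configured is the exact symptom the report describes (the -i option ignored).
    """
    violations = []
    for proto, ip, port, prog in parse_netstat(text):
        if prog != program or ip.startswith("127.") or ip == "::1":
            continue
        if ip in WILDCARDS or ip != expected_ip:
            violations.append((proto, ip, port))
    return violations
```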
Control: severity -1 important

No need to over-estimate severity. Is the feature supposed to be supported by mediatomb (and it doesn't work) or is it not supported at all?

Regards,
(sorry for the duplicate email - forgot to send a CC to bugs.debian.org)

Critical is described as "makes unrelated software on the system (or the whole system) break, or causes serious data loss, or introduces a security hole on systems where you install the package." I think that it falls into this category, since if I have mediatomb running, it exposes its web interface to the public. Its web interface is listening on port 49152 and if the system where mediatomb is installed has an external IP, it exposes this web interface to anyone on the internet, and I think it's a security hole. So please change it back to critical, or explain why you think it is not a security hole.

The feature is supposed to be supported by mediatomb, and it doesn't work. The option --ip apparently has no effect at all. (And possibly the same with the --interface option.)

Best wishes,
Vladimir
Well, by itself this is not a security bug, unless the interface itself is buggy. I agree it might not be a good idea to expose this to everyone, and we usually prefer to not bind on all interfaces when possible, but that doesn't make it a security hole. Thanks.
Well, mediatomb's web interface allows at least browsing the filesystem and possibly accessing any file readable by the mediatomb user, which the unsuspecting mediatomb user might not be even aware of, especially if he naively created the config to bind mediatomb to a local address (and this setting is plainly ignored)...