#693301 MediaTomb always bind to all interfaces regardless of configuration settings

#693301#5
Date:
2012-11-15 08:57:34 UTC
Attempt to force mediatomb to bind to a specific IP address (or interface) is
ignored. E.g. I've tried to change setting in /etc/default/mediatomb as
follows:
OPTIONS="-i 10.0.10.2"

and mediatomb is started with the "-i 10.0.10.2" option:

$ pgrep -a mediatomb
17000 /usr/bin/mediatomb -c /etc/mediatomb/config.xml -d -u mediatomb -g mediatomb -P /var/run/mediatomb.pid -l /var/log/mediatomb.log -i 10.0.10.2

but it binds to all interfaces:

$ sudo netstat -anp | grep mediatomb
tcp        0      0 0.0.0.0:49152           0.0.0.0:*               LISTEN      17000/mediatomb
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           17000/mediatomb
udp        0      0 127.0.0.1:39862         0.0.0.0:*                           17000/mediatomb

Apparently this has been reported upstream:

http://sourceforge.net/tracker/?func=detail&aid=3039645&group_id=129766&atid=715780

but this is not fixed. Could the Debian team please fix this issue in the
Debian package, since it is obviously a security issue?
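A small check for the mismatch described in this report, as an added example that is not part of the bug log: it reads the daemon's command line and its netstat output (both constructed here from the values quoted above) and flags sockets bound to a wildcard address when `-i` asked for a specific one.

```python
import shlex

# Constructed sample input, modelled on the pgrep and netstat output quoted in the report.
PGREP_LINE = ("17000 /usr/bin/mediatomb -c /etc/mediatomb/config.xml -d -u mediatomb "
              "-g mediatomb -P /var/run/mediatomb.pid -l /var/log/mediatomb.log -i 10.0.10.2")
NETSTAT_OUTPUT = """\
tcp        0      0 0.0.0.0:49152           0.0.0.0:*               LISTEN      17000/mediatomb
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           17000/mediatomb
udp        0      0 127.0.0.1:39862         0.0.0.0:*                           17000/mediatomb
"""

WILDCARD_ADDRESSES = {"0.0.0.0", "::", "*"}


def expected_bind_address(pgrep_line):
    """Return (pid, address) where address is the value passed via -i/--ip, or None."""
    pid, _, cmdline = pgrep_line.partition(" ")
    argv = shlex.split(cmdline)
    for i, arg in enumerate(argv):
        if arg in ("-i", "--ip") and i + 1 < len(argv):
            return int(pid), argv[i + 1]
        if arg.startswith("--ip="):
            return int(pid), arg.split("=", 1)[1]
    return int(pid), None


def listening_sockets(netstat_output, pid):
    """Yield (proto, local_addr, local_port) for every socket netstat attributes to pid."""
    for line in netstat_output.splitlines():
        fields = line.split()
        # TCP rows carry a state column, UDP rows do not; the PID/program is always last.
        if len(fields) < 5 or not fields[-1].startswith(f"{pid}/"):
            continue
        addr, _, port = fields[3].rpartition(":")
        yield fields[0], addr, int(port)


def wildcard_binds(pgrep_line, netstat_output):
    """Sockets bound to all interfaces although a specific -i address was requested."""
    pid, wanted = expected_bind_address(pgrep_line)
    if wanted is None:
        return []  # no address requested, so a wildcard bind is not a deviation
    return [(proto, addr, port)
            for proto, addr, port in listening_sockets(netstat_output, pid)
            if addr in WILDCARD_ADDRESSES]


if __name__ == "__main__":
    for proto, addr, port in wildcard_binds(PGREP_LINE, NETSTAT_OUTPUT):
        print(f"{proto} {addr}:{port} is reachable on every interface despite -i")
```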

#693301#10
Date:
2012-11-15 12:15:05 UTC
Control: severity -1 important

No need to over-estimate severity.
Is the feature supposed to be supported by mediatomb (and it doesn't
work) or is it not supported at all?

Regards,

#693301#17
Date:
2012-11-15 12:48:43 UTC
(sorry for the duplicate email - forgot to send a CC to bugs.debian.org)

Critical is described as "makes unrelated software on the system (or
the whole system) break, or causes serious data loss, or introduces a
security hole on systems where you install the package."

I think that it falls into this category, since if I have mediatomb
running, it exposes its web interface to the public. Its web interface
is listening on port 49152 and if the system where mediatomb is
installed has an external IP, it exposes this web interface to anyone
on the internet, and I think it's a security hole.

So please change it back to critical, or explain why you think it is
not a security hole.

The feature is supposed to be supported by mediatomb, and it doesn't
work. The option --ip apparently has no effect at all. (And possibly
the same with the --interface option).

Best wishes,
Vladimir

#693301#22
Date:
2012-11-15 13:33:04 UTC
Well, by itself this is not a security bug, unless the interface itself
is buggy. I agree it might not be a good idea to expose this to
everyone, and we usually prefer to not bind on all interfaces when
possible, but that doesn't make it a security hole.
Thanks.

#693301#27
Date:
2012-11-15 18:14:36 UTC
Well, mediatomb's web interface allows at least browsing the
filesystem and possibly accessing any file readable by the mediatomb
user, which the unsuspecting mediatomb user might not even be aware
of, especially if he naively created the config to bind mediatomb to a
local address (and this setting is plainly ignored)...
