Bug#405336: vdr ignores svdrphostsconf, listens instead to 0.0.0.0:2001

Tue, 02 Jan 2007 10:40:42 -0800 

This one time, at band camp, Juergen Kosel said:
> Hello,
> 
> after I have installed vdr and started as daemon by the init.d script,
> chkrootkit reports a possible scalper worm infection.
> The chkrootkit script checks for listening of port 2001, which is used by vdr:
> tcp        0      0 0.0.0.0:2001            0.0.0.0:*               LISTEN
> 
> But svdrphosts.conf says:
> #
> # svdrphosts    This file describes a number of host addresses that
> #               are allowed to connect to the SVDRP port of the Video
> #               Disk Recorder (VDR) running on this system.
> # Syntax:
> #
> # IP-Address[/Netmask]
> #
> 
> 127.0.0.1             # always accept localhost
> #192.168.100.0/24     # any host on the local net
> #204.152.189.113      # a specific host
> #0.0.0.0/0            # any host on any net (USE THIS WITH CARE!)
> #192.168.1.0/24
> 
> Maybe the client address is checked, after vdr has accepted the connection.
> (I haven't looked into this.)

This is indeed the logic:

int cSocket::Accept(void)
{
  if (Open()) {
     struct sockaddr_in clientname;
     uint size = sizeof(clientname);
     int newsock = accept(sock, (struct sockaddr *)&clientname, &size);
     if (newsock > 0) {
        bool accepted = SVDRPhosts.Acceptable(clientname.sin_addr.s_addr);
        if (!accepted) {
           const char *s = "Access denied!\n";
           if (write(newsock, s, strlen(s)) < 0)
              LOG_ERROR;
           close(newsock);
           newsock = -1;
           }
        isyslog("connect from %s, port %hu - %s", 
inet_ntoa(clientname.sin_addr), ntohs(clientname.sin_port), accepted ? 
"accepted" : "DENIED");
        }
     else if (errno != EINTR && errno != EAGAIN)
        LOG_ERROR;
     return newsock;
     }
  return -1;
}

I'm not the maintainer, but I suggest downgrading the severity and
removing the security tag from this report as a first step.  If it was
my package, I might suggest closing it (or perhaps redoing it as a
wishlist bug to only bind to some interface or IP address, rather than
all).

Take care,
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        [EMAIL PROTECTED] |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------

Attachment: signature.asc
Description: Digital signature

Reply via email to