[Secure-testing-team] Bug#635297: mt-daapd: Firefly starts up with a default admin password

Mirsal Ennaime mirsal at mirsal.fr
Sun Jul 24 19:54:31 UTC 2011 

Package: mt-daapd
Version: 0.9~r1696.dfsg-16
Severity: critical
Tags: security

The /etc/mt-daapd.conf configuration file shipped with the
mt-daapd package contains a well-known default admin password
and the service starts up automatically after installation,
thus allowing potentially unwanted access until the password is
manually updated.

-- System Information:
Debian Release: wheezy/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (150, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.39-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages mt-daapd depends on:
ii  adduser                   3.113          add and remove users and groups
ii  avahi-daemon              0.6.30-5       Avahi mDNS/DNS-SD daemon
ii  libavahi-client3          0.6.30-5       Avahi client library
ii  libavahi-common3          0.6.30-5       Avahi common library
ii  libavcodec52              5:0.7.1-0.0    library to encode decode multimedi
ii  libavformat52             5:0.7.1-0.0    ffmpeg file format library
ii  libavutil49               4:0.5.2-6      ffmpeg utility library
ii  libc6                     2.13-10        Embedded GNU C Library: Shared lib
ii  libflac8                  1.2.1-4        Free Lossless Audio Codec - runtim
ii  libid3tag0                0.15.1b-10     ID3 tag reading library from the M
ii  libjs-prototype           1.7.0-2        JavaScript Framework for dynamic w
ii  libjs-scriptaculous       1.9.0-2        JavaScript library for dynamic web
ii  libogg0                   1.2.2~dfsg-1   Ogg bitstream library
ii  libsqlite3-0              3.7.7-2        SQLite 3 shared library
ii  libtagc0                  1.7-1          audio meta-data library - C bindin
ii  libvorbis0a               1.3.2-1        The Vorbis General Audio Compressi
ii  libvorbisfile3            1.3.2-1        The Vorbis General Audio Compressi
ii  zlib1g                    1:1.2.5.dfsg-1 compression library - runtime

mt-daapd recommends no packages.

mt-daapd suggests no packages.

-- Configuration Files:
/etc/mt-daapd.conf [Errno 13] Permission denied: u'/etc/mt-daapd.conf'

-- no debconf information

More information about the Secure-testing-team mailing list