This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When creating a Bodhi update request, please use the bodhi submission link noted in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the Bodhi notes field when available. Please note: this issue affects multiple supported versions of Fedora. Only one tracking bug has been filed; please ensure that it is only closed when all affected versions are fixed. [bug automatically created by: add-tracking-bugs]
Please use the following update submission link to create the Bodhi request for this issue as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable. Please also ensure that the "Close bugs when update is stable" option remains checked. Bodhi update submission link: https://admin.fedoraproject.org/updates/new/?type_=security&bugs=883790,906044
If at all possible, this should be made to use the system libupnp library so that future vulnerabilities in libupnp do not require a rebuild of this package.
mediatomb-0.12.1-23.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/mediatomb-0.12.1-23.fc17
mediatomb-0.12.1-16.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/mediatomb-0.12.1-16.fc16
mediatomb-0.12.1-23.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/mediatomb-0.12.1-23.fc18
Package mediatomb-0.12.1-23.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing mediatomb-0.12.1-23.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-2352/mediatomb-0.12.1-23.fc17 then log in and leave karma (feedback).
mediatomb-0.12.1-23.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
mediatomb-0.12.1-23.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
This update appears to have introduced two bugs, both related to the unbundling of mediatomb's UPnP library. The first is that mediatomb no longer respects the port setting in its config file and appears to be caused by this part of the unbundle patch: diff -r -U3 mediatomb-0.12.1.orig/src/server.cc mediatomb-0.12.1/src/server.cc --- mediatomb-0.12.1.orig/src/server.cc 2010-03-25 09:58:11.000000000 -0500 +++ mediatomb-0.12.1/src/server.cc 2013-02-12 12:01:08.955475877 -0600 @@ -166,7 +166,7 @@ if (storage->threadCleanupRequired()) cb = (void *)static_cleanup_callback; - ret = UpnpInit(ip.c_str(), port, 0, cb); + ret = UpnpInit(ip.c_str(), 0); if (ret != UPNP_E_SUCCESS) { I believe the replaced line should be: + ret = UpnpInit(ip.c_str(), (unsigned short) port); The second bug is that streaming to the PlayStation 3 is now broken. It is possible to browse the file hierarchy, but when trying to play a file, the PS3 fails to play the file with the following error message: "Media Server Error: A network error has occurred. (00000193)"
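Review bot: In the `server.cc` hunk, the replacement call `UpnpInit(ip.c_str(), 0)` hard-codes the port argument to 0, so the `port` value passed by the old call never reaches the library; pass it through, for example `UpnpInit(ip.c_str(), (unsigned short) port)` as the comment proposes. The two-argument call also drops `cb`, while the unchanged context line still assigns `cb = (void *)static_cleanup_callback;` when `storage->threadCleanupRequired()` is true, so within this hunk the cleanup callback is set but no longer handed to anything. Either register it by another route or remove the now-dead assignment, and say in the patch description which was intended.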
Try the build that just finished in rawhide from koji, it incorporates your patch change. Do you get any log or console errors when you attempt PS3 streaming? http://koji.fedoraproject.org/koji/buildinfo?buildID=397635
That build does fix the port problem. As for the PlayStation 3 problem, there appears to be no output indicating an error state. The mediatomb log contains nothing but the startup messages about binding to an IP address and port. However, I have found that when I try to visit the web interface in a web browser, I am prompted for a username and password despite not having configured mediatomb to perform authentication. Even when trying the username and password in the config file (/etc/mediatomb/config.xml), I cannot get past the username and password page. Looking through MediaTomb's UPnP fork...I guess it's a fork of libupnp, it appears they added some sort of basic HTTP server which I'm guessing is required for PS3 support. So removing the bundled UPnP library may have to be done upstream. For now, I'm working around the issue by rebuilding the RPM myself without the unbundling patch.
Turns out that the version mediatomb bundles isn't affected, requested update from upstream and bundling exception from FPC.
(In reply to comment #12) > Turns out that the version mediatomb bundles isn't affected, requested > update from upstream and bundling exception from FPC. What does this mean? That you want to continue using the embedded libupnp rather than the system one? It might not be vulnerable to this flaw, but can you make the same guarantee about future flaws? I think using the system libupnp is the right thing to do.
I agree, but upstream has rejected my request to use modern libupnp. They've also been patching their own version in their git repo for security fixes. https://fedorahosted.org/fpc/ticket/268 https://sourceforge.net/tracker/?func=detail&aid=3608473&group_id=129766&atid=715780
Oh. So they've essentially forked it for their own exclusive use. Ok, the exception request makes more sense now (it's a nuisance, but if they've been patching it for themselves and it's no longer a reflection of upstream libupnp, then I suppose there's not too much we can do if they're not interested in using a newer/upstream version). Thanks for checking, Jon. This is unfortunate, but it makes sense.
I agree with A. I think B. is generous. :) But it is what it is.
Indeed. =) Thanks again.