I have created an ebuild for Darwin Streaming Server v5.0.3.2. According to Secunia <http://secunia.com/advisories/13367/> versions beyond 5.0.3 have fixed the DESCRIBE null byte vulnerability, but we haven't been able to find any other resources confirming this. Also, we have been unable to demonstrate the DESCRIBE null byte vulnerability in previous versions, so we haven't been able to confirm that it has been fixed in newer ones. We would appreciate code which can demonstrate the vulnerability.

I am attaching the ebuild, a gentoo patch, and two rc files. I appreciate any feedback.

Reproducible: Always
Steps to Reproduce: 1. 2. 3.
Created attachment 52582 Darwin Streaming Server v5.0.3.2 ebuild
Created attachment 52583 Darwin Streaming Server v5.0.3.2 patch used by ebuild
Created attachment 52584 Darwin Streaming Server v5.0.3.2 dss.rc file
Created attachment 52585 Darwin Streaming Server v5.0.3.2 dss-admin.rc file
I just started playing around w/ this ebuild the other day ( good work! I was really glad to see this! ) and everything seems to have gone fine, except for one thing: the permissions on /var/lib/dss/ prevent the creation of new playlists. I had to manually set perms

w2 lib # ls -ld dss/
drwxr-xr-x 4 nobody nogroup 96 Apr 6 23:26 dss//
w2 lib # ls -l dss/
total 2
drwxr-x--- 5 nobody nogroup 2056 Apr 4 18:42 admin/
drwxr-xr-x 5 nobody nogroup 320 Apr 6 23:31 media/
w2 lib # ls -l dss/media/
total 9949
drwxr-xr-x 2 nobody nogroup 72 Apr 4 18:42 http/
drwxr-x--- 3 nobody nogroup 96 Apr 6 22:50 playlists/
-rw-r--r-- 1 root root 1789985 Apr 4 18:42 sample.mp3
-rw-r--r-- 1 root root 1090897 Apr 4 18:42 sample_100kbit.mov
-rw-r--r-- 1 root root 947775 Apr 4 18:42 sample_100kbit.mp4
-rw-r--r-- 1 root root 2990345 Apr 4 18:42 sample_300kbit.mov
-rw-r--r-- 1 root root 3344372 Apr 4 18:42 sample_300kbit.mp4

That seems to have worked, though I think the real issue was simply the perms on the playlists dir. The ebuild made /usr/lib/dss and everything under it as user/group owned by root, but the playlist dir - at least - needs to be owned and rwx'able by user 'nobody'.

I hope this is useful, thank you for the ebuild!

Beers, Corey
Two questions:

What's the purpose of the /usr/lib/media/dss/html/ directory? I have not been able to figure out what that would be used for.

How does this ebuild set the user and group that DarwinStreamingServer runs as?
In response to corey: Thank you for pointing out the problem with the playlists dir. It looks like we only have to change the ownership of the one directory so that the admin server can write to it. It is fixed in the updated ebuild. We don't use playlists so I didn't catch this. :)

> What's the purpose of the /usr/lib/media/dss/html/ directory? I have not been able to figure out what that would be used for.

I'm going to assume you mean the '/var/lib/dss/media/http' directory. From the sample 'streamingserver.xml-sample' file it looks like this directory can be used to allow people to access files via http.

> How does this ebuild set the user and group that DarwinStreamingServer runs as?

The ebuild doesn't set the user and group that DarwinStreamingServer runs as. The DSS package from Apple doesn't come with a config for DarwinStreamingServer. When it is run for the first time, if DarwinStreamingServer doesn't find a config it creates a default one. The default config doesn't set the user and group so it runs as root. After you've started the server once you can go into the config and set the user and group. Alternatively, you could configure the config manually before starting the server the first time using the sample config provided by the package.

Note that the Admin Server is completely separate and has the user and group that it runs as defined in the patch the ebuild applies.

Hope this helps.
Created attachment 56001 Darwin Streaming Server v5.0.3.2 ebuild

This update to the ebuild fixes permissions on the playlists dir so that the admin server can write to it.
Ok - new bug I think. Again with the streamadminserver web interface. It would be cool if someone else could try and verify - we're trying to go live with this, so it's important to resolve as soon as possible. I'm in the midst of debugging, but if I could get verification that this issue isn't just local to my own setup, it would be extremely helpful.

So- in summary, it appears that the streamingadminserver won't allow more than a single host to connect... yes, very strange.

To verify:
#1: login to your dss web admin service.
#2: on a _different_ computer, do the same... assuming this bug I seem to be experiencing is valid, then you will not be able to login from a different machine ( even if you log out from the other session ).

What happens is it looks like you _almost_ logged in - you can see the menu panel thing to the left, but the login dialog insists on appearing where the main interface should be, and nothing seems to circumvent this.

I started poking around into the html/cgi in the /var/lib/dss/admin files and didn't see anything obvious. So then I started diff'ing some of the main files from another server we have which is running DSS 5.0.1.1 - and I think it _might_ have something to do with cookie expiration... at least that's my initial, untested/unverified feeling.

Finally - I went and actually replaced the streamingadminserver html/cgi files with the older 5.0.1.1 html/cgi from the other existing ( working ) server and restarted dss on the machine running the 5.0.3.2 gentoo ebuild - and the issue ceased to exist: using the 5.0.1.1 streamingadminserver html/cgi in place of this ebuild's 5.0.3.2 version "solved" the bug.

Obviously, that's a real hack - I'll continue debugging, hopefully I'll find the problem so we can correct whatever is causing this. Any help of course would be greatly appreciated!

Cheers!
>> Comment #9 From corey 2005-04-12 18:01 PST
> So- in summary, it appears that the streamingadminserver won't allow more than a single host to connect... yes, very strange.

OK, after some serious effort I've been able to diagnose the problem more accurately. The issue is not that the 5.0.3 web admin only allows a single host to connect - but that some/certain web browsers are unable to login. It's kind of hazy exactly which browsers work and which don't - seems a little arbitrary/random.

I tested with Firefox 1.0.2, InternetExplorer from Win98, and Konqueror 3.4. Firefox 1.0.2 worked ok. IE failed. Konqueror 3.4 failed on one pc, and succeeded on another... ( go figure )

The bug is definitely valid - I can reproduce it easily, and have done so on two different servers multiple times. I was also able to verify without doubt that using the web admin html/cgi from DSS_v5.0.1.1 succeeded in eradicating the bug. I still believe the bug is due to poor handling of cookies/headers. It's not the ebuild itself that produces/causes this bug - it is strictly due to the web admin cgi that is distributed with the 5.0.3.2 source.

Not being satisfied with "downgrading" the web admin console to an earlier version, I went ahead and grabbed the latest code off the cvs, for DSS_v5.5. Replacing the 5.0.3 web admin cgi with 5.5 web admin cgi was successful, and in fact added a couple nice features to the web admin console. I believe this is the best solution.

I will create a patch tomorrow and submit it here. The patch will be approximately 20k, and will modify the following 14 files ( under /var/lib/dss/media/admin/ ):

cgi-lib.pl
change_broadcast_password.html
change_mp3_password.html
change_password.html
general_settings.html
login.html
parse_xml.cgi
password-utils.pl
playlist-lib.pl
playlist_detail.html
playlists.html
relay.html
tag_vals.pl
top.html
I don't know why this was assigned to me...
removing security@g.o, since there does not seem to be an ebuild for any older version in the tree
>>> Unpacking source...
>>> Unpacking DSS-v5_0_3_2.zip to /var/tmp/portage/darwin-streaming-server-5.0.3.2/work
 * Applying darwin-streaming-server-5.0.3.2-gentoo.patch ...
 * Failed Patch: darwin-streaming-server-5.0.3.2-gentoo.patch !
 * ( /usr/local/overlays/portage/www-servers/darwin-streaming-server/files/darwin-streaming-server-5.0.3.2-gentoo.patch )
 *
 * Include in your bugreport the contents of:
 *
 * /var/tmp/portage/darwin-streaming-server-5.0.3.2/temp/darwin-streaming-server-5.0.3.2-gentoo.patch-20774.out
!!! ERROR: www-servers/darwin-streaming-server-5.0.3.2 failed.
!!! Function epatch, Line 361, Exitcode 0
!!! Failed Patch: darwin-streaming-server-5.0.3.2-gentoo.patch!
!!! If you need support, post the topmost build error, NOT this status message.

bugzone files # ls /usr/local/overlays/portage/www-servers/darwin-streaming-server/files/
darwin-streaming-server-5.0.3.2-gentoo.patch dss-admin.rc digest-darwin-streaming-server-5.0.3.2 dss.rc

Can someone help me with this error?
1/ The header is invalid.
2/ Fix the DEPEND/RDEPEND. No need to depend on glibc, and you have DEPEND twice in the ebuild.
3/ What's the DISTDIR supposed to do?
4/ If RESTRICT="fetch" is really needed, you need to tell users where they can download the tarball and that they should put it into /usr/portage/distfiles in pkg_nofetch().
5/ Add some message to the die statement in src_compile().
6/ ${A}, ${D} etc. should be quoted.
7/ Improve the coding in src_install() so that it does not bloat the ebuild unnecessarily and add || die where needed.

http://dev.gentoo.org/~plasmaroo/devmanual/
http://www.gentoo.org/proj/en/devrel/handbook/handbook.xml?part=2&chap=1
http://www.gentoo.org/proj/en/devrel/handbook/handbook.xml?part=2&chap=3

Please fix the above problems and reopen then.
I got an error looking for a virtual/glibc. I changed that in the ebuild to state:

DEPEND="virtual/libc"

then I re-did

# ebuild darwin-streaming-server-5.0.3.2.ebuild digest

ran emerge and it worked.
Created attachment 75497 new ebuild for 5.5.1 version
Created attachment 75498 new patch file for ebuild 5.5.1 ver.
Hello All,

I've made a new patch file for ebuild 5.5.1 ver. (see the attached "new ebuild for 5.5.1 version" and "new patch file for ebuild 5.5.1 ver." files)

DSS installs fine using the old dss-admin.rc, dss.rc and the new darwin-streaming-server-5.5.1.1.ebuild and darwin-streaming-server-5.5.1.1-gentoo.patch files.

Just make sure to download http://www.opensource.apple.com/projects/streaming/release/DarwinStreamingSrvr5.5-Source.tar and put it into your /usr/portage/distfiles

Regards, Leon
I have some problems installing with the new ebuild

ACCEPT_KEYWORDS="~amd64" emerge -pv darwin-streaming-server
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[ebuild N F ] media-video/darwin-streaming-server-5.5.1.1 +ssl 0 kB [1]
Total size of downloads: 0 kB
Portage overlays:
 [1] /usr/local/portage

ACCEPT_KEYWORDS="~amd64" emerge -pv darwin-streaming-server-5.5.1.1
These are the packages that I would merge, in order:
Calculating dependencies
!!! 'darwin-streaming-server-5.5' is not a valid package atom.
!!! Please check ebuild(5) for full details.
!!! (Did you specify a version but forget to prefix with '='?)

or

ACCEPT_KEYWORDS="~amd64" emerge darwin-streaming-server
Calculating dependencies ...done!
>>> emerge (1 of 1) media-video/darwin-streaming-server-5.5.1.1 to /
!!! No package manifest found: /usr/local/portage/media-video/darwin-streaming-server/Manifest
Created attachment 83949 compile errors for stream darwin server

My emerge --info

Portage 2.0.54 (default-linux/amd64/2006.0, gcc-3.4.6, glibc-2.3.5-r2, 2.6.16-gentoo-r1 x86_64)
=================================================================
System uname: 2.6.16-gentoo-r1 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 3800+
Gentoo Base System version 1.6.14
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.3 [enabled]
dev-lang/python: 2.4.2
sys-apps/sandbox: 1.2.12
sys-devel/autoconf: 2.13, 2.59-r7
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils: 2.16.1
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe -fomit-frame-pointer -msse3 -ffast-math"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/eselect/compiler /etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=k8 -O2 -pipe -fomit-frame-pointer -msse3 -ffast-math"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks sandbox sfperms strict"
GENTOO_MIRRORS="ftp://ftp.ecc.u-tokyo.ac.jp/GENTOO http://gentoo.gg3.net/ ftp://gg3.net/pub/linux/gentoo/"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp/portage"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="amd64 acpi apache2 bzip2 cli crypt ctype dba dbx dri expat fam fastbuild force-cgi-redirect fortran ftp gd glibc-omitfp gmp idn isdnlog ithreads lm_sensors logrotate memlimit mhash mysql mysqli ncurses nls nptl nptlonly pam pcre perl php posix pppd python readline samba session sharedext simplexml snmp soap sockets spl sqlite ssl symlink tcpd threads tokenizer udev unicode userlocales verbose xinetd xml xml2 xmlrpc xsl zlib userland_GNU kernel_linux elibc_glibc"
Unset: ASFLAGS, CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS
Reopen to dupe...
*** This bug has been marked as a duplicate of 109167 ***
Created attachment 83963 media-video/darwin-streaming-server-5.5.1.ebuild
DSS 5.5.1 ebuild with corrections requested above.
Created attachment 83964 rss-admin.rc
DSS remote streaming server admin initscript
Created attachment 83967 rss.rc
Darwin streaming server initscript
Created attachment 83968 darwin-streaming-server-5.5.1-gentoo.patch
patch to change hardcoded DSS configuration paths to more sensible locations
'k, let's do it the other way round...
*** Bug 109167 has been marked as a duplicate of this bug. ***
Hello! Should I manually move rss*.rc's into /etc/init.d? Is there a reason why the ebuild doesn't do it? ( and why are they called rss rather than dss? and why the .rc extension? ) ( I'm not complaining, just wondering ) Thanks!
is this going into portage?
the Test phase stops with some errors on an AMD64 box...

>> Source compiled.
>>> Test phase [not enabled]: media-video/darwin-streaming-server-5.5.1
>>> Install darwin-streaming-server-5.5.1 into /var/tmp/portage/darwin-streaming-server-5.5.1/image/ category media-video
!!! dosbin: DarwinStreamingServer does not exist
!!! dobin: PlaylistBroadcaster.tproj/PlaylistBroadcaster does not exist
!!! dobin: MP3Broadcaster/MP3Broadcaster does not exist
!!! dobin: qtpasswd.tproj/qtpasswd does not exist
!!! dobin: StreamingProxy.tproj/StreamingProxy does not exist
!!! ERROR: media-video/darwin-streaming-server-5.5.1 failed.
Call stack:
 ebuild.sh, line 1539: Called dyn_install
 ebuild.sh, line 1013: Called src_install
 darwin-streaming-server-5.5.1.ebuild, line 59: Called die
!!! failure!
!!! If you need support, post the topmost build error, and the call stack if relevant.
!!! This ebuild is from an overlay: '/usr/local/portage'

--------------------------
Any ideas ?
--------------------------

2wd darwin-streaming-server # emerge --info
Portage 2.1-r1 (default-linux/amd64/2005.1, gcc-3.4.4, glibc-2.3.5-r2, 2.6.14.2 x86_64)
=================================================================
System uname: 2.6.14.2 x86_64 AMD Athlon(tm) 64 Processor 3400+
Gentoo Base System version 1.6.13
app-admin/eselect-compiler: [Not Present]
dev-lang/python: 2.3.5-r2, 2.4.2
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: [Not Present]
dev-util/confcache: [Not Present]
sys-apps/sandbox: 1.2.11
sys-devel/autoconf: 2.13, 2.59-r7
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils: 2.16.1
sys-devel/gcc-config: 1.3.12-r4
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -pipe -O2"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/qmail/alias /var/qmail/control /var/vpopmail/domains /var/vpopmail/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/terminfo"
CXXFLAGS="-march=k8 -pipe -O2"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="http://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="amd64 alsa apache2 avi bash-completion berkdb bitmap-fonts clearpasswd cli crypt dlloader dri eds emboss encode foomaticdb fortran gd gd-external gif gnome gpm gstreamer gtk gtk2 imap imlib isdnlog jpeg kde lzw lzw-tiff maildir mp3 mpeg mysql ncurses nls notlsbeforeauth opengl pam pcre pdflib perl perlsuid png pppd python qmail qt qt3 qt4 quicktime readline reflection sdl session spamassassin spell spl ssl tcpd tiff truetype truetype-fonts type1-fonts usb vhosts xorg xpm xv zlib elibc_glibc input_devices_keyboard input_devices_mouse input_devices_evdev kernel_linux userland_GNU"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS
Created attachment 122961 darwin-streaming-server 5.5.5

Hi folks, I've packed up the latest DSS 5.5.5 and included a patch to compile on amd64/x86_64 using gcc-4.1.1 (at least for me)

Have fun, Stephan
Hm, sorry but found out later that the server segfaults on amd64 (and someone mentioned some problems on ppc64)… Anyway no problems on x86
Created attachment 125019 tweaked ebuild for use with ppc64 w/ 32bit userland
Created attachment 125021 patch to build scripts that convinces ppc64 to build as i686
Created attachment 155645 Ebuilds for darwin-streaming-server-6.0.3 and darwing-streaming-server-bin-5.5.5
I tried the darwin-streaming-server-6.0.3 ebuild on amd64. It installs fine, but when I go to http://localhost:1220, it doesn't accept the qtss user I created. The page simply reloads. In /var/log/dss/Error.log I have:

2008-08-18 20:45:04: WARNING: No users file found at /etc/dss/qtusers.
2008-08-18 20:45:04: WARNING: No groups file found at /etc/dss/qtgroups.

However I do have these:

# cat /etc/dss/qtgroups
admin:qtss
# cat /etc/dss/qtusers
realm Streaming Server
qtss:f9K6uAQOp1GCg:87b2bcb6e28770b33b5cf58c5bcb5c5c
(In reply to comment #38) Check to make sure that the user running dss/dss-admin has permissions to read those files.
Great Ebuilds! Thanks! I do have some questions however regarding permissions.

As noted earlier, by default the qtusers and qtgroups files are not accessible by the process (I have started the server with the provided init script). Also for initial configuration I tried starting the web GUI manually as root (as I was somehow missing the dss-admin init script). I tried setting a broadcast user and was presented with a success message but the user files in question remained unchanged. I suppose the qtpasswd application is executed with insufficient privileges as well in this case.

I ended up configuring the server manually, which has worked fine. As I use this install for testing only I had no headaches setting world read flags on those files. (Note to myself: qtpasswd usage will reset the permissions to the original flags)

Probably related to these issues is also that the process has no write permissions to the default movie directory. The server is required to write .sdp files upon a RTSP ANNOUNCE request from clients to the specified location. Again as I use this for testing only I changed the movie folder to /tmp.

I think the process owner is 'nobody'. Are there any additional steps that are recommended to perform to resolve this issue in a decent manner? Or are users meant to fix these issues themselves? If the user is meant to create a new user for running the service we should mention such in the ebuild and perhaps provide instruction for the required steps.
(In reply to comment #40)
> I think the process owner is 'nobody'. Are there any additional steps that are
> recommended to perform to resolve this issue in a decent manner? Or are users
> meant to fix these issues themselves? If the user is meant to create a new user
> for running the service we should mention such in the ebuild and perhaps
> provide instruction for the required steps.

The admin webgui isn't working. Also the init.d script for the admin-pl is missing. I installed the init.d script from the bin release. This started the webgui, but the gui can't access and write anything. Any troubleshooting here?
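The permission check suggested in the replies above (can the account running dss/dss-admin read /etc/dss/qtusers and /etc/dss/qtgroups, and write the directory it needs), written out as an added example that is not part of the original thread or the ebuilds. The function names are hypothetical, only mode bits are evaluated (no ACLs, no search permission on parent directories), and the `nobody` account and paths in the usage comment are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not part of the ebuild: check DSS file modes against the
# account the server runs as. Function names are hypothetical. Only mode bits
# are evaluated; ACLs and search permission on parent directories are not.

# triplet_for MODE FILE_UID FILE_GID USER_UID "USER_GIDS"
# Prints the rwx triplet of an `ls -l` mode string that applies to the user.
triplet_for() {
    t_cols=8-10                                  # default: "other" bits
    if [ "$4" = 0 ]; then echo rwx; return 0; fi # uid 0 bypasses r/w checks
    if [ "$4" = "$2" ]; then
        t_cols=2-4                               # user owns the file
    else
        for t_g in $5; do
            if [ "$t_g" = "$3" ]; then t_cols=5-7; fi   # user is in the group
        done
    fi
    # s and t mean "x plus setuid/setgid/sticky": fold them to x
    printf '%s\n' "$1" | cut -c"$t_cols" | tr st xx
}

# can_access USER PATH r|w|x
# Returns 0 if granted, 1 if denied, 2 if the user or path cannot be looked up.
can_access() {
    a_uid=$(id -u "$1" 2>/dev/null) || return 2
    a_gids=$(id -G "$1" 2>/dev/null) || return 2
    # ls -ldn fields: 1 = mode string, 3 = numeric uid, 4 = numeric gid
    a_info=$(ls -ldn -- "$2" 2>/dev/null | awk '{print $1, $3, $4}')
    if [ -z "$a_info" ]; then return 2; fi
    set -- "$3" $a_info
    case $(triplet_for "$2" "$3" "$4" "$a_uid" "$a_gids") in
        *"$1"*) return 0 ;;
        *) return 1 ;;
    esac
}

# other_can_read PATH: returns 0 if every local account may read the file.
other_can_read() {
    o_mode=$(ls -ldn -- "$1" 2>/dev/null | awk '{print $1}')
    case $(printf '%s\n' "$o_mode" | cut -c8) in
        r) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_dss USER CONF_DIR WRITABLE_DIR: prints findings, returns their count.
audit_dss() {
    d_n=0
    for d_f in "$2/qtusers" "$2/qtgroups"; do
        if ! can_access "$1" "$d_f" r; then
            echo "FAIL $d_f: not readable by $1"; d_n=$((d_n + 1))
        fi
    done
    if other_can_read "$2/qtusers"; then
        echo "WARN $2/qtusers: password hashes readable by all accounts"
        d_n=$((d_n + 1))
    fi
    if ! can_access "$1" "$3" w; then
        echo "FAIL $3: not writable by $1"; d_n=$((d_n + 1))
    fi
    return "$d_n"
}

# Usage with the account and paths quoted in the thread:
#   audit_dss nobody /etc/dss /var/lib/dss/media/playlists
```

A clean result is exit status 0 with no output; the WARN line covers the world-read workaround mentioned above, which exposes the qtusers hashes to every local account.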
It's been 3 years, can we please get the few moments of time necessary for a proxy maintainer to check this stuff out and get it into ~x86 at least?
(this is an automated message based on filtering criteria that matched this bug)

'EBUILD' is in the KEYWORDS which should mean that there is an ebuild attached to this bug. This bug is assigned to maintainer-wanted which means that it is not in the main tree.

Hello, The Gentoo Team would like to firstly thank you for your ebuild submission. We also apologize for not being able to accommodate you in a timely manner. There are simply too many new packages.

Allow me to use this opportunity to introduce you to Gentoo Sunrise. The sunrise overlay[1] is an overlay for Gentoo which we allow trusted users to commit to and all users can have ebuilds reviewed by Gentoo devs for entry into the overlay. So, the sunrise team is suggesting that you look into this and submit your ebuild to the overlay where even *you* can commit to. =)

Because this is a mass message, we are also asking you to be patient with us. We anticipate a large number of requests in a short time.

Thanks,
On behalf of the Gentoo Sunrise Team,
Jeremy.

[1]: http://www.gentoo.org/proj/en/sunrise/
[2]: http://overlays.gentoo.org/proj/sunrise/wiki/SunriseFaq