[Pkg-kde-extras] Bug#763423: there *is* a way to turn it off

[Mark Eichin]

Got email from the upstream author who pointed out (and I just
confirmed) that once you've started, hit *Settings, *Configure
KPhotoAlbum, under the General Tab, Miscellaneous section, you can
uncheck *Listen for Android devices on startup.

I believe that for Debian this should certainly default to unchecked.

___
pkg-kde-extras mailing list
pkg-kde-extras@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-kde-extras

[Pkg-kde-extras] Bug#763423: there *is* a way to turn it off

[Mark Eichin]

Since this gets written out to ~/.kde/share/config/kphotoalbumrc under
[General] as listenForAndroidDevicesOnStartup=false, it might be
possible for the Debian-specific patch to install something in the
existing global config in /usr/share/kde4/config/kphotoalbumrc though
that uses different stanzas and I don't know what the exact change there
should be (if I did, I'd have supplied a diff :-)

___
pkg-kde-extras mailing list
pkg-kde-extras@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-kde-extras

[Pkg-kde-extras] Bug#763423: kphotoalbum: Android support is great - but it has *no security*

[Mark Eichin]

Package: kphotoalbum
Version: 4.5-1
Severity: normal

Just got the popup about trying the Android app, which acts as a remote
for the client, and I tried it and it worked... with *no access control*
or even a popup...

lsof confirms that kphotoalbum is just listening on a port:

kphotoalb 29586 eichin   25u  IPv41687321  0t0  UDP *:23455 

https://www.youtube.com/watch?v=TxtD7BG61Ro at +9m10s describes how to
turn it off, and there's a tiny button on the bottom of the screen to
turn it off.

I couldn't find a specific reference in the policy guide asserting that
things like this should be closed-by-default, but it just seems
obvious...

main.cpp has
options.add(nolisten-network, ki18n( Don't start listening for android 
devices on startup. ));

which is backwards - and looking a little bit more (and experimenting)
confirms that it doesn't *stay* off, it doesn't save the user's choice
to the config file.

Probably should be a higher severity than normal but I haven't
explored quite far enough to confirm that there really is no way to
cleanly leave it off.  It's a very nice feature, it's just not in any
way safe to have turned on by default...


-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages kphotoalbum depends on:
ii  kde-runtime4:4.14.1-1
ii  libc6  2.19-11
ii  libexiv2-130.24-4
ii  libgcc11:4.9.1-15
ii  libjpeg8   8d1-1
ii  libkdcraw234:4.14.0-1
ii  libkdecore54:4.14.1-1
ii  libkdeui5  4:4.14.1-1
ii  libkio54:4.14.1-1
ii  libkipi11  4:4.13.3-1
ii  libphonon4 4:4.8.0-1
ii  libqt4-dbus4:4.8.6+git64-g5dc8b2b+dfsg-2
ii  libqt4-network 4:4.8.6+git64-g5dc8b2b+dfsg-2
ii  libqt4-sql 4:4.8.6+git64-g5dc8b2b+dfsg-2
ii  libqt4-sql-sqlite  4:4.8.6+git64-g5dc8b2b+dfsg-2
ii  libqt4-xml 4:4.8.6+git64-g5dc8b2b+dfsg-2
ii  libqtcore4 4:4.8.6+git64-g5dc8b2b+dfsg-2
ii  libqtgui4  4:4.8.6+git64-g5dc8b2b+dfsg-2
ii  libstdc++6 4.9.1-15
ii  mplayer2   2.0-728-g2c378c7-2+b2
ii  perl   5.20.1-1
ii  phonon 4:4.8.0-1

Versions of packages kphotoalbum recommends:
pn  khelpcenter4  none
ii  kipi-plugins  4:4.1.0-1+b2
ii  libav-tools   6:11-1

kphotoalbum suggests no packages.

-- no debconf information

___
pkg-kde-extras mailing list
pkg-kde-extras@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-kde-extras