Bug 79847 - Impress listens to the world by default
Status: RESOLVED FIXED
Alias: None
Product: Impress Remote
Classification: Unclassified
Component: General
Version (earliest affected): unspecified
Hardware: All All
Importance: medium normal
Assignee: Not Assigned
Reported: 2014-06-09 18:21 UTC by Rene Engelhard
Modified: 2015-02-13 19:17 UTC

Description Rene Engelhard 2014-06-09 18:21:57 UTC
See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749770:

--- snip ---
Package: libreoffice-impress
Version: 1:4.2.4-3
Severity: normal
Tags: upstream

Hello,

the Impress Remote (see e.g.
https://f-droid.org/repository/browse/?fdid=org.libreoffice.impressremote) is
enabled by default, making LibreOffice listen to the world. Additionally, this
feature is difficult to turn off (Impress must be started to get into Options,
meaning you can't disable socket binding without actually binding).

How to reproduce:

 1. Start Impress
 2. Observe 'netstat -tulpn | grep office' or telnet localhost 1599

tcp        0      0 0.0.0.0:1599            0.0.0.0:*               LISTEN      6513/soffice.bin
udp        0      0 0.0.0.0:1598            0.0.0.0:*                           6513/soffice.bin


How to turn off:

 1. Start Impress. This unfortunately enables the listening immediately.
 2. Tools -> Options -> Impress -> General -> [ ] Enable remote control

I think (at least desktop) applications shouldn't accept connections from the
internet by default.
--- snip ---

While it actually is easily disableable (although it definitely listens until
you do so), I *do* think he has a point. It shouldn't listen per default.

Maybe we should get a config/UI option for avahi?
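
Added example (not part of the original report and not LibreOffice code): the netstat check from the reproduction steps as a reusable filter that reports only sockets bound to a wildcard address, so loopback-only listeners are not flagged. The function names `sample_netstat` and `wildcard_listeners` are hypothetical; the sample rows are constructed, with the first two mirroring the output quoted in the report and the `cupsd` and `exampled` rows invented for contrast.

```shell
#!/bin/sh
# Constructed sample in `netstat -tulpn` format. The soffice.bin rows mirror the
# report; the cupsd and exampled rows are invented for contrast.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:1599            0.0.0.0:*               LISTEN      6513/soffice.bin
udp        0      0 0.0.0.0:1598            0.0.0.0:*                           6513/soffice.bin
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      812/cupsd
tcp6       0      0 :::8080                 :::*                    LISTEN      900/exampled
tcp6       0      0 ::1:631                 :::*                    LISTEN      812/cupsd
EOF
}

# Reads `netstat -tulpn` text on stdin and prints "proto port program" for every
# socket whose local address is a wildcard (0.0.0.0, :: or *).
# Optional $1: only report programs whose name contains this string.
wildcard_listeners() {
    awk -v want="${1:-}" '
        $1 !~ /^(tcp|udp)6?$/ { next }            # skip header lines
        {
            n = match($4, /:[0-9]+$/)             # port follows the LAST colon (IPv6-safe)
            if (n == 0) next
            host = substr($4, 1, n - 1)
            port = substr($4, n + 1)
            # UDP rows have no State column, so the program is the last field, not $7.
            prog = $NF
            sub(/^[0-9]+\//, "", prog)            # drop the "PID/" prefix
            if (host != "0.0.0.0" && host != "::" && host != "*") next
            if (want != "" && index(prog, want) == 0) next
            print $1, port, prog
        }'
}

# Run against the constructed sample; on a live system use:
#   netstat -tulpn 2>/dev/null | wildcard_listeners soffice
sample_netstat | wildcard_listeners soffice
```

An empty result for `soffice` after unticking "Enable remote control" and restarting Impress confirms the listener is gone.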
Comment 1 Rene Engelhard 2014-06-09 18:40:39 UTC
fwiw, this happens when you enable avahi (--enable-avahi):

rene@frodo:~/LibreOffice/master/core/sd/source/ui/remotecontrol$ grep -r 159 *
AvahiNetworkService.cxx:            avahiService->getName().c_str(), kREG_TYPE, NULL, NULL, 1599, "local", r, NULL
AvahiNetworkService.hxx:        AvahiNetworkService(const std::string& aname = "", unsigned int aport = 1599)
mDNSResponder/DebugServices.c:        CaseErrorStringifyHardCode( -103159, kXMLBadDataErr );
OSXNetworkService.hxx:        OSXNetworkService(const std::string& aname = "", unsigned int aport = 1599)
OSXNetworkService.mm:    netService = [[NSNetService alloc] initWithDomain:@"local" type:@"_impressremote._tcp" name:sName port:1599];
WINNetworkService.cxx:    DNSServiceErrorType err = DNSServiceRegister(&client, 0, 0, NULL, kREG_TYPE, "local", NULL, 1599, 1, "", NULL, this );
WINNetworkService.hxx:        WINNetworkService(const std::string& aname = "", unsigned int aport = 1599)
ZeroconfService.hxx:#define PORT_DISCOVERY 1598
Comment 2 Jean-Baptiste Faure 2014-08-06 07:12:44 UTC
Indeed.
I think Impress should ask for permission to enable remote control when the user launches a slideshow.
I am not so far to consider that as a security issue.

Best regards. JBF
Comment 3 Rene Engelhard 2014-10-07 11:53:53 UTC
That said, it doesn't seem to be avahi related at all; even in TCP mode it does that afaics with my 4.3.2-1, which has avahi disabled.
Comment 5 Robinson Tryon (qubit) 2015-02-13 19:17:32 UTC
Moving bug to (new) 'Impress Remote' product.