Bug #11944
Gobby in Stretch generates UDP:137 broadcasts on the LAN
100%
Description
Note: UDP on port 137 is “NETBIOS Name Service”.
These tests:
cucumber features/tor_stream_isolation.feature:33 # Scenario: Gobby is using the default SocksPort
cucumber features/tor_stream_isolation.feature:52 # Scenario: Explicitly torify-wrapped applications are using the default SocksPort
cucumber features/tor_stream_isolation.feature:59 # Scenario: Explicitly torsocks-wrapped applications are using the default SocksPort
fail with something like this:
Unexpected connections were made:
#<OpenStruct mac_saddr="50:54:00:34:0d:63", mac_daddr="ff:ff:ff:ff:ff:ff", protocol="udp", saddr="10.2.1.103", daddr="10.2.1.255", sport=33601, dport=137>
#<OpenStruct mac_saddr="50:54:00:34:0d:63", mac_daddr="ff:ff:ff:ff:ff:ff", protocol="udp", saddr="10.2.1.103", daddr="10.2.1.255", sport=37802, dport=137>
#<OpenStruct mac_saddr="50:54:00:34:0d:63", mac_daddr="ff:ff:ff:ff:ff:ff", protocol="udp", saddr="10.2.1.103", daddr="10.2.1.255", sport=36172, dport=137>
#<OpenStruct mac_saddr="50:54:00:34:0d:63", mac_daddr="ff:ff:ff:ff:ff:ff", protocol="udp", saddr="10.2.1.103", daddr="10.2.1.255", sport=42208, dport=137>
#<OpenStruct mac_saddr="50:54:00:34:0d:63", mac_daddr="ff:ff:ff:ff:ff:ff", protocol="udp", saddr="10.2.1.103", daddr="10.2.1.255", sport=46939, dport=137>
#<OpenStruct mac_saddr="50:54:00:34:0d:63", mac_daddr="ff:ff:ff:ff:ff:ff", protocol="udp", saddr="10.2.1.103", daddr="10.2.1.255", sport=54338, dport=137>.
[...]
History
#1 Updated by intrigeri 2017-01-02 18:29:14
- Status changed from Confirmed to In Progress
- % Done changed from 0 to 10
- Type of work changed from Research to Code
Jessie has gobby 0.5.0-4, Stretch has 0.5.0-8. I see nothing in its debian/changelog that could explain this. Its backend libraries (libinfinity-0.6-0 and libinfgtk3-0.6-0) have only been rebuilt without any source change. libavahi-client3 and libavahi-common3 were upgraded (0.6.31-5 to 0.6.32-1) though. I guess that’s where the change comes from.
This is about https://en.wikipedia.org/wiki/NetBIOS#Name_service, which allows registering and looking up names on a LAN. Best case, it gives a very nice UX for service discovery on the LAN (in this case: connecting to a local Gobby server), which can be super cool for teams working from a single location. Worst case, it leaks things like the hostname on the LAN. We’ve never made any serious attempt at supporting zeroconf and friends, so for now I’m going to explicitly drop datagrams sent to UDP:137 on the LAN. The only practical problem it might cause is making discovery of some network printers harder. Whatever, that’s not worth the risk of announcing our hostname, or worse.
#2 Updated by intrigeri 2017-01-02 19:15:14
- Status changed from In Progress to Resolved
- % Done changed from 10 to 100
Applied in changeset commit:b1099c14bdac572b85f96e474579301aa81061e4.
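
An added example, not code from this ticket or from the Tails test suite: a Ruby check that picks NetBIOS Name Service broadcasts out of captured connection records shaped like the failure output above and summarises them per source host. The function names, the `10.2.1.0/24` LAN prefix and the two non-NBNS sample records are assumptions made for the illustration.

```ruby
require 'ostruct'
require 'ipaddr'

NBNS_PORT = 137                          # NetBIOS Name Service (UDP)
ETHER_BROADCAST = 'ff:ff:ff:ff:ff:ff'

# True when daddr is the limited broadcast address or the directed broadcast
# address of the given LAN (10.2.1.255 for the assumed 10.2.1.0/24).
def broadcast_addr?(daddr, lan_cidr)
  lan = IPAddr.new(lan_cidr)
  daddr == '255.255.255.255' || IPAddr.new(daddr) == lan.to_range.last
end

# Returns the records that are NBNS datagrams broadcast on the LAN.
# Unicast UDP:137 and unrelated traffic are left out.
def nbns_broadcasts(records, lan_cidr)
  records.select do |r|
    r.protocol == 'udp' && r.dport == NBNS_PORT &&
      (r.mac_daddr.downcase == ETHER_BROADCAST || broadcast_addr?(r.daddr, lan_cidr))
  end
end

# Groups the leaking datagrams by source host so each sender is reported once.
def leak_summary(records, lan_cidr)
  nbns_broadcasts(records, lan_cidr)
    .group_by { |r| [r.mac_saddr, r.saddr] }
    .map { |(mac, ip), pkts| { mac: mac, ip: ip, count: pkts.size, sports: pkts.map(&:sport).sort } }
end

# Sample records: the first two copy the failure output, the last two are
# constructed (a TCP connection and a unicast UDP:137 datagram).
SAMPLE = [
  OpenStruct.new(mac_saddr: '50:54:00:34:0d:63', mac_daddr: 'ff:ff:ff:ff:ff:ff', protocol: 'udp', saddr: '10.2.1.103', daddr: '10.2.1.255', sport: 37802, dport: 137),
  OpenStruct.new(mac_saddr: '50:54:00:34:0d:63', mac_daddr: 'ff:ff:ff:ff:ff:ff', protocol: 'udp', saddr: '10.2.1.103', daddr: '10.2.1.255', sport: 33601, dport: 137),
  OpenStruct.new(mac_saddr: '50:54:00:34:0d:63', mac_daddr: '52:54:00:aa:bb:cc', protocol: 'tcp', saddr: '10.2.1.103', daddr: '203.0.113.7', sport: 40000, dport: 443),
  OpenStruct.new(mac_saddr: '50:54:00:34:0d:63', mac_daddr: '52:54:00:aa:bb:cc', protocol: 'udp', saddr: '10.2.1.103', daddr: '10.2.1.1', sport: 40001, dport: 137)
].freeze

puts leak_summary(SAMPLE, '10.2.1.0/24').inspect if __FILE__ == $PROGRAM_NAME
```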