
Ubuntu have or had an effort, sometimes described as No Open Ports for the default install.

Exemptions are made for the DHCP client (otherwise you break networking for everyone), and for Avahi. Of the officially published reasons for Avahi, the most "compelling" one is the last: "[discover] a ZeroConf printer". To maintain a high level of security, Ubuntu performed an audit of Avahi first. https://wiki.ubuntu.com/ZeroConfPolicySpec

(Relatedly, avahi-daemon defaults to running in a chroot jail).

Debian have no such effort. Installing Debian 9 Desktop (or Debian 8 Desktop) pulls in minissdpd, via transmission-gtk. Has minissdpd been subject to the same level of auditing as Avahi has been?


[Update: Debian 10 Desktop no longer pulls in minissdpd. Although when I install Digikam, I notice it still pulls in minidlna, and hence runs minidlnad]

sourcejedi
  • You'd need to ask Ubuntu or Debian that specific question, I don't think you can get a clear authoritative answer here for that... – Thomas Ward May 09 '18 at 18:03
  • @ThomasWard Well, if they had already announced it in public, that would allow an authoritative answer. Yes, my assumption is they haven't. This is the chance for anyone to prove me wrong and that I can stop writing my personal firewall :) (ufw script). – sourcejedi May 09 '18 at 18:10

1 Answer


No. The minissdpd package in Debian 10.0 would not pass a security audit.

minissdpd runs as the root user. There is no containment, apart from the systemd service being defined to use PrivateTmp. There is some test code to "drop privileges", which is disabled with an #if 0 block and a TODO comment.

Note the daemon is written in C, the native language of buffer overflows.

(For the record, the approach in the test code would not be sufficient. The daemon could still try to access the filesystem. Remember that Debian defaults to making home directories readable by all users. Also, it hard-codes the nobody user. More software "dropping privileges" to become the same "nobody" user means more havoc this supposed "nobody" can wreak, and more likelihood that there is some private data it can access.)

sourcejedi
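
A check for the containment gaps the answer describes (running as root, reachable home directories, the shared "nobody" account), written as an added example that is not part of the original post and is not code from minissdpd or Debian. The unit text, the `exampled` name and the `audit_unit` function are constructed for illustration.

```python
import configparser

# Constructed sample unit (an assumption, not Debian's shipped file): its only
# containment setting is PrivateTmp, matching what the answer describes.
SAMPLE_UNIT = """\
[Unit]
Description=constructed example daemon

[Service]
ExecStart=/usr/sbin/exampled -i eth0
PrivateTmp=true
"""

# The same constructed unit with a dedicated account and filesystem limits.
HARDENED_UNIT = SAMPLE_UNIT + """\
User=exampled
ProtectHome=yes
ProtectSystem=strict
NoNewPrivileges=yes
"""

OFF = {"", "0", "no", "false", "off"}


def audit_unit(text):
    """Return containment findings for the [Service] section of a unit file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # systemd directive names are case-sensitive
    cp.read_string(text)
    svc = cp["Service"] if cp.has_section("Service") else {}

    def value(key):
        return svc.get(key, "").strip().lower()

    findings = []
    if value("DynamicUser") in OFF and value("User") in ("", "root", "0"):
        findings.append("runs as root")
    elif value("User") == "nobody":
        findings.append("shares the 'nobody' account")
    for key in ("ProtectHome", "ProtectSystem", "NoNewPrivileges"):
        if value(key) in OFF:
            findings.append(key + " not enabled")
    return findings


if __name__ == "__main__":
    for name, unit in (("sample", SAMPLE_UNIT), ("hardened", HARDENED_UNIT)):
        print(name, audit_unit(unit) or "no findings")
```

On a running system, `systemd-analyze security <unit>` reports a fuller set of exposure checks for an installed service.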