Debian Bug report logs - #616673
rhythmbox-plugins: CVE-2012-3355 Plugin "context" contains hardcoded path to /tmp/context/
Report forwarded to debian-bugs-dist@lists.debian.org, Loic Minier <lool@dooz.org>: Bug#616673; Package rhythmbox-plugins. (Sun, 06 Mar 2011 14:06:08 GMT)
Acknowledgement sent to Hans Spaans <hans.spaans@nexit.nl>: New Bug report received and forwarded. Copy sent to Loic Minier <lool@dooz.org>. (Sun, 06 Mar 2011 14:06:08 GMT)
Message #5 received at submit@bugs.debian.org:
Package: rhythmbox-plugins
Version: 0.13.3-2
Severity: normal
The following files contain a hardcoded path to "/tmp/context/".
/usr/lib/rhythmbox/plugins/context/AlbumTab.py
/usr/lib/rhythmbox/plugins/context/ArtistTab.py
/usr/lib/rhythmbox/plugins/context/LinksTab.py
/usr/lib/rhythmbox/plugins/context/LyricsTab.py
This also makes it unclear if multi-user support is possible. Please
make the package obey at least $TMPDIR set by the libpam-tmpdir
package for example and/or make the directory dependent on the
username.
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (900, 'testing'), (100, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=nl_NL.utf8, LC_CTYPE=nl_NL.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#616673; Package rhythmbox-plugins. (Fri, 22 Jun 2012 19:18:03 GMT)
Acknowledgement sent to 616673@bugs.debian.org: Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Fri, 22 Jun 2012 19:18:03 GMT)
Message #10 received at 616673@bugs.debian.org:
tag 616673 security
severity 616673 grave
thanks
On Sunday, 06 March 2011 at 14:58 +0100, Hans Spaans wrote:
> The following files contain a hardcoded path to "/tmp/context/".
>
> /usr/lib/rhythmbox/plugins/context/AlbumTab.py
> /usr/lib/rhythmbox/plugins/context/ArtistTab.py
> /usr/lib/rhythmbox/plugins/context/LinksTab.py
> /usr/lib/rhythmbox/plugins/context/LyricsTab.py
Sorry for not replying earlier.
This terrible newbie mistake is probably a local privilege escalation
vulnerability.
Squeeze is affected.
--
Josselin Mouette
Added tag(s) security. Request was from Josselin Mouette <joss@debian.org> to control@bugs.debian.org. (Fri, 22 Jun 2012 19:18:06 GMT)
Severity set to 'grave' from 'normal'. Request was from Josselin Mouette <joss@debian.org> to control@bugs.debian.org. (Fri, 22 Jun 2012 19:18:06 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#616673; Package rhythmbox-plugins. (Mon, 25 Jun 2012 17:15:03 GMT)
Acknowledgement sent to Josselin Mouette <joss@debian.org>: Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Mon, 25 Jun 2012 17:15:03 GMT)
Message #21 received at 616673@bugs.debian.org:
On Friday, 22 June 2012 at 21:16 +0200, Josselin Mouette wrote:
> Sorry for not replying earlier.
> This terrible newbie mistake is probably a local privilege escalation
> vulnerability.
>
> Squeeze is affected.
This is CVE-2012-3355.
--
Josselin Mouette
Changed Bug title to 'CVE-2012-3355: Plugin "context" contains hardcoded path to /tmp/context/' from 'rhythmbox-plugins: Plugin "context" contains hardcoded path to /tmp/context/'. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Mon, 25 Jun 2012 21:07:18 GMT)
Changed Bug title to 'rhythmbox-plugins: CVE-2012-3355 Plugin "context" contains hardcoded path to /tmp/context/' from 'CVE-2012-3355: Plugin "context" contains hardcoded path to /tmp/context/'. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Mon, 25 Jun 2012 21:39:09 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#616673; Package rhythmbox-plugins. (Thu, 05 Jul 2012 15:27:05 GMT)
Acknowledgement sent to Andreas Henriksson <andreas@fatal.se>: Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Thu, 05 Jul 2012 15:27:06 GMT)
Message #30 received at 616673@bugs.debian.org:
tags 616673 + patch
thanks
see upstream bug report for the actual patch.
--
Andreas Henriksson
Added tag(s) patch. Request was from Andreas Henriksson <andreas@fatal.se> to control@bugs.debian.org. (Thu, 05 Jul 2012 15:27:20 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#616673; Package rhythmbox-plugins. (Tue, 24 Jul 2012 19:00:03 GMT)
Acknowledgement sent to Henri Salo <henri@nerv.fi>: Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Tue, 24 Jul 2012 19:00:03 GMT)
Message #37 received at 616673@bugs.debian.org:
Hello,
Upstream bug-report <https://bugzilla.gnome.org/show_bug.cgi?id=678661> now says status resolved. What is status of this in Debian?
- Henri Salo
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#616673; Package rhythmbox-plugins. (Sat, 28 Jul 2012 02:00:03 GMT)
Acknowledgement sent to Scott Kitterman <debian@kitterman.com>: Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Sat, 28 Jul 2012 02:00:03 GMT)
Message #42 received at 616673@bugs.debian.org:
Since this is a security fix that's been sitting around for a bit, I'm going to
go ahead and upload the attached NMU diff. There are two possible patches
available to resolve this issue. The initial one done by Ubuntu and the
upstream one. Since the upstream patch also had some functional changes, the
NMU is based on the Ubuntu patch (both resolved the security issue) to keep
the changes to the minimum.
For the maintainers, of course I'm glad to have you do it the other way if you
prefer, but I think it's better to at least get a security fix in the archive
than not.
Scott K
[rhythmbox.debdiff (text/x-patch, attachment)]
Reply sent to Scott Kitterman <scott@kitterman.com>: You have taken responsibility. (Sat, 28 Jul 2012 02:51:03 GMT)
Notification sent to Hans Spaans <hans.spaans@nexit.nl>: Bug acknowledged by developer. (Sat, 28 Jul 2012 02:51:03 GMT)
Message #47 received at 616673-close@bugs.debian.org:
Source: rhythmbox
Source-Version: 2.97-2.1
We believe that the bug you reported is fixed in the latest version of
rhythmbox, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 616673@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Scott Kitterman <scott@kitterman.com> (supplier of updated rhythmbox package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Fri, 27 Jul 2012 16:41:52 -0400
Source: rhythmbox
Binary: rhythmbox rhythmbox-data rhythmbox-dbg rhythmbox-plugins rhythmbox-plugin-cdrecorder librhythmbox-core6 rhythmbox-dev rhythmbox-doc gir1.2-rb-3.0
Architecture: source all i386
Version: 2.97-2.1
Distribution: unstable
Urgency: high
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Scott Kitterman <scott@kitterman.com>
Description:
gir1.2-rb-3.0 - GObject introspection data for the rhythmbox music player
librhythmbox-core6 - support library for the rhythmbox music player
rhythmbox - music player and organizer for GNOME
rhythmbox-data - data files for rhythmbox
rhythmbox-dbg - debugging symbols for rhythmbox
rhythmbox-dev - development files for the rhythmbox music player
rhythmbox-doc - documentation files for the rhythmbox music player
rhythmbox-plugin-cdrecorder - burning plugin for rhythmbox music player
rhythmbox-plugins - plugins for rhythmbox music player
Closes: 616673
Changes:
rhythmbox (2.97-2.1) unstable; urgency=high
.
* Non-maintainer upload.
* Urgency high for security fix
* fix insecure directory for python module import in context plugin
(Closes: #616673)
- debian/patches/CVE-2012-3355.patch: update context plugin to use
tempfile.mkdtemp() instead of /tmp/context. Patch thanks to Andreas
Henriksson (used the Ubuntu security fix instead of the upstream commit
because the upstream commit was a mix of functional changes and a
security fix)
- CVE-2012-3355
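As an added example (not code from rhythmbox, the Ubuntu patch or the Debian NMU; function names are hypothetical), the fixed-path pattern the report describes beside the tempfile.mkdtemp() approach the changelog names, plus a small ownership/mode audit a defender can run on any directory a program is about to trust:

```python
import os
import stat
import tempfile

# Added example, not the rhythmbox plugin's own code; function names are hypothetical.

def context_dir_insecure():
    """The pattern reported in #616673: a fixed, world-known path under /tmp.
    makedirs() adopts a directory another local user created first, so that
    user controls what the plugin later writes, reads or imports from it.
    Kept for contrast only; the tests do not call it."""
    path = "/tmp/context"
    os.makedirs(path, exist_ok=True)
    return path

def context_dir_secure(prefix="rb-context-"):
    """What the CVE-2012-3355 fix does: mkdtemp() gives an unpredictable
    name, mode 0700, owned by us, and fails instead of reusing an existing
    directory. It honours $TMPDIR (e.g. a per-user one from libpam-tmpdir)."""
    return tempfile.mkdtemp(prefix=prefix)

def is_under_tmpdir(path):
    """True when `path` is below the directory tempfile picks ($TMPDIR if set)."""
    base = os.path.realpath(tempfile.gettempdir())
    return os.path.realpath(path).startswith(base + os.sep)

def audit_dir(path):
    """Defender-side check before trusting a directory: the reasons it is
    unsafe as a private working directory for this user, [] if it looks fine."""
    problems = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["does not exist"]
    if stat.S_ISLNK(st.st_mode):
        problems.append("is a symlink")
    elif not stat.S_ISDIR(st.st_mode):
        problems.append("is not a directory")
    if st.st_uid != os.getuid():
        problems.append("owned by uid %d, not us" % st.st_uid)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("accessible to group/others (mode %o)" % stat.S_IMODE(st.st_mode))
    return problems

def make_shared_dir(base):
    """Constructed sample: a /tmp-style sticky, world-writable directory."""
    path = os.path.join(base, "shared")
    os.mkdir(path)
    os.chmod(path, 0o1777)
    return path
```

Running audit_dir() on a mkdtemp() directory returns an empty list, while the constructed 1777 directory is flagged as accessible to other users, which is exactly the property that made /tmp/context unsafe to import from.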
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 27 Aug 2012 07:27:50 GMT)
Bug unarchived. Request was from jmw@debian.org to control@bugs.debian.org. (Thu, 17 Jan 2013 12:00:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#616673; Package rhythmbox-plugins. (Fri, 18 Jan 2013 12:36:03 GMT)
Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>: Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Fri, 18 Jan 2013 12:36:03 GMT)
Message #56 received at 616673@bugs.debian.org:
Package: rhythmbox-plugins
Dear maintainer,
Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:
squeeze (6.0.7) - use target "stable"
Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.
I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.
For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].
0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/616673/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc
Thanks,
with his security hat on:
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 16 Feb 2013 07:28:02 GMT)
Last modified: Wed Jun 19 13:54:07 2019