rhythmbox-plugins: CVE-2012-3355 Plugin "context" contains hardcoded path to /tmp/context/

Debian Bug report logs - #616673
rhythmbox-plugins: CVE-2012-3355 Plugin "context" contains hardcoded path to /tmp/context/

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Hans Spaans <hans.spaans@nexit.nl>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: rhythmbox-plugins: Plugin "context" contains hardcoded path to /tmp/context/

Date: Sun, 06 Mar 2011 14:58:46 +0100

Package: rhythmbox-plugins
Version: 0.13.3-2
Severity: normal

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The following files contain a hardcoded path to "/tmp/context/".

/usr/lib/rhythmbox/plugins/context/AlbumTab.py
/usr/lib/rhythmbox/plugins/context/ArtistTab.py
/usr/lib/rhythmbox/plugins/context/LinksTab.py
/usr/lib/rhythmbox/plugins/context/LyricsTab.py

This also makes it unclear if multi-user support is possible. Please
make the package obey at least $TMPDIR set by the libpam-tmpdir
package for example and/or make the directory dependend on the
username.


- -- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (900, 'testing'), (100, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=nl_NL.utf8, LC_CTYPE=nl_NL.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages rhythmbox-plugins depends on:
ii  libatk1.0-0            1.30.0-1          The ATK accessibility toolkit
ii  libc6                  2.11.2-13         Embedded GNU C Library: Shared lib
ii  libcairo2              1.10.2-4          The Cairo 2D vector graphics libra
ii  libdbus-1-3            1.4.6-1           simple interprocess messaging syst
ii  libdbus-glib-1-2       0.88-2.1          simple interprocess messaging syst
ii  libexpat1              2.0.1-7           XML parsing C library - runtime li
ii  libfontconfig1         2.8.0-2.1         generic font configuration library
ii  libfreetype6           2.4.4-1           FreeType 2 font engine, shared lib
ii  libgconf2-4            2.28.1-6          GNOME configuration database syste
ii  libglib2.0-0           2.28.1-1+b1       The GLib library of C routines
ii  libgnome-media0        2.30.0-1          runtime libraries for the GNOME me
ii  libgpod4               0.7.95-2          library to read and write songs an
ii  libgstreamer-plugins-b 0.10.30-1         GStreamer libraries from the "base
ii  libgstreamer0.10-0     0.10.30-1         Core GStreamer libraries and eleme
ii  libgtk2.0-0            2.20.1-2          The GTK+ graphical user interface 
ii  libgudev-1.0-0         166-1             GObject-based wrapper library for 
ii  libice6                2:1.0.7-1         X11 Inter-Client Exchange library
ii  libjson-glib-1.0-0     0.10.2-2          GLib JSON manipulation library
ii  liblircclient0         0.8.3-5           infra-red remote control support -
ii  libmtp8                1.0.6-1           Media Transfer Protocol (MTP) libr
ii  libmusicbrainz4c2a     2.1.5-4           Second generation incarnation of t
ii  libnotify1 [libnotify1 0.5.0-2           sends desktop notifications to a n
ii  libpango1.0-0          1.28.3-1+squeeze1 Layout and rendering of internatio
ii  libpython2.6           2.6.6-8+b1        Shared Python runtime library (ver
ii  libsm6                 2:1.2.0-1         X11 Session Management library
ii  libsoup-gnome2.4-1     2.30.2-1          an HTTP library implementation in 
ii  libsoup2.4-1           2.30.2-1          an HTTP library implementation in 
ii  libtotem-plparser17    2.32.2-1          Totem Playlist Parser library - ru
ii  libusb-0.1-4           2:0.1.12-17       userspace USB programming library
ii  libwebkit-1.0-2        1.2.7-1           Web content engine library for Gtk
ii  libxml2                2.7.8.dfsg-2      GNOME XML library
ii  python                 2.6.6-3+squeeze5  interactive high-level object-orie
ii  python-gnomekeyring    2.30.0-4+b1       Python bindings for the GNOME keyr
ii  python-mako            0.4.0-1           fast and lightweight templating fo
ii  python-support         1.0.11            automated rebuilding support for P
ii  python-webkit          1.1.8-1           WebKit/Gtk Python bindings
ii  rhythmbox              0.13.3-2          music player and organizer for GNO
ii  zeitgeist-core         0.7-1             event logging framework - engine
ii  zlib1g                 1:1.2.3.4.dfsg-3  compression library - runtime

Versions of packages rhythmbox-plugins recommends:
ii  nautilus-sendto              2.28.4-2+b1 integrates Evolution and Pidgin in

rhythmbox-plugins suggests no packages.

- -- no debconf information

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk1zkwcACgkQH3+jt5Jjusqd1ACgqrp/DRCoevaYmRMJWh7hMFJb
+WcAoLaKndoaiu3eGYY3oRcxejusC6Dg
=NDgf
-----END PGP SIGNATURE-----

Message #10 received at 616673@bugs.debian.org (full text, mbox, reply):

From: Josselin Mouette <joss@debian.org>

To: Hans Spaans <hans.spaans@nexit.nl>, 616673@bugs.debian.org

Cc: team@security.debian.org

Subject: Re: Bug#616673: rhythmbox-plugins: Plugin "context" contains hardcoded path to /tmp/context/

Date: Fri, 22 Jun 2012 21:16:22 +0200

tag 616673 security
severity 616673 grave
thanks

Le dimanche 06 mars 2011 à 14:58 +0100, Hans Spaans a écrit : 
> The following files contain a hardcoded path to "/tmp/context/".
> 
> /usr/lib/rhythmbox/plugins/context/AlbumTab.py
> /usr/lib/rhythmbox/plugins/context/ArtistTab.py
> /usr/lib/rhythmbox/plugins/context/LinksTab.py
> /usr/lib/rhythmbox/plugins/context/LyricsTab.py

Sorry for not replying earlier.
This terrible newbie mistake is probably a local privilege escalation
vulnerability. 

Squeeze is affected.

-- 
 .''`.      Josselin Mouette
: :' :
`. `'
  `-

Message #21 received at 616673@bugs.debian.org (full text, mbox, reply):

From: Josselin Mouette <joss@debian.org>

To: 616673@bugs.debian.org

Cc: team@security.debian.org

Subject: Re: Bug#616673: rhythmbox-plugins: Plugin "context" contains hardcoded path to /tmp/context/

Date: Mon, 25 Jun 2012 19:13:06 +0200

Le vendredi 22 juin 2012 à 21:16 +0200, Josselin Mouette a écrit : 
> Sorry for not replying earlier.
> This terrible newbie mistake is probably a local privilege escalation
> vulnerability. 
> 
> Squeeze is affected.

This is CVE-2012-3355.

-- 
 .''`.      Josselin Mouette
: :' :
`. `'
  `-

Message #30 received at 616673@bugs.debian.org (full text, mbox, reply):

From: Andreas Henriksson <andreas@fatal.se>

To: 616673@bugs.debian.org

Subject: patch to use tempfile.mkdtemp submitted upstream

Date: Thu, 5 Jul 2012 17:32:21 +0200

tags 616673 + patch
thanks

see upstream bug report for the actual patch.

-- 
Andreas Henriksson

Message #37 received at 616673@bugs.debian.org (full text, mbox, reply):

From: Henri Salo <henri@nerv.fi>

To: 616673@bugs.debian.org

Subject: resolved

Date: Tue, 24 Jul 2012 21:46:45 +0300

Hello,

Upstream bug-report <https://bugzilla.gnome.org/show_bug.cgi?id=678661> now says status resolved. What is status of this in Debian?

- Henri Salo

Message #42 received at 616673@bugs.debian.org (full text, mbox, reply):

From: Scott Kitterman <debian@kitterman.com>

To: 616673@bugs.debian.org

Subject: NMUing

Date: Fri, 27 Jul 2012 21:56:41 -0400

[Message part 1 (text/plain, inline)]

Since this is a security fix that's been sitting around for a bit, I'm going to 
go ahead and upload the attached NMU diff.  There are two possible patches 
available to resolve this issue.  The initial one done by Ubuntu and the 
upstream one.  Since the upstream patch also had some functional changes, the 
NMU is based on the Ubuntu patch (both resolved the security issue) to keep 
the changes to the minimum.

For the maintainers, of course I'm glad to have you do it the other way if you 
prefer, but I think it's better to at least get a security fix in the archive 
than not.

Scott K

[rhythmbox.debdiff (text/x-patch, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #47 received at 616673-close@bugs.debian.org (full text, mbox, reply):

From: Scott Kitterman <scott@kitterman.com>

To: 616673-close@bugs.debian.org

Subject: Bug#616673: fixed in rhythmbox 2.97-2.1

Date: Sat, 28 Jul 2012 02:47:32 +0000

Source: rhythmbox
Source-Version: 2.97-2.1

We believe that the bug you reported is fixed in the latest version of
rhythmbox, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 616673@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Scott Kitterman <scott@kitterman.com> (supplier of updated rhythmbox package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 27 Jul 2012 16:41:52 -0400
Source: rhythmbox
Binary: rhythmbox rhythmbox-data rhythmbox-dbg rhythmbox-plugins rhythmbox-plugin-cdrecorder librhythmbox-core6 rhythmbox-dev rhythmbox-doc gir1.2-rb-3.0
Architecture: source all i386
Version: 2.97-2.1
Distribution: unstable
Urgency: high
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Scott Kitterman <scott@kitterman.com>
Description: 
 gir1.2-rb-3.0 - GObject introspection data for the rhythmbox music player
 librhythmbox-core6 - support library for the rhythmbox music player
 rhythmbox  - music player and organizer for GNOME
 rhythmbox-data - data files for rhythmbox
 rhythmbox-dbg - debugging symbols for rhythmbox
 rhythmbox-dev - development files for the rhythmbox music player
 rhythmbox-doc - documentation files for the rhythmbox music player
 rhythmbox-plugin-cdrecorder - burning plugin for rhythmbox music player
 rhythmbox-plugins - plugins for rhythmbox music player
Closes: 616673
Changes: 
 rhythmbox (2.97-2.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Urgency high for security fix
   * fix insecure directory for python module import in context plugin
     (Closes: #616673)
     - debian/patches/CVE-2012-3355.patch: update context plugin to use
       tempfile.mkdtemp() instead of /tmp/context. Patch thanks to Andreas
       Henriksson (used theUbuntu security fix instead of the upstream commit
       because the upstream commit was a mix of functional changes and a
       security fix))
     - CVE-2012-3355
Checksums-Sha1: 
 b2456aaecea812f9496616a726e03f26f658f4f0 3250 rhythmbox_2.97-2.1.dsc
 be3aac4d50e7cd0d3b39ba6b35f124c68e893aa3 38440 rhythmbox_2.97-2.1.debian.tar.gz
 77eb664f47e6e64ef142fda7201000ddd0c9fe6b 5327724 rhythmbox-data_2.97-2.1_all.deb
 70c9c1a0366c7f84daccc1d30f9c9e29e539a74a 526956 rhythmbox-doc_2.97-2.1_all.deb
 98c5161789414c2a69d52d8a9346c791579beb15 390944 rhythmbox_2.97-2.1_i386.deb
 0e907f00919725a54e303f9ac3f1112ba8532117 3220030 rhythmbox-dbg_2.97-2.1_i386.deb
 6b32df71c993989660f7855c6a31d6d35ac05b16 836856 rhythmbox-plugins_2.97-2.1_i386.deb
 cf5781b813fb3d829e814195645c26e7d41fef1c 341404 rhythmbox-plugin-cdrecorder_2.97-2.1_i386.deb
 a5c0d947b812bb6ce53ab395ae38d88457df623e 859514 librhythmbox-core6_2.97-2.1_i386.deb
 aae0add438a1e9e0d6b1cb1d914d7924ff24fe24 460942 rhythmbox-dev_2.97-2.1_i386.deb
 40b409ba8e3c5bed1ba0d9e705201ef0ee7be834 369596 gir1.2-rb-3.0_2.97-2.1_i386.deb
Checksums-Sha256: 
 a906f35af4176d342a6aad33c2fe341cf2cf9bb6cde1fce58c9a6f38355d9a42 3250 rhythmbox_2.97-2.1.dsc
 0d6bcd5babad4bdd933d1f8533f61312c6af13affad56d11838b0c6d9aaf3a09 38440 rhythmbox_2.97-2.1.debian.tar.gz
 327a58d9625315bf3d2eeb6d6cb06a96ca0e7850513aa16fd6fb4f8d03cc2597 5327724 rhythmbox-data_2.97-2.1_all.deb
 e6292034ea302cf89c2dba10fa883781ecba189990455fee0fa146f743fd6807 526956 rhythmbox-doc_2.97-2.1_all.deb
 002992d438fe50e93b7b7f6d90ee18237224f9304914ec8a7b4a40459cd827ed 390944 rhythmbox_2.97-2.1_i386.deb
 c5e3109cb9a13677d6936e6e18fe6a72a8653331255ceb088a0246bada0b4bf2 3220030 rhythmbox-dbg_2.97-2.1_i386.deb
 e19356a351e3b93fbd7b42f7fd67f460c9d0a717c72102ceb1475f0119b0dfef 836856 rhythmbox-plugins_2.97-2.1_i386.deb
 836531c5e444c76816ec35b46cf4c72cb1a453eba24bc490793e7ab7827020f0 341404 rhythmbox-plugin-cdrecorder_2.97-2.1_i386.deb
 f9aa9f7a9858782d0013ffa851cd850f2531fc2fab37d98f0bebebc26727243c 859514 librhythmbox-core6_2.97-2.1_i386.deb
 9d9b2544a2d01dda0b57ce2a10362c181d3ceced29e5689e7a07cc8d28a8d61b 460942 rhythmbox-dev_2.97-2.1_i386.deb
 a932906b20fae2fedeb0e6e3052991ece2011a5e9faad3660b1c5720ec60f3cd 369596 gir1.2-rb-3.0_2.97-2.1_i386.deb
Files: 
 4770878b05e119ca5ddfb7bd750dd0fe 3250 gnome optional rhythmbox_2.97-2.1.dsc
 68686dfd6236b08f3bc73b9f759cea21 38440 gnome optional rhythmbox_2.97-2.1.debian.tar.gz
 406d46b606d69b9c1008d6baf0809e32 5327724 gnome optional rhythmbox-data_2.97-2.1_all.deb
 1abb378c4317ca68fc39b1c369f8b98b 526956 doc optional rhythmbox-doc_2.97-2.1_all.deb
 fe367488679ea839e0130100d895af7f 390944 gnome optional rhythmbox_2.97-2.1_i386.deb
 254a1c79fc439eab237d20df465c59f5 3220030 debug extra rhythmbox-dbg_2.97-2.1_i386.deb
 95329d1b1abde2aae510281df9a0ad1c 836856 gnome optional rhythmbox-plugins_2.97-2.1_i386.deb
 cfa33b9ab1433e4f03aabb9b8780c026 341404 gnome optional rhythmbox-plugin-cdrecorder_2.97-2.1_i386.deb
 c680a13f98db6023b7de9c1d4277e5af 859514 libs optional librhythmbox-core6_2.97-2.1_i386.deb
 eabafce9aae93f8297717dd24b36c22f 460942 libdevel optional rhythmbox-dev_2.97-2.1_i386.deb
 9f76bf09d1e9259a1926747269a0b826 369596 introspection optional gir1.2-rb-3.0_2.97-2.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAlATRaMACgkQHajaM93NaGrfvwCgkwfVAwQUyjT3SjPrTtZx3bC7
kIwAnjk7rhRhUF/QOaR4t7iYSOfH1GX8
=oNid
-----END PGP SIGNATURE-----

Message #56 received at 616673@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>

To: 616673@bugs.debian.org

Subject: Re: rhythmbox-plugins: CVE-2012-3355 Plugin "context" contains hardcoded path to /tmp/context/

Date: Fri, 18 Jan 2013 12:15:02 -0000

Package: rhythmbox-plugins

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.7) - use target "stable"

Please prepare a minimal-changes upload targetting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/616673/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

Send a report that this bug log contains spam.