Debian Bug report logs - #410850
CVE-2006-6980: magnatune shell escapes
Reported by: ana@debian.org
Date: Tue, 13 Feb 2007 21:03:01 UTC
Severity: grave
Tags: patch, security, upstream
Found in versions 1.4.4-2, 1.4.5-2
Fixed in versions 1.4.4-4, amarok/1.4.5-3
Done: Ana Beatriz Guerrero Lopez <ana@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org: Bug#410850; Package amarock.
Acknowledgement sent to Kees Cook <kees@outflux.net>: New Bug report received and forwarded. Copy sent to unknown-package@qa.debian.org.
Message #5 received at submit@bugs.debian.org:
Package: amarock
Version: 1.4.4-2
Severity: grave
Tags: patch, security
CVE-2006-6980 says[1]:
"The ruby handlers in Amarok do not properly quote text in certain
contexts, probably including construction of an unzip command line,
which allows attackers to execute arbitrary commands via shell
metacharacters."
There is an open KDE bug report[2], and SuSE has patched this
problem. I'm working on extracting the patches now...
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6979
[2] http://bugs.kde.org/show_bug.cgi?id=138499
--
Kees Cook @outflux.net
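The quoting defect the CVE text describes, and the two standard Ruby remedies for it, as an added example that is not part of the bug report or of Amarok's own scripts (the album file name, destination directory and unzip flags are constructed for illustration):

```ruby
require 'shellwords'

# Pattern the CVE describes: an untrusted file name is interpolated into one
# command string, which the shell re-parses. A space, ';', '|' or '$(...)' in
# the name then changes the command instead of naming a file.
def unsafe_unzip_command(archive, dest_dir)
  "unzip -o #{archive} -d #{dest_dir}"
end

# Fix 1: hand the program an argv array. Kernel#system / Process.spawn with
# several arguments exec the program directly, so no shell ever parses it and
# the archive name arrives as exactly one argument, metacharacters included.
def safe_unzip_argv(archive, dest_dir)
  ['unzip', '-o', archive, '-d', dest_dir]
end

# Fix 2: when a single string is unavoidable (a runner that always goes
# through /bin/sh), quote every word with Shellwords before joining.
def safe_unzip_string(archive, dest_dir)
  safe_unzip_argv(archive, dest_dir).shelljoin
end

# Approximates how a POSIX shell tokenises a command string: it honours quotes
# and backslash escapes, so it shows whether the name survives as one word.
def words_as_shell_sees(command)
  Shellwords.split(command)
end

# Runs the extraction without a shell (not invoked below; unzip may be absent).
def extract_album(archive, dest_dir)
  system(*safe_unzip_argv(archive, dest_dir))
end

if $PROGRAM_NAME == __FILE__
  # Constructed album name containing a space and a command separator.
  archive = 'My Album; echo INJECTED.zip'
  dest = '/tmp/magnatune'
  p words_as_shell_sees(unsafe_unzip_command(archive, dest)) # name fragmented, 'echo' becomes a word
  p words_as_shell_sees(safe_unzip_string(archive, dest))    # name kept as one word
  p safe_unzip_argv(archive, dest)
end
```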
Bug reassigned from package `amarock' to `amarok'.
Request was from Ana Guerrero <ana@debian.org> to control@bugs.debian.org.
Bug reassigned from package `amarok' to `amarok'.
Request was from Kees Cook <kees@outflux.net> to control@bugs.debian.org.
Bug reassigned from package `amarok' to `amarok'.
Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.
Bug marked as found in version 1.4.4-2.
Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Adeodato Simó <dato@net.com.org.es>: Bug#410850; Package amarok.
Acknowledgement sent to Kees Cook <kees@outflux.net>: Extra info received and forwarded to list. Copy sent to Adeodato Simó <dato@net.com.org.es>.
Message #18 received at 410850@bugs.debian.org:
BTW, the CVE is misleading, there are ruby script fixes needed as well
as the unzip bug. Attached is a patch for the ruby fixes, which appear
to be in upstream 1.4.5 already.
--
Kees Cook @outflux.net
[kubuntu_90_fix-shell-escapes.diff (text/x-diff, attachment)]
Bug marked as found in version 1.4.5-2.
Request was from Ana Guerrero <ana@debian.org> to control@bugs.debian.org.
Tags added: upstream
Request was from Filipus Klutiero <cheal@hotpop.com> to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Adeodato Simó <dato@net.com.org.es>: Bug#410850; Package amarok.
Acknowledgement sent to Ana Guerrero <ana@debian.org>: Extra info received and forwarded to list. Copy sent to Adeodato Simó <dato@net.com.org.es>.
Message #31 received at 410850@bugs.debian.org:
On Tue, Feb 13, 2007 at 12:59:12PM -0800, Kees Cook wrote:
> Package: amarock
> Version: 1.4.4-2
> Severity: grave
> Tags: patch, security
>
> CVE-2006-6980 says[1]:
>
> "The ruby handlers in Amarok do not properly quote text in certain
> contexts, probably including construction of an unzip command line,
> which allows attackers to execute arbitrary commands via shell
> metacharacters."
>
> There is an open KDE bug report[2], and SuSE has patched this
> problem. I'm working on extracting the patches now...
>
>
> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6979
> [2] http://bugs.kde.org/show_bug.cgi?id=138499
>
As Kees says in a previous mail, this CVE is misleading and it is
pointing to 2 security bugs. Upstream has fixed one of them:
http://bugs.kde.org/show_bug.cgi?id=138499
And I'm still waiting for some input on the ruby scripts patches
(attached in this mail).
Ana
Information forwarded to debian-bugs-dist@lists.debian.org, Adeodato Simó <dato@net.com.org.es>: Bug#410850; Package amarok.
Acknowledgement sent to Kees Cook <kees@outflux.net>: Extra info received and forwarded to list. Copy sent to Adeodato Simó <dato@net.com.org.es>.
Message #36 received at 410850@bugs.debian.org:
Here are the upstream changes for the ruby and unzip fixes:
http://websvn.kde.org/trunk/extragear/multimedia/amarok/src/scripts/databasescripts/backupDatabase.rb?rev=611302&r1=485972&r2=611302
http://websvn.kde.org/trunk/extragear/multimedia/amarok/src/scripts/databasescripts/databaseScripts.rb?rev=611304&r1=485124&r2=611304
http://websvn.kde.org/trunk/extragear/multimedia/amarok/src/scripts/databasescripts/redoPodcasts.rb?rev=611303&r1=527198&r2=611303
http://websvn.kde.org/trunk/extragear/multimedia/amarok/src/scripts/databasescripts/staleAlbums.rb?rev=611306&r1=513319&r2=611306
http://websvn.kde.org/trunk/extragear/multimedia/amarok/src/scripts/databasescripts/staleArtists.rb?rev=611300&r1=513319&r2=611300
http://websvn.kde.org/trunk/extragear/multimedia/amarok/src/scripts/databasescripts/staleImages.rb?rev=611298&r1=513461&r2=611298
http://websvn.kde.org/trunk/extragear/multimedia/amarok/src/scripts/databasescripts/staleStatistics.rb?rev=611301&r1=484927&r2=611301
http://websvn.kde.org/trunk/extragear/multimedia/amarok/src/scripts/mp3fix/mp3fixer.rb?rev=611452&r1=515416&r2=611452
http://websvn.kde.org/trunk/extragear/multimedia/amarok/src/magnatunebrowser/magnatunealbumdownloader.cpp?rev=633728&r1=632452&r2=633728
--
Kees Cook @outflux.net
Reply sent to Ana Beatriz Guerrero Lopez <ana@debian.org>: You have taken responsibility.
Notification sent to Kees Cook <kees@outflux.net>: Bug acknowledged by developer.
Message #41 received at 410850-close@bugs.debian.org:
Source: amarok
Source-Version: 1.4.4-3
We believe that the bug you reported is fixed in the latest version of
amarok, which is due to be installed in the Debian FTP archive:
amarok-engines_1.4.4-3_i386.deb
to pool/main/a/amarok/amarok-engines_1.4.4-3_i386.deb
amarok-xine_1.4.4-3_i386.deb
to pool/main/a/amarok/amarok-xine_1.4.4-3_i386.deb
amarok_1.4.4-3.diff.gz
to pool/main/a/amarok/amarok_1.4.4-3.diff.gz
amarok_1.4.4-3.dsc
to pool/main/a/amarok/amarok_1.4.4-3.dsc
amarok_1.4.4-3_i386.deb
to pool/main/a/amarok/amarok_1.4.4-3_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 410850@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ana Beatriz Guerrero Lopez <ana@debian.org> (supplier of updated amarok package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Thu, 15 Feb 2007 22:28:13 +0100
Source: amarok
Binary: amarok amarok-xine amarok-engines
Architecture: source i386
Version: 1.4.4-3
Distribution: unstable
Urgency: high
Maintainer: Adeodato Simó <dato@net.com.org.es>
Changed-By: Ana Beatriz Guerrero Lopez <ana@debian.org>
Description:
amarok - versatile and easy to use audio player for KDE
amarok-engines - output engines for the Amarok audio player
amarok-xine - xine engine for the Amarok audio player
Closes: 410850
Changes:
amarok (1.4.4-3) unstable; urgency=high
.
* Edited patch magnatune.patch fixing CVE-2006-6980: amarok magnatune
unsafe shell. (Closes: #410850).
The reference to the ruby scripts pointed to in the bug report is a problem
that was already solved in amarok 1.4.4.
* Add dep on unzip (needed to uncompress albums).
Files:
a3d1fc8354e3ebc6edd025da61974eb4 1000 kde optional amarok_1.4.4-3.dsc
91044a6ec9fd98c338d97306f29b1839 41951 kde optional amarok_1.4.4-3.diff.gz
9c6d05341a17b95a086ecdc4bb9c1a17 17426768 kde optional amarok_1.4.4-3_i386.deb
bd68121e29de9f2b970b99f9ce31a1e0 69846 kde optional amarok-engines_1.4.4-3_i386.deb
b96a3633f7ffc87749607090687644db 122418 kde optional amarok-xine_1.4.4-3_i386.deb
Bug reopened, originator set to ana@debian.org.
Request was from Ana Guerrero <ana@debian.org> to control@bugs.debian.org.
Bug marked as fixed in version 1.4.4-4, send any further explanations to ana@debian.org.
Request was from Ana Guerrero <ana@debian.org> to control@bugs.debian.org.
Reply sent to Ana Beatriz Guerrero Lopez <ana@debian.org>: You have taken responsibility.
Notification sent to ana@debian.org: Bug acknowledged by developer.
Message #50 received at 410850-close@bugs.debian.org:
Source: amarok
Source-Version: 1.4.5-3
We believe that the bug you reported is fixed in the latest version of
amarok, which is due to be installed in the Debian FTP archive:
amarok-engines_1.4.5-3_i386.deb
to pool/main/a/amarok/amarok-engines_1.4.5-3_i386.deb
amarok-xine_1.4.5-3_i386.deb
to pool/main/a/amarok/amarok-xine_1.4.5-3_i386.deb
amarok_1.4.5-3.diff.gz
to pool/main/a/amarok/amarok_1.4.5-3.diff.gz
amarok_1.4.5-3.dsc
to pool/main/a/amarok/amarok_1.4.5-3.dsc
amarok_1.4.5-3_i386.deb
to pool/main/a/amarok/amarok_1.4.5-3_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 410850@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ana Beatriz Guerrero Lopez <ana@debian.org> (supplier of updated amarok package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Mon, 12 Mar 2007 02:38:05 +0100
Source: amarok
Binary: amarok amarok-xine amarok-engines
Architecture: source i386
Version: 1.4.5-3
Distribution: experimental
Urgency: low
Maintainer: Adeodato Simó <dato@net.com.org.es>
Changed-By: Ana Beatriz Guerrero Lopez <ana@debian.org>
Description:
amarok - versatile and easy to use audio player for KDE
amarok-engines - output engines for the Amarok audio player
amarok-xine - xine engine for the Amarok audio player
Closes: 400801 405399 410850
Changes:
amarok (1.4.5-3) experimental; urgency=low
.
* Add support for devices using MTP, build-dep on libmtp-dev added.
(Closes: #405399)
* Add support for karma devices, build-dep on libkarma-dev added.
(Closes: #400801)
* Added patch fixing CVE-2006-6980: amarok magnatune unsafe shell.
(Closes: #410850)
Files:
63a60d89db463182bbf0daee32eb0a59 1027 kde optional amarok_1.4.5-3.dsc
a85943a80c2cf281ce9632b4fc52c82d 22504 kde optional amarok_1.4.5-3.diff.gz
eb1eb782efc57faefab65e7488e8b60f 17945834 kde optional amarok_1.4.5-3_i386.deb
c36c1f321063030f115751df7aa7ca51 73542 kde optional amarok-engines_1.4.5-3_i386.deb
a55969ce5d2dd3cbfd53b81936687912 129166 kde optional amarok-xine_1.4.5-3_i386.deb
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 19:40:55 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 19:08:11 2019; Machine Name: buxtehude