CVE-2006-6980: magnatune shell escapes

Related Vulnerabilities: CVE-2006-6980   CVE-2006-6979  

Debian Bug report logs - #410850
CVE-2006-6980: magnatune shell escapes


Reported by: ana@debian.org

Date: Tue, 13 Feb 2007 21:03:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions 1.4.4-2, 1.4.5-2

Fixed in versions 1.4.4-4, amarok/1.4.5-3

Done: Ana Beatriz Guerrero Lopez <ana@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org:
Bug#410850; Package amarock.


Acknowledgement sent to Kees Cook <kees@outflux.net>:
New Bug report received and forwarded. Copy sent to unknown-package@qa.debian.org.


Message #5 received at submit@bugs.debian.org:

From: Kees Cook <kees@outflux.net>
To: Debian Bugs <submit@bugs.debian.org>
Subject: CVE-2006-6980: magnatune shell escapes
Date: Tue, 13 Feb 2007 12:59:12 -0800
Package: amarock
Version: 1.4.4-2
Severity: grave
Tags: patch, security

CVE-2006-6980 says[1]:

"The ruby handlers in Amarok do not properly quote text in certain 
contexts, probably including construction of an unzip command line, 
which allows attackers to execute arbitrary commands via shell 
metacharacters."

There is an open KDE bug report[2], and SuSE has patched this 
problem.  I'm working on extracting the patches now...


[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6979
[2] http://bugs.kde.org/show_bug.cgi?id=138499

-- 
Kees Cook                                            @outflux.net
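
The quoting failure the CVE text describes, shown as an added example that is not Amarok's code or part of the original report: a Ruby script runs an external tool three ways on the same untrusted file name. HOSTILE_NAME, TOOL, STRATEGIES and injected? are hypothetical names, and `true` stands in for unzip so the example runs without it installed.

```ruby
require "shellwords"
require "tmpdir"

# Constructed album file name containing a shell metacharacter (`;`).
# Not taken from the bug report; the trailing command only creates a marker file.
HOSTILE_NAME = "album.zip; touch INJECTED"

# Stand-in for the external archive tool (assumption: unzip may be absent);
# `true` ignores its arguments and exits 0.
TOOL = "true"

# Each strategy receives the untrusted name and a working directory.
STRATEGIES = {
  # Unquoted pattern: the name is pasted into a string that /bin/sh parses,
  # so `;` ends the tool's command line and starts a second command.
  interpolated: ->(name, dir) { system("#{TOOL} #{name}", chdir: dir) },
  # Fix 1: escape the name before the shell sees it.
  escaped: ->(name, dir) { system("#{TOOL} #{Shellwords.escape(name)}", chdir: dir) },
  # Fix 2 (preferred): argument-vector form, no shell is involved at all.
  argv: ->(name, dir) { system(TOOL, name, chdir: dir) },
}.freeze

# Runs one strategy in a fresh temporary directory and reports whether the
# trailing command executed, i.e. whether the marker file appeared.
def injected?(strategy, name = HOSTILE_NAME)
  Dir.mktmpdir do |dir|
    STRATEGIES.fetch(strategy).call(name, dir)
    File.exist?(File.join(dir, "INJECTED"))
  end
end

if __FILE__ == $PROGRAM_NAME
  STRATEGIES.each_key do |s|
    puts format("%-13s trailing command ran: %s", s, injected?(s))
  end
end
```

When auditing scripts for this class of bug, single-string system() calls, backticks and %x{} with interpolated values are the patterns to search for.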



Bug reassigned from package `amarock' to `amarok'. Request was from Ana Guerrero <ana@debian.org> to control@bugs.debian.org.


Bug reassigned from package `amarok' to `amarok'. Request was from Kees Cook <kees@outflux.net> to control@bugs.debian.org.


Bug reassigned from package `amarok' to `amarok'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.


Bug marked as found in version 1.4.4-2. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Adeodato Simó <dato@net.com.org.es>:
Bug#410850; Package amarok.


Acknowledgement sent to Kees Cook <kees@outflux.net>:
Extra info received and forwarded to list. Copy sent to Adeodato Simó <dato@net.com.org.es>.


Message #18 received at 410850@bugs.debian.org:

From: Kees Cook <kees@outflux.net>
To: 410850@bugs.debian.org
Subject: misleading CVE
Date: Tue, 13 Feb 2007 13:44:04 -0800
BTW, the CVE is misleading, there are ruby script fixes needed as well 
as the unzip bug.  Attached is a patch for the ruby fixes, which appear 
to be in upstream 1.4.5 already.

-- 
Kees Cook                                            @outflux.net
[kubuntu_90_fix-shell-escapes.diff (text/x-diff, attachment)]

Bug marked as found in version 1.4.5-2. Request was from Ana Guerrero <ana@debian.org> to control@bugs.debian.org.


Tags added: upstream Request was from Filipus Klutiero <cheal@hotpop.com> to control@bugs.debian.org.


Noted your statement that Bug has been forwarded to http://bugs.kde.org/show_bug.cgi?id=138499. Request was from Filipus Klutiero <cheal@hotpop.com> to control@bugs.debian.org.


Removed annotation that Bug had been forwarded to http://bugs.kde.org/show_bug.cgi?id=138499. Request was from Ana Guerrero <ana@debian.org> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Adeodato Simó <dato@net.com.org.es>:
Bug#410850; Package amarok.


Acknowledgement sent to Ana Guerrero <ana@debian.org>:
Extra info received and forwarded to list. Copy sent to Adeodato Simó <dato@net.com.org.es>.


Message #31 received at 410850@bugs.debian.org:

From: Ana Guerrero <ana@debian.org>
To: Kees Cook <kees@outflux.net>, 410850@bugs.debian.org
Subject: Re: CVE-2006-6980: magnatune shell escapes
Date: Wed, 14 Feb 2007 23:35:50 +0100
On Tue, Feb 13, 2007 at 12:59:12PM -0800, Kees Cook wrote:
> Package: amarock
> Version: 1.4.4-2
> Severity: grave
> Tags: patch, security
> 
> CVE-2006-6980 says[1]:
> 
> "The ruby handlers in Amarok do not properly quote text in certain 
> contexts, probably including construction of an unzip command line, 
> which allows attackers to execute arbitrary commands via shell 
> metacharacters."
> 
> There is an open KDE bug report[2], and SuSE has patched this 
> problem.  I'm working on extracting the patches now...
> 
> 
> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6979
> [2] http://bugs.kde.org/show_bug.cgi?id=138499
>

As Kees says in a previous mail, this CVE is misleading and it is
pointing to 2 security bugs. Upstream has fixed one of them:
http://bugs.kde.org/show_bug.cgi?id=138499

And I'm still waiting for some input of the ruby scripts patches
(attached in this mail).

Ana
> 
> 



Information forwarded to debian-bugs-dist@lists.debian.org, Adeodato Simó <dato@net.com.org.es>:
Bug#410850; Package amarok.


Acknowledgement sent to Kees Cook <kees@outflux.net>:
Extra info received and forwarded to list. Copy sent to Adeodato Simó <dato@net.com.org.es>.


Message #36 received at 410850@bugs.debian.org:

From: Kees Cook <kees@outflux.net>
To: 410850@bugs.debian.org
Subject: links to upstream changes
Date: Thu, 15 Feb 2007 07:59:41 -0800
Here are the upstream changes for the ruby and unzip fixes:

http://websvn.kde.org/trunk/extragear/multimedia/amarok/src/scripts/databasescripts/backupDatabase.rb?rev=611302&r1=485972&r2=611302
http://websvn.kde.org/trunk/extragear/multimedia/amarok/src/scripts/databasescripts/databaseScripts.rb?rev=611304&r1=485124&r2=611304
http://websvn.kde.org/trunk/extragear/multimedia/amarok/src/scripts/databasescripts/redoPodcasts.rb?rev=611303&r1=527198&r2=611303
http://websvn.kde.org/trunk/extragear/multimedia/amarok/src/scripts/databasescripts/staleAlbums.rb?rev=611306&r1=513319&r2=611306
http://websvn.kde.org/trunk/extragear/multimedia/amarok/src/scripts/databasescripts/staleArtists.rb?rev=611300&r1=513319&r2=611300
http://websvn.kde.org/trunk/extragear/multimedia/amarok/src/scripts/databasescripts/staleImages.rb?rev=611298&r1=513461&r2=611298
http://websvn.kde.org/trunk/extragear/multimedia/amarok/src/scripts/databasescripts/staleStatistics.rb?rev=611301&r1=484927&r2=611301

http://websvn.kde.org/trunk/extragear/multimedia/amarok/src/scripts/mp3fix/mp3fixer.rb?rev=611452&r1=515416&r2=611452

http://websvn.kde.org/trunk/extragear/multimedia/amarok/src/magnatunebrowser/magnatunealbumdownloader.cpp?rev=633728&r1=632452&r2=633728

-- 
Kees Cook                                            @outflux.net



Reply sent to Ana Beatriz Guerrero Lopez <ana@debian.org>:
You have taken responsibility.


Notification sent to Kees Cook <kees@outflux.net>:
Bug acknowledged by developer.


Message #41 received at 410850-close@bugs.debian.org:

From: Ana Beatriz Guerrero Lopez <ana@debian.org>
To: 410850-close@bugs.debian.org
Subject: Bug#410850: fixed in amarok 1.4.4-3
Date: Fri, 16 Feb 2007 17:32:04 +0000
Source: amarok
Source-Version: 1.4.4-3

We believe that the bug you reported is fixed in the latest version of
amarok, which is due to be installed in the Debian FTP archive:

amarok-engines_1.4.4-3_i386.deb
  to pool/main/a/amarok/amarok-engines_1.4.4-3_i386.deb
amarok-xine_1.4.4-3_i386.deb
  to pool/main/a/amarok/amarok-xine_1.4.4-3_i386.deb
amarok_1.4.4-3.diff.gz
  to pool/main/a/amarok/amarok_1.4.4-3.diff.gz
amarok_1.4.4-3.dsc
  to pool/main/a/amarok/amarok_1.4.4-3.dsc
amarok_1.4.4-3_i386.deb
  to pool/main/a/amarok/amarok_1.4.4-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 410850@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ana Beatriz Guerrero Lopez <ana@debian.org> (supplier of updated amarok package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 15 Feb 2007 22:28:13 +0100
Source: amarok
Binary: amarok amarok-xine amarok-engines
Architecture: source i386
Version: 1.4.4-3
Distribution: unstable
Urgency: high
Maintainer: Adeodato Simó <dato@net.com.org.es>
Changed-By: Ana Beatriz Guerrero Lopez <ana@debian.org>
Description: 
 amarok     - versatile and easy to use audio player for KDE
 amarok-engines - output engines for the Amarok audio player
 amarok-xine - xine engine for the Amarok audio player
Closes: 410850
Changes: 
 amarok (1.4.4-3) unstable; urgency=high
 .
   * Edited patch magnatune.patch fixing CVE-2006-6980: amarok magnatune
     unsafe shell. (Closes: #410850).
   	The reference to the ruby scripts pointed in the bug report, is a problem
     that was already solved in amarok 1.4.4.
   * Add dep on unzip (needed to uncompress albums).
Files: 
 a3d1fc8354e3ebc6edd025da61974eb4 1000 kde optional amarok_1.4.4-3.dsc
 91044a6ec9fd98c338d97306f29b1839 41951 kde optional amarok_1.4.4-3.diff.gz
 9c6d05341a17b95a086ecdc4bb9c1a17 17426768 kde optional amarok_1.4.4-3_i386.deb
 bd68121e29de9f2b970b99f9ce31a1e0 69846 kde optional amarok-engines_1.4.4-3_i386.deb
 b96a3633f7ffc87749607090687644db 122418 kde optional amarok-xine_1.4.4-3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Signed by Ana Guerrero

iD8DBQFF1d+an3j4POjENGERAgtIAJ0U92ru/nNsF5oOiSFEQrED7LAJiACfVfnJ
svLgVRKlWudc6+/lsV3oXhc=
=tBev
-----END PGP SIGNATURE-----




Bug reopened, originator set to ana@debian.org. Request was from Ana Guerrero <ana@debian.org> to control@bugs.debian.org.


Bug marked as fixed in version 1.4.4-4, send any further explanations to ana@debian.org Request was from Ana Guerrero <ana@debian.org> to control@bugs.debian.org.


Reply sent to Ana Beatriz Guerrero Lopez <ana@debian.org>:
You have taken responsibility.


Notification sent to ana@debian.org:
Bug acknowledged by developer.


Message #50 received at 410850-close@bugs.debian.org:

From: Ana Beatriz Guerrero Lopez <ana@debian.org>
To: 410850-close@bugs.debian.org
Subject: Bug#410850: fixed in amarok 1.4.5-3
Date: Mon, 12 Mar 2007 09:32:03 +0000
Source: amarok
Source-Version: 1.4.5-3

We believe that the bug you reported is fixed in the latest version of
amarok, which is due to be installed in the Debian FTP archive:

amarok-engines_1.4.5-3_i386.deb
  to pool/main/a/amarok/amarok-engines_1.4.5-3_i386.deb
amarok-xine_1.4.5-3_i386.deb
  to pool/main/a/amarok/amarok-xine_1.4.5-3_i386.deb
amarok_1.4.5-3.diff.gz
  to pool/main/a/amarok/amarok_1.4.5-3.diff.gz
amarok_1.4.5-3.dsc
  to pool/main/a/amarok/amarok_1.4.5-3.dsc
amarok_1.4.5-3_i386.deb
  to pool/main/a/amarok/amarok_1.4.5-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 410850@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ana Beatriz Guerrero Lopez <ana@debian.org> (supplier of updated amarok package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 12 Mar 2007 02:38:05 +0100
Source: amarok
Binary: amarok amarok-xine amarok-engines
Architecture: source i386
Version: 1.4.5-3
Distribution: experimental
Urgency: low
Maintainer: Adeodato Simó <dato@net.com.org.es>
Changed-By: Ana Beatriz Guerrero Lopez <ana@debian.org>
Description: 
 amarok     - versatile and easy to use audio player for KDE
 amarok-engines - output engines for the Amarok audio player
 amarok-xine - xine engine for the Amarok audio player
Closes: 400801 405399 410850
Changes: 
 amarok (1.4.5-3) experimental; urgency=low
 .
   * Add support for devices using MTP, build-dep on libmtp-dev added.
     (Closes: #405399)
   * Add support for karma devices, build-dep on libkarma-dev added.
     (Closes: #400801)
   * Added patch fixing CVE-2006-6980: amarok magnatune unsafe shell.
     (Closes: #410850)
Files: 
 63a60d89db463182bbf0daee32eb0a59 1027 kde optional amarok_1.4.5-3.dsc
 a85943a80c2cf281ce9632b4fc52c82d 22504 kde optional amarok_1.4.5-3.diff.gz
 eb1eb782efc57faefab65e7488e8b60f 17945834 kde optional amarok_1.4.5-3_i386.deb
 c36c1f321063030f115751df7aa7ca51 73542 kde optional amarok-engines_1.4.5-3_i386.deb
 a55969ce5d2dd3cbfd53b81936687912 129166 kde optional amarok-xine_1.4.5-3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Signed by Ana Guerrero

iD8DBQFF9SGZn3j4POjENGERAl7AAJ0b/Fp8DJ4cophfXFxKkkhCxs+fVgCeIV78
RmPqXdumdb3AeSaLAG0cwGM=
=ehf7
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 19:40:55 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:08:11 2019; Machine Name: buxtehude
