Bug 23201

Summary: cantata new security issues in D-Bus service (CVE-2018-12559, CVE-2018-1256[0-2])
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: brtians1, davidwhodgins, geiger.david68210, herman.viaene, sysadmin-bugs, tarazed25
Version: 6
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA6-32-OK
Source RPM: cantata-2.3.1-1.mga7.src.rpm
CVE:
Status comment:

Description David Walser 2018-06-19 02:15:43 CEST
Security issues in cantata have been announced today:
http://openwall.com/lists/oss-security/2018/06/18/1

The only solution is to remove the vulnerable D-Bus service.

Unfortunately, Mageia 6 is also affected as we have -DENABLE_REMOTE_DEVICES=ON.

David Walser 2018-06-19 02:15:49 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2018-06-19 12:59:25 CEST
CVEs have been assigned:
http://openwall.com/lists/oss-security/2018/06/19/1

Summary: cantata new security issues in D-Bus service => cantata new security issues in D-Bus service (CVE-2018-12559, CVE-2018-1256[0-2])

Comment 2 David GEIGER 2018-06-19 16:08:53 CEST
Done!

Comment 3 David Walser 2018-06-20 13:18:47 CEST
Advisory:
========================

Updated cantata package fixes security vulnerabilities:

The mount target path check in mounter.cpp `mpOk()` is insufficient. A regular
user can this way mount a CIFS filesystem anywhere, and not just beneath /home
by passing relative path components (CVE-2018-12559).

Arbitrary unmounts can be performed by regular users the same way
(CVE-2018-12560).

A regular user can inject additional mount options like file_mode= by
manipulating e.g. the domain parameter of the samba URL (CVE-2018-12561).

The wrapper script 'mount.cifs.wrapper' uses the shell to forward the
arguments to the actual mount.cifs binary. The shell evaluates wildcards which
can also be injected (CVE-2018-12562).

To fix these issues, the vulnerable D-Bus service has been removed.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12559
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12560
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12561
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12562
http://openwall.com/lists/oss-security/2018/06/19/1
========================

Updated packages in core/updates_testing:
========================
cantata-2.0.1-5.1.mga6

from cantata-2.0.1-5.1.mga6.src.rpm

CC: (none) => geiger.david68210
Version: Cauldron => 6
Assignee: geiger.david68210 => qa-bugs
Whiteboard: MGA6TOO => (none)
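
Added example, not part of the bug report and not Cantata's code: a prefix-only target path test beside one that normalises relative path components first (the class of problem in CVE-2018-12559 and CVE-2018-12560), plus a check that keeps a URL field from adding mount options (CVE-2018-12561). All function names and sample inputs are hypothetical; the actual mpOk() code is not shown on this page.

```cpp
// Added example, not Cantata code: names and sample inputs are hypothetical.
#include <sstream>
#include <string>
#include <vector>

// Assumed shape of an insufficient test: string prefix only.
bool naivePrefixCheck(const std::string &p) {
    return p.compare(0, 6, "/home/") == 0;
}

// Lexically normalise an absolute path: drop "." and empty parts, apply "..".
// Returns "" for relative input. Symlinks are NOT resolved here; a privileged
// helper must also resolve them (e.g. realpath()) before acting on the path.
std::string normalise(const std::string &p) {
    if (p.empty() || p[0] != '/') return "";
    std::vector<std::string> parts;
    std::istringstream in(p);
    std::string seg;
    while (std::getline(in, seg, '/')) {
        if (seg.empty() || seg == ".") continue;
        if (seg == "..") { if (!parts.empty()) parts.pop_back(); continue; }
        parts.push_back(seg);
    }
    std::string out;
    for (const auto &s : parts) out += "/" + s;
    return out.empty() ? "/" : out;
}

// Hardened check: decide on the normalised path, and require a real
// sub-directory of /home rather than /home itself.
bool isBeneathHome(const std::string &p) {
    const std::string n = normalise(p);
    return n.size() > 6 && n.compare(0, 6, "/home/") == 0;
}

// A value spliced into a comma-separated "-o key=value,..." string must not
// contain ',' (option separator), whitespace or control characters.
bool isSafeOptionValue(const std::string &v) {
    if (v.empty()) return false;
    for (unsigned char c : v)
        if (c == ',' || c <= ' ' || c == 0x7f) return false;
    return true;
}

int main() {  // constructed inputs; exit status 0 when the checks behave as described
    const std::string p = "/home/user/../../etc";
    return (naivePrefixCheck(p) && !isBeneathHome(p) && !isSafeOptionValue("WG,x=1")) ? 0 : 1;
}
```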

Comment 4 Herman Viaene 2018-07-01 10:56:22 CEST
MGA6-32 on IBM Thinkpad R50e MATE
No installation issues
There was no previous version of cantata on this laptop, so I had to go through the setup, choosing basic configuration and the standard "Muziek" folder in the normal user's home folder. It is also the pwd when launching cantata from the CLI.
Cantata starts the GUI complaining it cannot find "Personal", then I try to point it to the "Muziek" folder, and it crashes.
From the CLI:
$ cantata 
QPixmap::scaled: Pixmap is a null pixmap
QSqlDatabase: QSQLITE driver not loaded
QSqlDatabase: available drivers: 
Jul 01 10:43 : socket: Failed to bind to '/home/tester6/.local/share/cantata/mpd/socket': Address already in use
Jul 01 10:43 : errno: Failed to open /home/tester6/.cache/cantata/mpd/tag_cache: No such file or directory
Segmentatiefout (geheugendump gemaakt)
There is no sqlite installed on this laptop, and it is nowhere mentioned in the startup configuration that this is needed, so ????

CC: (none) => herman.viaene

Comment 5 Brian Rockwell 2018-07-10 01:42:40 CEST
Hi Herman,
I ran into the same thing.  I installed libqt5-database-plugin-sqlite, I had sqlite installed, and it worked. 

I installed this as an individual user ot as a shared resources (there are two options, I couldn't connect on the multi-user in first testing)

Other than dependency, it works as designed.

CC: (none) => brtians1

Comment 6 Herman Viaene 2018-07-11 15:10:25 CEST
Tx Brian for the hint.
With this sqlite installed, cantata plays well local files as streams from internet radios. OK for me, if the sqlite thingy is not considered a problem for the higher powers in QA.

Comment 7 Len Lawrence 2018-07-12 11:53:09 CEST
Advice from a lower power; maybe push this back to the maintainer to resolve the plugin dependency.  When reassigned it should not need more testing - Herman and Brian have done enough.

CC: (none) => tarazed25

Comment 8 Dave Hodgins 2018-07-12 21:57:08 CEST
The missing requires is not a regression, so doesn't block this update.

Adding the ok based on above comments.
Advisory committed to svn.
Validating the update.

Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA6-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 9 Mageia Robot 2018-07-13 21:02:16 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0314.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED