Bug 28477

Summary:	rygel leaking contents of user's Documents directory
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	andrewsfarm, geiger.david68210, olav, ouaurelien, sysadmin-bugs
Version:	8	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA8-64-OK
Source RPM:	rygel-0.40.0-1.mga8.src.rpm	CVE:
Status comment:

Description David Walser 2021-02-27 20:25:09 CET

Fedora has issued an advisory on February 26:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2NB4JXO5Y35UV7DFATHNU5W32UXE34RC/

The issue is fixed upstream in 0.40.1.

David Walser 2021-02-27 20:25:19 CET

Status comment: (none) => Fixed upstream in 0.40.1

Comment 1 Aurelien Oudelet 2021-02-28 20:59:04 CET

Hi, thanks for reporting this.
As there is no maintainer for this package I added the committers in CC.

(Please set the status to 'assigned' if you are working on it)

CC: (none) => olav, ouaurelien
Assignee: bugsquad => pkg-bugs

Comment 2 David GEIGER 2021-03-01 15:59:11 CET

Done for mga8!

CC: (none) => geiger.david68210

Comment 3 David Walser 2021-03-01 18:01:51 CET

Package list:
rygel-0.40.1-1.mga8
librygel2.6_2-0.40.1-1.mga8
rygel-tracker-0.40.1-1.mga8
librygel-devel-0.40.1-1.mga8
librygel-ruih2.0_2-0.40.1-1.mga8
librygel-gir2.6-0.40.1-1.mga8

Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 0.40.1 => (none)

Comment 4 Thomas Andrews 2021-04-10 05:16:17 CEST

Not normally a Gnome user, nor do I stream media, but I'll give this a stab, anyway.

Upgraded a M7 Gnome vbox guest to M8. Saw that rygel was already installed, so used qarepo to get updates. No installation issues.

The user is supposed to create a rygel.conf file, but if that isn't done /etc/rygel.conf is used. So I ran "rygel" in a terminal. It couldn't find the file, but started checking for plugins and cataloging media folders. I closed the terminal and brought up another, running "rygel -h" for a bit of help. Then I ran "rygel --shutdown" which said the remote service had been shut down.

So I flirted a bit with the edges, enough to see it not crash. Calling that good enough. If it needs more, someone else will have to try it.

Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK

Comment 5 Aurelien Oudelet 2021-04-12 16:05:56 CEST

Advisory:
========================

Updated rygel packages fix security vulnerability:

The rygel packages has been updated to version 0.40.1, fixing security
issue and other bugs.

References:
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2NB4JXO5Y35UV7DFATHNU5W32UXE34RC/
 - https://bugzilla.redhat.com/show_bug.cgi?id=1931457
========================

Updated packages in 7/core/updates_testing:
========================
rygel-0.40.1-1.mga8
librygel2.6_2-0.40.1-1.mga8
rygel-tracker-0.40.1-1.mga8
librygel-devel-0.40.1-1.mga8
librygel-ruih2.0_2-0.40.1-1.mga8
librygel-gir2.6-0.40.1-1.mga8

from SRPM:
rygel-0.40.1-1.mga8.src.rpm

Keywords: (none) => advisory

Comment 6 Aurelien Oudelet 2021-04-12 16:06:33 CEST

oups, please read 8/core/updates_testing above Comment 5.

Comment 7 Mageia Robot 2021-04-12 22:02:20 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0179.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED