Bug 6767

Summary: rhythmbox new security issue CVE-2012-3355 [mga1 & 2]
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: Normal
CC: davidwhodgins, fundawang, jani.valimaa, olav, pterjan, stormi-mageia, sysadmin-bugs, tmb
Version: 2
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
URL: http://lwn.net/Vulnerabilities/506566/
Whiteboard: MGA1TOO, mga1-64-OK, MGA1-32-OK, MGA2-32-OK, MGA2-64-OK
Source RPM: rhythmbox-2.96-1.mga2.src.rpm
CVE:
Status comment:

Description David Walser 2012-07-12 20:38:26 CEST
Ubuntu has issued an advisory on July 11:
http://www.ubuntu.com/usn/usn-1503-1/

It's an insecure temp file vulnerability.  Patch is available upstream:
https://bugzilla.gnome.org/show_bug.cgi?id=678661

It seems older versions past a certain point aren't vulnerable, but not sure what the cut off is.  Will need to investigate this for Mageia 1.

David Walser 2012-07-12 20:39:36 CEST

CC: (none) => olav
Whiteboard: (none) => MGA2TOO, MGA1TOO

David Walser 2012-07-12 20:39:53 CEST

CC: (none) => jani.valimaa

David Walser 2012-07-12 20:40:00 CEST

CC: (none) => fundawang

David Walser 2012-07-12 20:40:10 CEST

CC: (none) => pterjan

Comment 1 David Walser 2012-07-13 19:29:32 CEST
Patched package uploaded for Mageia 1, Mageia 2, and Cauldron.

To test this, you have to enable the Context plugin.  It appears that you have to log into a last.fm account to actually use it.

Advisory:
========================

Updated rhythmbox packages fix security vulnerability:

Hans Spaans discovered that the Context plugin in Rhythmbox created a
temporary directory in an insecure manner. A local attacker could exploit
this to execute arbitrary code as the user invoking the program. The
Context plugin is disabled by default in Ubuntu (CVE-2012-3355).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3355
http://www.ubuntu.com/usn/usn-1503-1/
========================

Updated packages in core/updates_testing:
========================
rhythmbox-0.13.3-5.1.mga1
librhythmbox3-0.13.3-5.1.mga1
rhythmbox-mozilla-0.13.3-5.1.mga1
rhythmbox-upnp-0.13.3-5.1.mga1
rhythmbox-devel-0.13.3-5.1.mga1
rhythmbox-2.96-1.1.mga2
librhythmbox5-2.96-1.1.mga2
rhythmbox-mozilla-2.96-1.1.mga2
rhythmbox-devel-2.96-1.1.mga2
librhythmbox-gir3.0-2.96-1.1.mga2

from SRPMS:
rhythmbox-0.13.3-5.1.mga1.src.rpm
rhythmbox-2.96-1.1.mga2.src.rpm

Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO

Comment 2 Manuel Hiebel 2012-07-15 15:41:01 CEST
The patched rhythmbox and the plugin work fine in mga1 (also affected as Debian squeeze)
For the advisory you can remove the line for ubuntu as this is useless for us.

Hardware: i586 => All
Summary: rhythmbox new security issue CVE-2012-3355 => rhythmbox new security issue CVE-2012-3355 [mga1 & 2]
Whiteboard: MGA1TOO => MGA1TOO, mga1-64-OK,

Comment 3 David Walser 2012-07-15 15:46:43 CEST
(In reply to comment #2)
> For the advisory you can remove the line for ubuntu as this is useless for us.

No, that's where I got the advisory text from.

Comment 4 Samuel Verschelde 2012-07-21 13:01:16 CEST
(In reply to comment #3)
> (In reply to comment #2)
> > For the advisory you can remove the line for ubuntu as this is useless for us.
> 
> No, that's where I got the advisory text from.

The reference should stay, but indeed "The Context plugin is disabled by default in Ubuntu (CVE-2012-3355)." has no interest to Mageia users, has it?

CC: (none) => stormi

Comment 5 David Walser 2012-07-21 18:05:05 CEST
(In reply to comment #4)
> (In reply to comment #3)
> > (In reply to comment #2)
> > > For the advisory you can remove the line for ubuntu as this is useless for us.
> > 
> > No, that's where I got the advisory text from.
> 
> The reference should stay, but indeed "The Context plugin is disabled by
> default in Ubuntu (CVE-2012-3355)." has no interest to Mageia users, has it?

Oh whoops.  Well the context plugin is disabled by default in Mageia as well, so we could leave that in and s/Ubuntu/Mageia/ or take it out.

Comment 6 Dave Hodgins 2012-07-22 01:50:13 CEST
After creating an account at last.fm, rhythmbox is
working with the context plugin.

# lsof -n|grep rhyt|grep tmp
shows that all of the tmp files have random characters in the names.

Testing complete on Mageia 1 i586.

I'll test Mageia 2 i586 shortly.

CC: (none) => davidwhodgins
Whiteboard: MGA1TOO, mga1-64-OK, => MGA1TOO, mga1-64-OK, MGA1-32-OK
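
The insecure temporary directory pattern named in the advisory, beside a hardened form and a scripted version of the name check done in comment 6. This is an added example, not Rhythmbox's code or the upstream patch; the fixed name `context`, the `context-` prefix and all function names are hypothetical.

```python
import os
import stat
import tempfile

FIXED_NAME = "context"  # hypothetical fixed name, not taken from Rhythmbox


def predictable_dir(base):
    """Insecure: fixed name in a shared directory, reuses whatever is there."""
    path = os.path.join(base, FIXED_NAME)
    # exist_ok=True accepts a directory (or a symlink to one) that another
    # local user created first, so later files land where they chose.
    os.makedirs(path, exist_ok=True)
    return path


def private_dir(base):
    """Hardened: random suffix, created atomically with mode 0700."""
    return tempfile.mkdtemp(prefix=FIXED_NAME + "-", dir=base)


def audit_dir(path):
    """Return findings for a temp directory; an empty list means it passed."""
    st = os.lstat(path)  # lstat so a planted symlink is not followed
    if stat.S_ISLNK(st.st_mode):
        return ["symlink"]
    findings = []
    if not stat.S_ISDIR(st.st_mode):
        findings.append("not-a-directory")
    if st.st_uid != os.getuid():
        findings.append("foreign-owner")
    if st.st_mode & 0o077:
        findings.append("group-or-world-access")
    if os.path.basename(path) == FIXED_NAME:
        findings.append("predictable-name")
    return findings


if __name__ == "__main__":
    base = tempfile.mkdtemp()  # constructed stand-in for a shared /tmp
    print(audit_dir(predictable_dir(base)))
    print(audit_dir(private_dir(base)))
```

A random-looking name in `lsof` output is one signal; the owner and mode checks in `audit_dir` cover the case where the name is random but the directory is still reachable by other users.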

Comment 7 Dave Hodgins 2012-07-22 02:14:20 CEST
Testing complete on Mageia 2 i586.

Whiteboard: MGA1TOO, mga1-64-OK, MGA1-32-OK => MGA1TOO, mga1-64-OK, MGA1-32-OK, MGA2-32-OK

Comment 8 Samuel Verschelde 2012-07-23 17:04:10 CEST
Testing complete on Mageia 2 64 bits.

Update validated. No linking needed. Thanks!

Advisory:
========================

Updated rhythmbox packages fix security vulnerability:

Hans Spaans discovered that the Context plugin in Rhythmbox created a
temporary directory in an insecure manner. A local attacker could exploit
this to execute arbitrary code as the user invoking the program. The
Context plugin is disabled by default in Mageia (CVE-2012-3355).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3355
http://www.ubuntu.com/usn/usn-1503-1/
========================

Updated packages in core/updates_testing:
========================
rhythmbox-0.13.3-5.1.mga1
librhythmbox3-0.13.3-5.1.mga1
rhythmbox-mozilla-0.13.3-5.1.mga1
rhythmbox-upnp-0.13.3-5.1.mga1
rhythmbox-devel-0.13.3-5.1.mga1
rhythmbox-2.96-1.1.mga2
librhythmbox5-2.96-1.1.mga2
rhythmbox-mozilla-2.96-1.1.mga2
rhythmbox-devel-2.96-1.1.mga2
librhythmbox-gir3.0-2.96-1.1.mga2

from SRPMS:
rhythmbox-0.13.3-5.1.mga1.src.rpm
rhythmbox-2.96-1.1.mga2.src.rpm

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO, mga1-64-OK, MGA1-32-OK, MGA2-32-OK => MGA1TOO, mga1-64-OK, MGA1-32-OK, MGA2-32-OK, MGA2-64-OK

Comment 9 Thomas Backlund 2012-07-24 13:27:30 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0179

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED