Security issues in cantata have been announced today:
The only solution is to remove the vulnerable D-Bus service.
Unfortunately, Mageia 6 is also affected as we have -DENABLE_REMOTE_DEVICES=ON.
CVEs have been assigned:
Summary: cantata new security issues in D-Bus service => cantata new security issues in D-Bus service (CVE-2018-12559, CVE-2018-1256[0-2])
Updated cantata package fixes security vulnerabilities:
The mount target path check in mounter.cpp `mpOk()` is insufficient: by passing
relative path components, a regular user can mount a CIFS filesystem anywhere,
not just beneath /home (CVE-2018-12559).
Arbitrary unmounts can be performed by regular users the same way (CVE-2018-12560).
A regular user can inject additional mount options such as file_mode= by
manipulating e.g. the domain parameter of the Samba URL (CVE-2018-12561).
The wrapper script 'mount.cifs.wrapper' uses the shell to forward the
arguments to the actual mount.cifs binary. The shell evaluates wildcards, which
can also be injected (CVE-2018-12562).
To fix these issues, the vulnerable D-Bus service has been removed.
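As an added illustration (not cantata's code, and not a reconstruction of mounter.cpp or mount.cifs.wrapper), the Python below puts each of the three bug classes named above next to a hardened form: a textual prefix check on the mount point against one that normalises and resolves the path, a -o string built by plain concatenation against an allow-listed one, and a wrapper that lets the shell expand $@ against one that quotes it. The temporary directory tree, the file names a.conf/b.conf and the user/domain values are constructed for the demo; the function names are the example's own.

```python
import os
import re
import subprocess
import tempfile


def weak_mount_point_ok(path, home_root="/home"):
    """Insufficient check (the bug class, not cantata's mpOk()): a textual
    prefix test lets '..' components and symlinks escape home_root."""
    return path.startswith(home_root + "/")


def strict_mount_point_ok(path, home_root="/home"):
    """Require an absolute path whose lexical normalisation *and* symlink
    resolution both stay strictly below home_root."""
    if not os.path.isabs(path):
        return False
    checks = (
        (os.path.normpath(path), os.path.normpath(home_root)),   # catches '..'
        (os.path.realpath(path), os.path.realpath(home_root)),   # catches symlinks
    )
    for candidate, root in checks:
        # Mounting over home_root itself is not "beneath" it either.
        if candidate == root or os.path.commonpath([candidate, root]) != root:
            return False
    return True


def symlink_demo():
    """Build a throw-away tree  home/user/escape -> outside  and run both checks
    on a plain path, a '..' path and a symlinked path.
    Returns {case: (weak_result, strict_result)}."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)            # /tmp itself may be a symlink
        home = os.path.join(tmp, "home")
        outside = os.path.join(tmp, "outside")
        os.makedirs(os.path.join(home, "user"))
        os.makedirs(outside)
        os.symlink(outside, os.path.join(home, "user", "escape"))
        cases = {
            "plain": os.path.join(home, "user", "Music"),
            "dotdot": os.path.join(home, "user", "..", "..", "outside"),
            "symlink": os.path.join(home, "user", "escape", "mnt"),
        }
        return {name: (weak_mount_point_ok(p, home), strict_mount_point_ok(p, home))
                for name, p in cases.items()}


_SAFE_VALUE = re.compile(r"[A-Za-z0-9._-]+")   # constructed allow-list for the demo


def weak_cifs_options(user, domain):
    """Caller-controlled values are concatenated into the -o string as-is."""
    return "user=%s,domain=%s" % (user, domain)


def strict_cifs_options(user, domain):
    """Allow-list every value so ',' and '=' never reach the option parser."""
    for name, value in (("user", user), ("domain", domain)):
        if not _SAFE_VALUE.fullmatch(value):
            raise ValueError("illegal character in %s=%r" % (name, value))
    return "user=%s,domain=%s" % (user, domain)


def option_names(opt_string):
    """What mount.cifs would see: the option names of a comma-separated -o string."""
    return [item.split("=", 1)[0] for item in opt_string.split(",")]


def wildcard_demo():
    """Forward the argument '*.conf' through two wrapper variants in a directory
    holding a.conf and b.conf; return the arguments printf actually received."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("a.conf", "b.conf"):
            open(os.path.join(tmp, name), "w").close()
        wrappers = {
            "unquoted": "exec printf '%s\\n' $@\n",     # shell globs before exec
            "quoted": "exec printf '%s\\n' \"$@\"\n",   # arguments pass through intact
        }
        received = {}
        for label, body in wrappers.items():
            script = os.path.join(tmp, label + ".sh")
            with open(script, "w") as fh:
                fh.write("#!/bin/sh\n" + body)
            proc = subprocess.run(["sh", script, "*.conf"], cwd=tmp,
                                  capture_output=True, text=True, check=True)
            received[label] = proc.stdout.split()
        return received


if __name__ == "__main__":
    print(symlink_demo())
    print(option_names(weak_cifs_options("alice", "WORKGROUP,file_mode=0777")))
    print(wildcard_demo())
```

The prefix check passes all three mount points; the hardened one passes only the plain path. The concatenated -o string hands mount.cifs a third option, file_mode, that the caller was never allowed to set, and the unquoted wrapper turns a single literal argument into whatever the glob matches in the working directory.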
Updated packages in core/updates_testing:
MGA6-32 on IBM Thinkpad R50e MATE
No installation issues
There was no previous version of cantata on this laptop, so I had to go through the setup, choosing the basic configuration and the standard "Muziek" folder in the normal user's home folder. It is also the pwd when launching cantata from the CLI.
Cantata starts the GUI complaining it cannot find "Personal"; then I try to point it to the "Muziek" folder, and it crashes.
From the CLI:
QPixmap::scaled: Pixmap is a null pixmap
QSqlDatabase: QSQLITE driver not loaded
QSqlDatabase: available drivers:
Jul 01 10:43 : socket: Failed to bind to '/home/tester6/.local/share/cantata/mpd/socket': Address already in use
Jul 01 10:43 : errno: Failed to open /home/tester6/.cache/cantata/mpd/tag_cache: No such file or directory
Segmentation fault (core dumped)
There is no sqlite installed on this laptop, and nowhere in the startup configuration is it mentioned that this is needed, so ????
I ran into the same thing. I installed libqt5-database-plugin-sqlite, I had sqlite installed, and it worked.
I installed this as an individual user, not as a shared resource (there are two options; I couldn't connect on the multi-user one in first testing).
Other than dependency, it works as designed.
Thanks, Brian, for the hint.
With this sqlite installed, cantata plays local files as well as streams from internet radios fine. OK for me, if the sqlite thingy is not considered a problem by the higher powers in QA.
Advice from a lower power: maybe push this back to the maintainer to resolve the plugin dependency. When reassigned it should not need more testing - Herman and Brian have done enough.
The missing requires is not a regression, so doesn't block this update.
Adding the ok based on above comments.
Advisory committed to svn.
Validating the update.
An update for this issue has been pushed to the Mageia Updates repository.