Bug 23201 - cantata new security issues in D-Bus service (CVE-2018-12559, CVE-2018-1256[0-2])
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-06-19 02:15 CEST by David Walser
Modified: 2018-07-13 21:02 CEST

See Also:
Source RPM: cantata-2.3.1-1.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2018-06-19 02:15:43 CEST
Security issues in cantata have been announced today:
http://openwall.com/lists/oss-security/2018/06/18/1

The only solution is to remove the vulnerable D-Bus service.

Unfortunately, Mageia 6 is also affected as we have -DENABLE_REMOTE_DEVICES=ON.
David Walser 2018-06-19 02:15:49 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2018-06-19 12:59:25 CEST
CVEs have been assigned:
http://openwall.com/lists/oss-security/2018/06/19/1

Summary: cantata new security issues in D-Bus service => cantata new security issues in D-Bus service (CVE-2018-12559, CVE-2018-1256[0-2])

Comment 2 David GEIGER 2018-06-19 16:08:53 CEST
Done!
Comment 3 David Walser 2018-06-20 13:18:47 CEST
Advisory:
========================

Updated cantata package fixes security vulnerabilities:

The mount target path check in mounter.cpp `mpOk()` is insufficient. A regular
user can this way mount a CIFS filesystem anywhere, and not just beneath /home
by passing relative path components (CVE-2018-12559).

Arbitrary unmounts can be performed by regular users the same way
(CVE-2018-12560).

A regular user can inject additional mount options like file_mode= by
manipulating e.g. the domain parameter of the samba URL (CVE-2018-12561).

The wrapper script 'mount.cifs.wrapper' uses the shell to forward the
arguments to the actual mount.cifs binary. The shell evaluates wildcards which
can also be injected (CVE-2018-12562).

To fix these issues, the vulnerable D-Bus service has been removed.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12559
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12560
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12561
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12562
http://openwall.com/lists/oss-security/2018/06/19/1
========================

Updated packages in core/updates_testing:
========================
cantata-2.0.1-5.1.mga6

from cantata-2.0.1-5.1.mga6.src.rpm

CC: (none) => geiger.david68210
Version: Cauldron => 6
Assignee: geiger.david68210 => qa-bugs
Whiteboard: MGA6TOO => (none)
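
The advisory in comment 3 names two input-validation gaps: a mount target check that relative path components get past, and URL fields that carry extra mount options or shell wildcards. The sketch below is an added example, not Cantata's code and not part of the original thread. It contrasts a raw prefix test with a check on the normalized path and adds an allowlist for option values. All function names and sample inputs are hypothetical and constructed for illustration.

```cpp
#include <cctype>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Weak form (constructed to show the bug class): prefix test on the raw string.
bool naive_under_home(const std::string& p) {
    return p.compare(0, 6, "/home/") == 0;
}

// Resolve "." and ".." lexically. Relative paths yield "" and are rejected.
// This does not resolve symlinks; a privileged helper would also need
// realpath() on the live filesystem before trusting the result.
std::string normalize(const std::string& p) {
    if (p.empty() || p[0] != '/') return "";
    std::vector<std::string> parts;
    std::istringstream in(p);
    std::string c;
    while (std::getline(in, c, '/')) {
        if (c.empty() || c == ".") continue;
        if (c == "..") { if (!parts.empty()) parts.pop_back(); continue; }
        parts.push_back(c);
    }
    std::string out;
    for (const auto& s : parts) out += "/" + s;
    return out.empty() ? "/" : out;
}

// Hardened form: the prefix test runs on the normalized path only.
bool strict_under_home(const std::string& p) {
    const std::string n = normalize(p);
    return n.size() > 6 && n.compare(0, 6, "/home/") == 0;
}

// Allowlist for a value placed in a comma-separated mount option string:
// anything outside [A-Za-z0-9._-] is refused, which covers ',', '=',
// whitespace and the glob characters a shell wrapper would expand.
bool safe_option_value(const std::string& v) {
    if (v.empty()) return false;
    for (unsigned char ch : v)
        if (!std::isalnum(ch) && ch != '.' && ch != '-' && ch != '_') return false;
    return true;
}

int main() {
    const std::string target = "/home/../etc/x";  // constructed sample input
    std::cout << "naive=" << naive_under_home(target)
              << " strict=" << strict_under_home(target) << "\n";
    return strict_under_home(target) ? 1 : 0;
}
```
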

Comment 4 Herman Viaene 2018-07-01 10:56:22 CEST
MGA6-32 on IBM Thinkpad R50e MATE
No installation issues
There was no previous version of cantata on this laptop, so I had to go through the setup, choosing basic configuration and the standard "Muziek" folder in the normal user's home folder. It is also the pwd when launching cantata from the CLI.
Cantata starts the GUI complaining it cannot find "Personal", then I try to point it to the "Muziek" folder, and it crashes.
From the CLI:
$ cantata 
QPixmap::scaled: Pixmap is a null pixmap
QSqlDatabase: QSQLITE driver not loaded
QSqlDatabase: available drivers: 
Jul 01 10:43 : socket: Failed to bind to '/home/tester6/.local/share/cantata/mpd/socket': Address already in use
Jul 01 10:43 : errno: Failed to open /home/tester6/.cache/cantata/mpd/tag_cache: No such file or directory
Segmentatiefout (geheugendump gemaakt)
There is no sqlite installed on this laptop, and it is nowhere mentioned in the startup configuration that this is needed, so ????

CC: (none) => herman.viaene

Comment 5 Brian Rockwell 2018-07-10 01:42:40 CEST
Hi Herman,
I ran into the same thing.  I installed libqt5-database-plugin-sqlite, I had sqlite installed, and it worked. 

I installed this as an individual user ot as a shared resources (there are two options, I couldn't connect on the multi-user in first testing)

Other than dependency, it works as designed.

CC: (none) => brtians1

Comment 6 Herman Viaene 2018-07-11 15:10:25 CEST
Tx Brian for the hint.
With this sqlite installed, cantata plays well local files as streams from internet radios. OK for me, if the sqlite thingy is not considered a problem for the higher powers in QA.
Comment 7 Len Lawrence 2018-07-12 11:53:09 CEST
Advice from a lower power; maybe push this back to the maintainer to resolve the plugin dependency.  When reassigned it should not need more testing - Herman and Brian have done enough.

CC: (none) => tarazed25

Comment 8 Dave Hodgins 2018-07-12 21:57:08 CEST
The missing requires is not a regression, so doesn't block this update.

Adding the ok based on above comments.
Advisory committed to svn.
Validating the update.

Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA6-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 9 Mageia Robot 2018-07-13 21:02:16 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0314.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

