Security issues in cantata have been announced today: http://openwall.com/lists/oss-security/2018/06/18/1 The only solution is to remove the vulnerable D-Bus service. Unfortunately, Mageia 6 is also affected as we have -DENABLE_REMOTE_DEVICES=ON.
Whiteboard: (none) => MGA6TOO
CVEs have been assigned: http://openwall.com/lists/oss-security/2018/06/19/1
Summary: cantata new security issues in D-Bus service => cantata new security issues in D-Bus service (CVE-2018-12559, CVE-2018-1256[0-2])
Done!
Advisory: ======================== Updated cantata package fixes security vulnerabilities: The mount target path check in mounter.cpp `mpOk()` is insufficient. A regular user can this way mount a CIFS filesystem anywhere, and not just beneath /home by passing relative path components (CVE-2018-12559). Arbitrary unmounts can be performed by regular users the same way (CVE-2018-12560). A regular user can inject additional mount options like file_mode= by manipulating e.g. the domain parameter of the samba URL (CVE-2018-12561). The wrapper script 'mount.cifs.wrapper' uses the shell to forward the arguments to the actual mount.cifs binary. The shell evaluates wildcards which can also be injected (CVE-2018-12562). To fix these issues, the vulnerable D-Bus service has been removed. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12559 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12560 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12561 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12562 http://openwall.com/lists/oss-security/2018/06/19/1 ======================== Updated packages in core/updates_testing: ======================== cantata-2.0.1-5.1.mga6 from cantata-2.0.1-5.1.mga6.src.rpm
CC: (none) => geiger.david68210Version: Cauldron => 6Assignee: geiger.david68210 => qa-bugsWhiteboard: MGA6TOO => (none)
MGA6-32 on IBM Thinkpad R50e MATE No installation issues There was no previous version of cantata on this laptop. so I had to go thru the setup. choosing basic configuration and the standard "Muziek" folder in the normal users home folder. It is also the pwd when launching cantata from the CLI Cantata starts GUI complaining it cannot find "Personal", then I try to point it to the "Muziek" folder, and it crashes. From the CLI: $ cantata QPixmap::scaled: Pixmap is a null pixmap QSqlDatabase: QSQLITE driver not loaded QSqlDatabase: available drivers: Jul 01 10:43 : socket: Failed to bind to '/home/tester6/.local/share/cantata/mpd/socket': Address already in use Jul 01 10:43 : errno: Failed to open /home/tester6/.cache/cantata/mpd/tag_cache: No such file or directory Segmentatiefout (geheugendump gemaakt) There is no sqlite installed on this laptop, and that is nowhere mentioned in the startup-configuration this is needed, so ????
CC: (none) => herman.viaene
Hi Herman, I ran into the same thing. I installed libqt5-database-plugin-sqlite, I had sqlite installed, and it worked. I installed this as an individual user ot as a shared resources (there are two options, I couldn't connect on the multi-user in first testing) Other than dependency, it works as designed.
CC: (none) => brtians1
Tx Brian for the hint. With this sqlite installed, cantate plays well local files as streams from internet radios. OK for me, if the sqlite thingy is not considered a problem for the highr powers in QA.
Advice from a lower power; maybe push this back to the maintainer to resolve the plugin dependency. When reassigned it should not need more testing - Herman and Brian have done enough.
CC: (none) => tarazed25
The missing requires is not a regression, so doesn't block this update. Adding the ok based on above comments. Advisory committed to svn. Validating the update.
Keywords: (none) => advisory, validated_updateWhiteboard: (none) => MGA6-32-OKCC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0314.html
Status: NEW => RESOLVEDResolution: (none) => FIXED