Bug 28477 - rygel leaking contents of user's Documents directory
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-02-27 20:25 CET by David Walser
Modified: 2021-04-12 22:02 CEST

See Also:
Source RPM: rygel-0.40.0-1.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2021-02-27 20:25:09 CET
Fedora has issued an advisory on February 26:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2NB4JXO5Y35UV7DFATHNU5W32UXE34RC/

The issue is fixed upstream in 0.40.1.

David Walser 2021-02-27 20:25:19 CET

Status comment: (none) => Fixed upstream in 0.40.1

Comment 1 Aurelien Oudelet 2021-02-28 20:59:04 CET
Hi, thanks for reporting this.
As there is no maintainer for this package I added the committers in CC.

(Please set the status to 'assigned' if you are working on it)

CC: (none) => olav, ouaurelien
Assignee: bugsquad => pkg-bugs

Comment 2 David GEIGER 2021-03-01 15:59:11 CET
Done for mga8!

CC: (none) => geiger.david68210

Comment 3 David Walser 2021-03-01 18:01:51 CET
Package list:
rygel-0.40.1-1.mga8
librygel2.6_2-0.40.1-1.mga8
rygel-tracker-0.40.1-1.mga8
librygel-devel-0.40.1-1.mga8
librygel-ruih2.0_2-0.40.1-1.mga8
librygel-gir2.6-0.40.1-1.mga8

Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 0.40.1 => (none)

Comment 4 Thomas Andrews 2021-04-10 05:16:17 CEST
Not normally a Gnome user, nor do I stream media, but I'll give this a stab, anyway.

Upgraded a M7 Gnome vbox guest to M8. Saw that rygel was already installed, so used qarepo to get updates. No installation issues.

The user is supposed to create a rygel.conf file, but if that isn't done /etc/rygel.conf is used. So I ran "rygel" in a terminal. It couldn't find the file, but started checking for plugins and cataloging media folders. I closed the terminal and brought up another, running "rygel -h" for a bit of help. Then I ran "rygel --shutdown" which said the remote service had been shut down.

So I flirted a bit with the edges, enough to see it not crash. Calling that good enough. If it needs more, someone else will have to try it.

Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK

Comment 5 Aurelien Oudelet 2021-04-12 16:05:56 CEST
Advisory:
========================

Updated rygel packages fix security vulnerability:

The rygel packages have been updated to version 0.40.1, fixing a security
issue and other bugs.

References:
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2NB4JXO5Y35UV7DFATHNU5W32UXE34RC/
 - https://bugzilla.redhat.com/show_bug.cgi?id=1931457
========================

Updated packages in 7/core/updates_testing:
========================
rygel-0.40.1-1.mga8
librygel2.6_2-0.40.1-1.mga8
rygel-tracker-0.40.1-1.mga8
librygel-devel-0.40.1-1.mga8
librygel-ruih2.0_2-0.40.1-1.mga8
librygel-gir2.6-0.40.1-1.mga8

from SRPM:
rygel-0.40.1-1.mga8.src.rpm

Keywords: (none) => advisory

Comment 6 Aurelien Oudelet 2021-04-12 16:06:33 CEST
Oops, please read 8/core/updates_testing above in Comment 5.

Comment 7 Mageia Robot 2021-04-12 22:02:20 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0179.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
