Ubuntu has issued an advisory on July 11: http://www.ubuntu.com/usn/usn-1503-1/ It's an insecure temp file vulnerability. Patch is available upstream: https://bugzilla.gnome.org/show_bug.cgi?id=678661 It seems older versions past a certain point aren't vulnerable, but not sure what the cut off is. Will need to investigate this for Mageia 1.
CC: (none) => olavWhiteboard: (none) => MGA2TOO, MGA1TOO
CC: (none) => jani.valimaa
CC: (none) => fundawang
CC: (none) => pterjan
Patched package uploaded for Mageia 1, Mageia 2, and Cauldron. To test this, you have to enable the Context plugin. It appears that you have to log into a last.fm account to actually use it. Advisory: ======================== Updated rhythmbox packages fix security vulnerability: Hans Spaans discovered that the Context plugin in Rhythmbox created a temporary directory in an insecure manner. A local attacker could exploit this to execute arbitrary code as the user invoking the program. The Context plugin is disabled by default in Ubuntu (CVE-2012-3355). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3355 http://www.ubuntu.com/usn/usn-1503-1/ ======================== Updated packages in core/updates_testing: ======================== rhythmbox-0.13.3-5.1.mga1 librhythmbox3-0.13.3-5.1.mga1 rhythmbox-mozilla-0.13.3-5.1.mga1 rhythmbox-upnp-0.13.3-5.1.mga1 rhythmbox-devel-0.13.3-5.1.mga1 rhythmbox-2.96-1.1.mga2 librhythmbox5-2.96-1.1.mga2 rhythmbox-mozilla-2.96-1.1.mga2 rhythmbox-devel-2.96-1.1.mga2 librhythmbox-gir3.0-2.96-1.1.mga2 from SRPMS: rhythmbox-0.13.3-5.1.mga1.src.rpm rhythmbox-2.96-1.1.mga2.src.rpm
Version: Cauldron => 2Assignee: bugsquad => qa-bugsWhiteboard: MGA2TOO, MGA1TOO => MGA1TOO
The patched rhythmbox and the plugin works fine in mga1 (also affected as debian squeeze) For the advisory you can remove the line for ubuntu as this is useless for us.
Hardware: i586 => AllSummary: rhythmbox new security issue CVE-2012-3355 => rhythmbox new security issue CVE-2012-3355 [mga1 & 2]Whiteboard: MGA1TOO => MGA1TOO, mga1-64-OK,
(In reply to comment #2) > For the advisory you can remove the line for ubuntu as this is useless for us. No, that's where I got the advisory text from.
(In reply to comment #3) > (In reply to comment #2) > > For the advisory you can remove the line for ubuntu as this is useless for us. > > No, that's where I got the advisory text from. The reference should stay, but indeed "The Context plugin is disabled by default in Ubuntu (CVE-2012-3355)." has no interest to Mageia users, has it?
CC: (none) => stormi
(In reply to comment #4) > (In reply to comment #3) > > (In reply to comment #2) > > > For the advisory you can remove the line for ubuntu as this is useless for us. > > > > No, that's where I got the advisory text from. > > The reference should stay, but indeed "The Context plugin is disabled by > default in Ubuntu (CVE-2012-3355)." has no interest to Mageia users, has it? Oh whoops. Well the context plugin is disabled by default in Mageia as well, so we could leave that in and s/Ubuntu/Mageia/ or take it out.
After creating an account at last.fm, rhythmbox is working with the context plugin. # lsof -n|grep rhyt|grep tmp shows that all of the tmp files have random characters in the names. Testing complete on Mageia 1 i586. I'll test Mageia 2 i586 shortly.
CC: (none) => davidwhodginsWhiteboard: MGA1TOO, mga1-64-OK, => MGA1TOO, mga1-64-OK, MGA1-32-OK
Testing complete on Mageia 2 i586.
Whiteboard: MGA1TOO, mga1-64-OK, MGA1-32-OK => MGA1TOO, mga1-64-OK, MGA1-32-OK, MGA2-32-OK
Testing complete on Mageia 2 64 bits. Update validated. No linking needed. Thanks! Advisory: ======================== Updated rhythmbox packages fix security vulnerability: Hans Spaans discovered that the Context plugin in Rhythmbox created a temporary directory in an insecure manner. A local attacker could exploit this to execute arbitrary code as the user invoking the program. The Context plugin is disabled by default in Mageia (CVE-2012-3355). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3355 http://www.ubuntu.com/usn/usn-1503-1/ ======================== Updated packages in core/updates_testing: ======================== rhythmbox-0.13.3-5.1.mga1 librhythmbox3-0.13.3-5.1.mga1 rhythmbox-mozilla-0.13.3-5.1.mga1 rhythmbox-upnp-0.13.3-5.1.mga1 rhythmbox-devel-0.13.3-5.1.mga1 rhythmbox-2.96-1.1.mga2 librhythmbox5-2.96-1.1.mga2 rhythmbox-mozilla-2.96-1.1.mga2 rhythmbox-devel-2.96-1.1.mga2 librhythmbox-gir3.0-2.96-1.1.mga2 from SRPMS: rhythmbox-0.13.3-5.1.mga1.src.rpm rhythmbox-2.96-1.1.mga2.src.rpm
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugsWhiteboard: MGA1TOO, mga1-64-OK, MGA1-32-OK, MGA2-32-OK => MGA1TOO, mga1-64-OK, MGA1-32-OK, MGA2-32-OK, MGA2-64-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0179
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED