Bug 6767 - rhythmbox new security issue CVE-2012-3355 [mga1 & 2]
: rhythmbox new security issue CVE-2012-3355 [mga1 & 2]
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: All Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/506566/
: MGA1TOO, mga1-64-OK, MGA1-32-OK, MGA2...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-07-12 20:38 CEST by David Walser
Modified: 2012-07-24 13:27 CEST (History)
8 users (show)

See Also:
Source RPM: rhythmbox-2.96-1.mga2.src.rpm
CVE:


Attachments

Description David Walser 2012-07-12 20:38:26 CEST
Ubuntu has issued an advisory on July 11:
http://www.ubuntu.com/usn/usn-1503-1/

It's an insecure temp file vulnerability.  Patch is available upstream:
https://bugzilla.gnome.org/show_bug.cgi?id=678661

It seems older versions past a certain point aren't vulnerable, but not sure what the cut off is.  Will need to investigate this for Mageia 1.
Comment 1 David Walser 2012-07-13 19:29:32 CEST
Patched package uploaded for Mageia 1, Mageia 2, and Cauldron.

To test this, you have to enable the Context plugin.  It appears that you have to log into a last.fm account to actually use it.

Advisory:
========================

Updated rhythmbox packages fix security vulnerability:

Hans Spaans discovered that the Context plugin in Rhythmbox created a
temporary directory in an insecure manner. A local attacker could exploit
this to execute arbitrary code as the user invoking the program. The
Context plugin is disabled by default in Ubuntu (CVE-2012-3355).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3355
http://www.ubuntu.com/usn/usn-1503-1/
========================

Updated packages in core/updates_testing:
========================
rhythmbox-0.13.3-5.1.mga1
librhythmbox3-0.13.3-5.1.mga1
rhythmbox-mozilla-0.13.3-5.1.mga1
rhythmbox-upnp-0.13.3-5.1.mga1
rhythmbox-devel-0.13.3-5.1.mga1
rhythmbox-2.96-1.1.mga2
librhythmbox5-2.96-1.1.mga2
rhythmbox-mozilla-2.96-1.1.mga2
rhythmbox-devel-2.96-1.1.mga2
librhythmbox-gir3.0-2.96-1.1.mga2

from SRPMS:
rhythmbox-0.13.3-5.1.mga1.src.rpm
rhythmbox-2.96-1.1.mga2.src.rpm
Comment 2 Manuel Hiebel 2012-07-15 15:41:01 CEST
The patched rhythmbox and the plugin works fine in mga1 (also affected as debian squeeze)
For the advisory you can remove the line for ubuntu as this is useless for us.
Comment 3 David Walser 2012-07-15 15:46:43 CEST
(In reply to comment #2)
> For the advisory you can remove the line for ubuntu as this is useless for us.

No, that's where I got the advisory text from.
Comment 4 Samuel Verschelde 2012-07-21 13:01:16 CEST
(In reply to comment #3)
> (In reply to comment #2)
> > For the advisory you can remove the line for ubuntu as this is useless for us.
> 
> No, that's where I got the advisory text from.

The reference should stay, but indeed "The Context plugin is disabled by default in Ubuntu (CVE-2012-3355)." has no interest to Mageia users, has it?
Comment 5 David Walser 2012-07-21 18:05:05 CEST
(In reply to comment #4)
> (In reply to comment #3)
> > (In reply to comment #2)
> > > For the advisory you can remove the line for ubuntu as this is useless for us.
> > 
> > No, that's where I got the advisory text from.
> 
> The reference should stay, but indeed "The Context plugin is disabled by
> default in Ubuntu (CVE-2012-3355)." has no interest to Mageia users, has it?

Oh whoops.  Well the context plugin is disabled by default in Mageia as well, so we could leave that in and s/Ubuntu/Mageia/ or take it out.
Comment 6 Dave Hodgins 2012-07-22 01:50:13 CEST
After creating an account at last.fm, rhythmbox is
working with the context plugin.

# lsof -n|grep rhyt|grep tmp
shows that all of the tmp files have random characters in the names.

Testing complete on Mageia 1 i586.

I'll test Mageia 2 i586 shortly.
Comment 7 Dave Hodgins 2012-07-22 02:14:20 CEST
Testing complete on Mageia 2 i586.
Comment 8 Samuel Verschelde 2012-07-23 17:04:10 CEST
Testing complete on Mageia 2 64 bits.

Update validated. No linking needed. Thanks!

Advisory:
========================

Updated rhythmbox packages fix security vulnerability:

Hans Spaans discovered that the Context plugin in Rhythmbox created a
temporary directory in an insecure manner. A local attacker could exploit
this to execute arbitrary code as the user invoking the program. The
Context plugin is disabled by default in Mageia (CVE-2012-3355).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3355
http://www.ubuntu.com/usn/usn-1503-1/
========================

Updated packages in core/updates_testing:
========================
rhythmbox-0.13.3-5.1.mga1
librhythmbox3-0.13.3-5.1.mga1
rhythmbox-mozilla-0.13.3-5.1.mga1
rhythmbox-upnp-0.13.3-5.1.mga1
rhythmbox-devel-0.13.3-5.1.mga1
rhythmbox-2.96-1.1.mga2
librhythmbox5-2.96-1.1.mga2
rhythmbox-mozilla-2.96-1.1.mga2
rhythmbox-devel-2.96-1.1.mga2
librhythmbox-gir3.0-2.96-1.1.mga2

from SRPMS:
rhythmbox-0.13.3-5.1.mga1.src.rpm
rhythmbox-2.96-1.1.mga2.src.rpm
Comment 9 Thomas Backlund 2012-07-24 13:27:30 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0179

Note You need to log in before you can comment on or make changes to this bug.