Debian Bug report logs - #494765
amarok: Possible insecure temporary file creation?


Package: amarok; Maintainer for amarok is Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>; Source for amarok is src:amarok.

Reported by: Dwayne Litzenberger <dlitz@dlitz.net>

Date: Tue, 12 Aug 2008 00:12:01 UTC

Severity: normal

Tags: security

Found in version amarok/1.4.9.1-2

Fixed in versions amarok/1.4.10-1, amarok/1.90-1

Done: Modestas Vainius <modestas@vainius.eu>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Modestas Vainius <modestas@vainius.eu>: Bug#494765; Package amarok.

Acknowledgement sent to Dwayne Litzenberger <dlitz@dlitz.net>: New Bug report received and forwarded. Copy sent to Modestas Vainius <modestas@vainius.eu>.


Message #5 received at submit@bugs.debian.org:

From: Dwayne Litzenberger <dlitz@dlitz.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: amarok: Possible insecure temporary file creation?
Date: Mon, 11 Aug 2008 20:10:09 -0400
Package: amarok
Version: 1.4.9.1-2
Severity: normal
Tags: security

This was originally going to be a wishlist bug against the amarok package, 
suggesting that Amarok's "Magnatune Browser" download the 427 kB 
bzip2-compressed album list (from 
http://magnatune.com/info/album_info_xml.bz2) instead of the 11 MB 
uncompressed album list (from http://magnatune.com/info/album_info.xml).

I looked at the source code and found the following code (in 
amarok/src/magnatunebrowser/magnatunebrowser.cpp).  I'm not familiar enough 
with Qt to be sure, but it looks to me like the code is creating a temporary 
file insecurely.  At minimum, I think this code will break if another user 
has already created /tmp/album_info.xml (thus preventing the current user 
from deleting it).

--- START OF QUOTED CODE ---
void MagnatuneBrowser::listDownloadComplete( KIO::Job * downLoadJob )
{

     if ( downLoadJob != m_listDownloadJob )
         return ; //not the right job, so let's ignore it

     m_updateListButton->setEnabled( true );
     // upstream spells this "!downLoadJob->error() == 0"; since (!x) == 0 is x != 0 the behaviour is the same
     if ( downLoadJob->error() != 0 )
     {
         //TODO: error handling here
         return ;
     }


     KIO::StoredTransferJob* const storedJob = static_cast<KIO::StoredTransferJob*>( downLoadJob );
     QString list = QString( storedJob->data() );


     // fixed, predictable file name in the shared, world-writable /tmp
     QFile file( "/tmp/album_info.xml" );

     // remove() fails if the existing file belongs to another user (sticky /tmp),
     // and nothing keeps the name free between this check and the open() below
     if ( file.exists() )
         file.remove();

     if ( file.open( IO_WriteOnly ) ) // opens whatever is at that path at this moment
     {
         QTextStream stream( &file );
         stream << list;
         file.close();
     }


     MagnatuneXmlParser * parser = new MagnatuneXmlParser( "/tmp/album_info.xml" );
     connect( parser, SIGNAL( doneParsing() ), SLOT( doneParsing() ) );

     ThreadManager::instance() ->queueJob( parser );
}
--- END OF QUOTED CODE ---


-- System Information:
Debian Release: lenny/sid
   APT prefers unstable
   APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.25-2-686 (SMP w/1 CPU core)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages amarok depends on:
ii  amarok-common           1.4.9.1-2        architecture independent files for
ii  amarok-engine-xine      1.4.9.1-2        Xine engine for the Amarok audio p
ii  amarok-engine-yauap     1.4.9.1-2        Yauap engine for the Amarok audio 
ii  kdelibs4c2a             4:3.5.9.dfsg.1-6 core libraries and binaries for al
ii  libc6                   2.7-12           GNU C Library: Shared libraries
ii  libgcc1                 1:4.3.1-7        GCC support library
ii  libgl1-mesa-glx [libgl1 7.0.3-5          A free implementation of the OpenG
ii  libglib2.0-0            2.16.4-2         The GLib library of C routines
ii  libgpod3                0.6.0-6          library to read and write songs an
ii  libifp4                 1.0.0.2-3        communicate with iRiver iFP audio 
ii  libkarma0               0.0.6-4          Rio Karma access library [runtime 
ii  libmtp7                 0.2.6.1-3        Media Transfer Protocol (MTP) libr
ii  libmysqlclient15off     5.0.51a-11       MySQL database client library
ii  libnjb5                 2.2.5-4.2        Creative Labs Nomad Jukebox librar
ii  libpq5                  8.3.3-1          PostgreSQL C client library
ii  libqt3-mt               3:3.3.8b-5       Qt GUI Library (Threaded runtime v
ii  libruby1.8              1.8.7.22-3       Libraries necessary to run Ruby 1.
ii  libsdl1.2debian         1.2.13-2         Simple DirectMedia Layer
ii  libsqlite3-0            3.5.9-3          SQLite 3 shared library
ii  libstdc++6              4.3.1-7          The GNU Standard C++ Library v3
ii  libtag1c2a              1.5-3            TagLib Audio Meta-Data Library
ii  libtunepimp5            0.5.3-7          MusicBrainz tagging library
ii  libusb-0.1-4            2:0.1.12-12      userspace USB programming library
ii  libvisual-0.4-0         0.4.0-2.1        Audio visualization framework
ii  unzip                   5.52-11          De-archiver for .zip files

Versions of packages amarok recommends:
ii  amarok-konqsidebar            1.4.9.1-2  Amarok sidebar for konqueror 3.x.x
ii  kdemultimedia-kio-plugins     4:3.5.9-2  enables the browsing of audio CDs 

Versions of packages amarok suggests:
ii  amarok-engines          1.4.9.1-2        output engines for the Amarok musi
ii  dillo [www-browser]     0.8.6-3          Small and fast web browser
ii  elinks [www-browser]    0.11.4-1+b1      advanced text-mode WWW browser
ii  iceweasel [www-browser] 3.0.1-1          lightweight web browser based on M
ii  konqueror [www-browser] 4:3.5.9.dfsg.1-4 KDE's advanced file manager, web b
ii  libvisual-0.4-plugins   0.4.0.dfsg.1-2   Audio visualization framework plug
ii  lynx-cur [www-browser]  2.8.7dev9-1.2    Text-mode WWW Browser with NLS sup
ii  moodbar                 0.1.2-2          Analysis program for creating a co
ii  w3m [www-browser]       0.5.2-2+b1       WWW browsable pager with excellent

-- no debconf information
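A safe counterpart to the remove()-then-open() pattern in the quoted code, as an added C example (it is neither Amarok's code nor the upstream 1.4.10 fix): the file is created with mkstemp() under $TMPDIR or /tmp and checked through its descriptor rather than by path. The function names and the XML sample are assumptions made for the example.

```c
#define _XOPEN_SOURCE 700   /* declares mkstemp(), fstat(), O_NOFOLLOW */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Check through the descriptor (never by re-looking-up the path) that we hold
 * a regular file we own, with no group/other access and a single hard link. */
int fd_is_private_regular(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_uid == geteuid() &&
           (st.st_mode & (S_IRWXG | S_IRWXO)) == 0 && st.st_nlink == 1;
}

/* Safe counterpart of the quoted remove()-then-open() on "/tmp/album_info.xml":
 * mkstemp() opens an unpredictable name under $TMPDIR (or /tmp) with
 * O_CREAT|O_EXCL and mode 0600, so a name already taken by another user's file
 * or symlink makes the call fail instead of being reused. Returns 0 and the
 * path in path_out on success, -1 with errno set on failure. */
int write_album_list_securely(const char *data, size_t len,
                              char *path_out, size_t path_cap)
{
    const char *dir = getenv("TMPDIR");
    char tmpl[4096];
    if (dir == NULL || *dir == '\0') dir = "/tmp";
    if (snprintf(tmpl, sizeof tmpl, "%s/album_info.XXXXXX", dir) >= (int)sizeof tmpl
        || strlen(tmpl) + 1 > path_cap) {
        errno = ENAMETOOLONG; return -1;
    }
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    if (!fd_is_private_regular(fd)) {   /* should never happen; refuse anyway */
        close(fd); unlink(tmpl); errno = EPERM; return -1;
    }
    for (size_t done = 0; done < len; ) {   /* write(2) may be short: loop */
        ssize_t n = write(fd, data + done, len - done);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) { close(fd); unlink(tmpl); return -1; }
        done += (size_t)n;
    }
    if (close(fd) != 0) { unlink(tmpl); return -1; }
    memcpy(path_out, tmpl, strlen(tmpl) + 1);
    return 0;
}
```

The caller then hands the returned path to the parser and unlinks it afterwards, so no predictable name is ever shared with other users of the host.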

Information forwarded to debian-bugs-dist@lists.debian.org, Modestas Vainius <modestas@vainius.eu>: Bug#494765; Package amarok.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Modestas Vainius <modestas@vainius.eu>.


Message #10 received at 494765@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Dwayne Litzenberger <dlitz@dlitz.net>
Cc: 494765@bugs.debian.org
Subject: Re: amarok: Possible insecure temporary file creation?
Date: Thu, 14 Aug 2008 00:35:04 +0200
Dwayne Litzenberger wrote:
> Package: amarok
> Version: 1.4.9.1-2
> Severity: normal
> Tags: security
> 
> I looked at the source code and found the following code (in 
> amarok/src/magnatunebrowser/magnatunebrowser.cpp).  I'm not familiar enough 
> with Qt to be sure, but it looks to me like the code creating a temporary 
> file insecurely.  At minimum, I think this code will break if another user 
> has already created /tmp/album_info.xml (thus preventing the current user 
> from deleting it).

In my test on Etch Amarok didn't dereference a symlink, so this doesn't
seem like a security problem.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Modestas Vainius <modestas@vainius.eu>: Bug#494765; Package amarok.

Acknowledgement sent to "David C. Manuelda" <stormbyte@gmail.com>: Extra info received and forwarded to list. Copy sent to Modestas Vainius <modestas@vainius.eu>.


Message #15 received at 494765@bugs.debian.org:

From: "David C. Manuelda" <stormbyte@gmail.com>
To: 494765@bugs.debian.org
Subject: fixed by amarok 1.4.10
Date: Thu, 14 Aug 2008 01:34:21 +0200
Anyway, this bug has been fixed in amarok 1.4.10 as stated in 
http://amarok.kde.org/en/node/535/




Information forwarded to debian-bugs-dist@lists.debian.org, Modestas Vainius <modestas@vainius.eu>: Bug#494765; Package amarok.

Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Modestas Vainius <modestas@vainius.eu>.


Message #20 received at 494765@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 494765@bugs.debian.org
Subject: Re: amarok: Possible insecure temporary file creation?
Date: Fri, 15 Aug 2008 11:07:05 +0200
Hi,
could you attach an strace of the process to this bug 
report?

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Reply sent to Modestas Vainius <modestas@vainius.eu>: You have taken responsibility.

Notification sent to Dwayne Litzenberger <dlitz@dlitz.net>: Bug acknowledged by developer.


Message #25 received at 494765-close@bugs.debian.org:

From: Modestas Vainius <modestas@vainius.eu>
To: 494765-close@bugs.debian.org
Subject: Bug#494765: fixed in amarok 1.4.10-1
Date: Fri, 15 Aug 2008 09:47:08 +0000
Source: amarok
Source-Version: 1.4.10-1

We believe that the bug you reported is fixed in the latest version of
amarok, which is due to be installed in the Debian FTP archive:

amarok-common_1.4.10-1_all.deb
  to pool/main/a/amarok/amarok-common_1.4.10-1_all.deb
amarok-dbg_1.4.10-1_amd64.deb
  to pool/main/a/amarok/amarok-dbg_1.4.10-1_amd64.deb
amarok-engine-xine_1.4.10-1_amd64.deb
  to pool/main/a/amarok/amarok-engine-xine_1.4.10-1_amd64.deb
amarok-engine-yauap_1.4.10-1_amd64.deb
  to pool/main/a/amarok/amarok-engine-yauap_1.4.10-1_amd64.deb
amarok-engines_1.4.10-1_all.deb
  to pool/main/a/amarok/amarok-engines_1.4.10-1_all.deb
amarok-konqsidebar_1.4.10-1_amd64.deb
  to pool/main/a/amarok/amarok-konqsidebar_1.4.10-1_amd64.deb
amarok_1.4.10-1.diff.gz
  to pool/main/a/amarok/amarok_1.4.10-1.diff.gz
amarok_1.4.10-1.dsc
  to pool/main/a/amarok/amarok_1.4.10-1.dsc
amarok_1.4.10-1_amd64.deb
  to pool/main/a/amarok/amarok_1.4.10-1_amd64.deb
amarok_1.4.10.orig.tar.gz
  to pool/main/a/amarok/amarok_1.4.10.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 494765@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Modestas Vainius <modestas@vainius.eu> (supplier of updated amarok package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 14 Aug 2008 21:35:56 +0300
Source: amarok
Binary: amarok amarok-common amarok-konqsidebar amarok-engines amarok-engine-xine amarok-engine-yauap amarok-dbg
Architecture: source all amd64
Version: 1.4.10-1
Distribution: unstable
Urgency: high
Maintainer: Modestas Vainius <modestas@vainius.eu>
Changed-By: Modestas Vainius <modestas@vainius.eu>
Description: 
 amarok     - versatile and easy to use audio player for KDE
 amarok-common - architecture independent files for Amarok
 amarok-dbg - debugging symbols for Amarok
 amarok-engine-xine - Xine engine for the Amarok audio player
 amarok-engine-yauap - Yauap engine for the Amarok audio player
 amarok-engines - output engines for the Amarok music player
 amarok-konqsidebar - Amarok sidebar for konqueror 3.x.x
Closes: 494765
Changes: 
 amarok (1.4.10-1) unstable; urgency=high
 .
   * New upstream release:
     - [Secunia SA31418] Fixes insecure temporary file creation
       (Closes: #494765).
   * Urgency high due to security fix.





Bug marked as fixed in version 1.90-1. Request was from Modestas Vainius <modestas@vainius.eu> to control@bugs.debian.org. (Sun, 07 Sep 2008 19:57:05 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 06 Oct 2008 07:30:21 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 03:10:51 2025; Machine Name: buxtehude
