Acknowledgement sent to Dwayne Litzenberger <dlitz@dlitz.net>:
New Bug report received and forwarded. Copy sent to Modestas Vainius <modestas@vainius.eu>.
Package: amarok
Version: 1.4.9.1-2
Severity: normal
Tags: security
This was originally going to be a wishlist bug against the amarok package,
suggesting that Amarok's "Magnatune Browser" download the 427 kB
bzip2-compressed album list (from
http://magnatune.com/info/album_info_xml.bz2) instead of the 11 MB
uncompressed album list (from http://magnatune.com/info/album_info.xml).
I looked at the source code and found the following code (in
amarok/src/magnatunebrowser/magnatunebrowser.cpp). I'm not familiar enough
with Qt to be sure, but it looks to me like the code is creating a temporary
file insecurely. At minimum, I think this code will break if another user
has already created /tmp/album_info.xml (thus preventing the current user
from deleting it).
--- START OF QUOTED CODE ---
void MagnatuneBrowser::listDownloadComplete( KIO::Job * downLoadJob )
{
    if ( downLoadJob != m_listDownloadJob )
        return ; //not the right job, so let's ignore it

    m_updateListButton->setEnabled( true );

    if ( !downLoadJob->error() == 0 )
    {
        //TODO: error handling here
        return ;
    }

    KIO::StoredTransferJob* const storedJob = static_cast<KIO::StoredTransferJob*>( downLoadJob );
    QString list = QString( storedJob->data() );

    QFile file( "/tmp/album_info.xml" );
    if ( file.exists() )
        file.remove();

    if ( file.open( IO_WriteOnly ) )
    {
        QTextStream stream( &file );
        stream << list;
        file.close();
    }

    MagnatuneXmlParser * parser = new MagnatuneXmlParser( "/tmp/album_info.xml" );
    connect( parser, SIGNAL( doneParsing() ), SLOT( doneParsing() ) );
    ThreadManager::instance() ->queueJob( parser );
}
--- END OF QUOTED CODE ---
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.25-2-686 (SMP w/1 CPU core)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages amarok depends on:
ii amarok-common 1.4.9.1-2 architecture independent files for
ii amarok-engine-xine 1.4.9.1-2 Xine engine for the Amarok audio p
ii amarok-engine-yauap 1.4.9.1-2 Yauap engine for the Amarok audio
ii kdelibs4c2a 4:3.5.9.dfsg.1-6 core libraries and binaries for al
ii libc6 2.7-12 GNU C Library: Shared libraries
ii libgcc1 1:4.3.1-7 GCC support library
ii libgl1-mesa-glx [libgl1 7.0.3-5 A free implementation of the OpenG
ii libglib2.0-0 2.16.4-2 The GLib library of C routines
ii libgpod3 0.6.0-6 library to read and write songs an
ii libifp4 1.0.0.2-3 communicate with iRiver iFP audio
ii libkarma0 0.0.6-4 Rio Karma access library [runtime
ii libmtp7 0.2.6.1-3 Media Transfer Protocol (MTP) libr
ii libmysqlclient15off 5.0.51a-11 MySQL database client library
ii libnjb5 2.2.5-4.2 Creative Labs Nomad Jukebox librar
ii libpq5 8.3.3-1 PostgreSQL C client library
ii libqt3-mt 3:3.3.8b-5 Qt GUI Library (Threaded runtime v
ii libruby1.8 1.8.7.22-3 Libraries necessary to run Ruby 1.
ii libsdl1.2debian 1.2.13-2 Simple DirectMedia Layer
ii libsqlite3-0 3.5.9-3 SQLite 3 shared library
ii libstdc++6 4.3.1-7 The GNU Standard C++ Library v3
ii libtag1c2a 1.5-3 TagLib Audio Meta-Data Library
ii libtunepimp5 0.5.3-7 MusicBrainz tagging library
ii libusb-0.1-4 2:0.1.12-12 userspace USB programming library
ii libvisual-0.4-0 0.4.0-2.1 Audio visualization framework
ii unzip 5.52-11 De-archiver for .zip files
Versions of packages amarok recommends:
ii amarok-konqsidebar 1.4.9.1-2 Amarok sidebar for konqueror 3.x.x
ii kdemultimedia-kio-plugins 4:3.5.9-2 enables the browsing of audio CDs
Versions of packages amarok suggests:
ii amarok-engines 1.4.9.1-2 output engines for the Amarok musi
ii dillo [www-browser] 0.8.6-3 Small and fast web browser
ii elinks [www-browser] 0.11.4-1+b1 advanced text-mode WWW browser
ii iceweasel [www-browser] 3.0.1-1 lightweight web browser based on M
ii konqueror [www-browser] 4:3.5.9.dfsg.1-4 KDE's advanced file manager, web b
ii libvisual-0.4-plugins 0.4.0.dfsg.1-2 Audio visualization framework plug
ii lynx-cur [www-browser] 2.8.7dev9-1.2 Text-mode WWW Browser with NLS sup
ii moodbar 0.1.2-2 Analysis program for creating a co
ii w3m [www-browser] 0.5.2-2+b1 WWW browsable pager with excellent
-- no debconf information
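The pattern the report points at is a fixed, predictable path under /tmp that is removed and then re-opened: any file or symlink that is already there decides what the process writes to. The following is an added example, not Amarok's code or part of the bug log, of the hardened form on POSIX: the downloaded list goes into a file created by mkstemp (unique name, O_EXCL, mode 0600), and a fixed path, if one must be used, is opened with O_EXCL|O_NOFOLLOW so a pre-existing file or a symlink makes the open fail instead of being reused. The function names, the "album_info-" prefix and the sample XML string are assumptions made for the example; the self-check reproduces the "another user already created it" case the reporter describes.

```cpp
// Added example, not Amarok's code: a hardened replacement for the
// "remove /tmp/album_info.xml, then open it" pattern quoted in the report.
// Assumes POSIX (mkstemp, open, lstat); function names are hypothetical.
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

// Write data to a fresh, unpredictable file and return its path ("" on error).
// mkstemp opens with O_CREAT|O_EXCL and mode 0600, so a file or symlink that
// another user planted under a guessable name is never reused or followed.
std::string writeToSecureTempFile(const std::string& data, const std::string& prefix) {
    const char* dir = std::getenv("TMPDIR");               // honour TMPDIR, else /tmp
    std::string tmpl = std::string(dir && *dir ? dir : "/tmp") + "/" + prefix + "XXXXXX";
    std::vector<char> buf(tmpl.begin(), tmpl.end());
    buf.push_back('\0');                                   // mkstemp rewrites the Xs in place
    int fd = mkstemp(buf.data());
    if (fd < 0) return "";
    size_t off = 0;
    while (off < data.size()) {
        ssize_t n = write(fd, data.data() + off, data.size() - off);
        if (n < 0) {
            if (errno == EINTR) continue;
            close(fd);
            unlink(buf.data());
            return "";
        }
        off += static_cast<size_t>(n);
    }
    if (close(fd) != 0) { unlink(buf.data()); return ""; }
    return std::string(buf.data());
}

// The quoted code's fragile step, done safely: a fixed path is only ever
// created, never reused. O_EXCL makes a pre-existing file fail with EEXIST
// (no remove()-then-open() window) and O_NOFOLLOW refuses a symlink.
int openFixedPathExclusive(const std::string& path) {
    return open(path.c_str(), O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

// True if path is a regular file (not a symlink) with no group/other access.
bool isPrivateRegularFile(const std::string& path) {
    struct stat st;
    if (lstat(path.c_str(), &st) != 0) return false;
    return S_ISREG(st.st_mode) && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

// Read the whole file back; O_NOFOLLOW so a swapped-in symlink is refused.
std::string readFile(const std::string& path) {
    std::string out;
    int fd = open(path.c_str(), O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return out;
    char chunk[4096];
    ssize_t n;
    while ((n = read(fd, chunk, sizeof chunk)) > 0) out.append(chunk, static_cast<size_t>(n));
    close(fd);
    return out;
}

// End-to-end check: write a constructed album list, verify the file is private
// and intact, then show that the exclusive open refuses the path now that it
// exists (the "another user already created it" case from the report).
bool selfCheck() {
    const std::string albumList = "<album_list><album id=\"1\"/></album_list>";  // constructed sample
    std::string path = writeToSecureTempFile(albumList, "album_info-");
    if (path.empty()) return false;
    bool ok = isPrivateRegularFile(path) && readFile(path) == albumList;
    int fd = openFixedPathExclusive(path);
    ok = ok && fd == -1 && errno == EEXIST;
    if (fd >= 0) close(fd);
    unlink(path.c_str());                                  // caller owns cleanup
    return ok;
}

int main() {
    bool ok = selfCheck();
    std::printf("self-check %s\n", ok ? "passed" : "FAILED");
    return ok ? 0 : 1;
}
```

In a Qt/KDE program the same effect comes from the toolkit's temporary-file class rather than raw mkstemp; the point carried over is that the name is generated, the create is exclusive, the mode is 0600, and the path handed to the parser is the one that was actually created, not a string both sides agreed on in advance.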
Information forwarded to debian-bugs-dist@lists.debian.org, Modestas Vainius <modestas@vainius.eu>: Bug#494765; Package amarok.
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Modestas Vainius <modestas@vainius.eu>.
Subject: Re: amarok: Possible insecure temporary file creation?
Date: Thu, 14 Aug 2008 00:35:04 +0200
Dwayne Litzenberger wrote:
> Package: amarok
> Version: 1.4.9.1-2
> Severity: normal
> Tags: security
>
> I looked at the source code and found the following code (in
> amarok/src/magnatunebrowser/magnatunebrowser.cpp). I'm not familiar enough
> with Qt to be sure, but it looks to me like the code creating a temporary
> file insecurely. At minimum, I think this code will break if another user
> has already created /tmp/album_info.xml (thus preventing the current user
> from deleting it).
In my test on Etch, Amarok didn't dereference a symlink, so this doesn't
seem like a security problem.
Cheers,
Moritz
Acknowledgement sent to "David C. Manuelda" <stormbyte@gmail.com>:
Extra info received and forwarded to list. Copy sent to Modestas Vainius <modestas@vainius.eu>.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Modestas Vainius <modestas@vainius.eu>.
Hi,
could you attach an strace of the process to this bug
report?
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Source: amarok
Source-Version: 1.4.10-1
We believe that the bug you reported is fixed in the latest version of
amarok, which is due to be installed in the Debian FTP archive:
amarok-common_1.4.10-1_all.deb
to pool/main/a/amarok/amarok-common_1.4.10-1_all.deb
amarok-dbg_1.4.10-1_amd64.deb
to pool/main/a/amarok/amarok-dbg_1.4.10-1_amd64.deb
amarok-engine-xine_1.4.10-1_amd64.deb
to pool/main/a/amarok/amarok-engine-xine_1.4.10-1_amd64.deb
amarok-engine-yauap_1.4.10-1_amd64.deb
to pool/main/a/amarok/amarok-engine-yauap_1.4.10-1_amd64.deb
amarok-engines_1.4.10-1_all.deb
to pool/main/a/amarok/amarok-engines_1.4.10-1_all.deb
amarok-konqsidebar_1.4.10-1_amd64.deb
to pool/main/a/amarok/amarok-konqsidebar_1.4.10-1_amd64.deb
amarok_1.4.10-1.diff.gz
to pool/main/a/amarok/amarok_1.4.10-1.diff.gz
amarok_1.4.10-1.dsc
to pool/main/a/amarok/amarok_1.4.10-1.dsc
amarok_1.4.10-1_amd64.deb
to pool/main/a/amarok/amarok_1.4.10-1_amd64.deb
amarok_1.4.10.orig.tar.gz
to pool/main/a/amarok/amarok_1.4.10.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 494765@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Modestas Vainius <modestas@vainius.eu> (supplier of updated amarok package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 14 Aug 2008 21:35:56 +0300
Source: amarok
Binary: amarok amarok-common amarok-konqsidebar amarok-engines amarok-engine-xine amarok-engine-yauap amarok-dbg
Architecture: source all amd64
Version: 1.4.10-1
Distribution: unstable
Urgency: high
Maintainer: Modestas Vainius <modestas@vainius.eu>
Changed-By: Modestas Vainius <modestas@vainius.eu>
Description:
amarok - versatile and easy to use audio player for KDE
amarok-common - architecture independent files for Amarok
amarok-dbg - debugging symbols for Amarok
amarok-engine-xine - Xine engine for the Amarok audio player
amarok-engine-yauap - Yauap engine for the Amarok audio player
amarok-engines - output engines for the Amarok music player
amarok-konqsidebar - Amarok sidebar for konqueror 3.x.x
Closes: 494765
Changes:
amarok (1.4.10-1) unstable; urgency=high
.
* New upstream release:
- [Secunia SA31418] Fixes insecure temporary file creation
(Closes: #494765).
* Urgency high due to security fix.
Checksums-Sha1:
25807cb164f8df64bdd82445dc95343555e14365 1636 amarok_1.4.10-1.dsc
01663bb604c00856c4f6df48e76054e2e98c2458 16338876 amarok_1.4.10.orig.tar.gz
ea521bbf1050a3b3a260af6c68c7a68aaca177c2 112685 amarok_1.4.10-1.diff.gz
9bf66b2139e0c4496eec1fdd7df3c0727b0d059b 11117398 amarok-common_1.4.10-1_all.deb
db76b775a6a0b7cc55ab9bb8af072b2ff82a080c 70178 amarok-engines_1.4.10-1_all.deb
1fda7c7a34b0eab12db9a25c6c786bb7951f59c4 2673730 amarok_1.4.10-1_amd64.deb
1bb678bedc850cbbfd6a8f5ce1ecc2f99a8fdf9b 125502 amarok-konqsidebar_1.4.10-1_amd64.deb
2d605823eb06519da5180267649a3c9f01beaba6 128194 amarok-engine-xine_1.4.10-1_amd64.deb
6990f3ef99da50b0aa07fa696807e866283743c9 94802 amarok-engine-yauap_1.4.10-1_amd64.deb
67bc10f62ada5ae89087f5d46a00332c15c5952c 11727836 amarok-dbg_1.4.10-1_amd64.deb
Checksums-Sha256:
c2886c0fe90838f67fe3b24e18fc4460d5617e0d67862921d7b896e7be3c2adc 1636 amarok_1.4.10-1.dsc
5eee9fe892453e46bba02cf39daf3579c70fdcfc00ad35a5a5c15a20266a1396 16338876 amarok_1.4.10.orig.tar.gz
9d4f9d8a2375759f858990ab663afdb631a298c26b0cadb11934d9e1c84b4f5c 112685 amarok_1.4.10-1.diff.gz
0bab22fb38cd6283e9a24e319e27d0f6ffa5cbe5597dcf7b0e8d9e7e60e14ad8 11117398 amarok-common_1.4.10-1_all.deb
705d25a53e525b34d44136918c507938cbd963dd3291c7eee911fa9b1e657872 70178 amarok-engines_1.4.10-1_all.deb
535eacf796d932f6c4af85732864262cd7fbc3b6718485c2be42143e66caa858 2673730 amarok_1.4.10-1_amd64.deb
461ee7d14d6fb8840d0382da8c7cc324ea05cfc1a2363efdd4b127d5a34ced5a 125502 amarok-konqsidebar_1.4.10-1_amd64.deb
92b76b97989c9b549d8eefa559ee022d60b1029be34b7999970d165807dfabd7 128194 amarok-engine-xine_1.4.10-1_amd64.deb
8bc18c5ce36173a48066a8b089284d45a15a158adda458c634184eda64665d3a 94802 amarok-engine-yauap_1.4.10-1_amd64.deb
8bd2ee19f49634ac9b4c3ef6a5f25f1287fccce6a1f663d7298d6881982e9549 11727836 amarok-dbg_1.4.10-1_amd64.deb
Files:
9c43f303d9d54e39e48542dba6aab748 1636 kde optional amarok_1.4.10-1.dsc
5bf5a876ada99d8992a6033d332b44c5 16338876 kde optional amarok_1.4.10.orig.tar.gz
23850a7f52bead09582ed77e85a185c7 112685 kde optional amarok_1.4.10-1.diff.gz
c60c76c7f0badf934ad053115f719dd6 11117398 kde optional amarok-common_1.4.10-1_all.deb
fc2f77419180f8eb5796f290597653ce 70178 kde optional amarok-engines_1.4.10-1_all.deb
8ad243b5cee169732df738de00d51adb 2673730 kde optional amarok_1.4.10-1_amd64.deb
59fe0328fc846d82d6bdf7ed3354d1c8 125502 kde optional amarok-konqsidebar_1.4.10-1_amd64.deb
d37ab01de0b294bd103bdf29535ce543 128194 kde optional amarok-engine-xine_1.4.10-1_amd64.deb
0080e6956cb990ed9ed9aa498fba9034 94802 kde optional amarok-engine-yauap_1.4.10-1_amd64.deb
c12d086b8ca681147642b9a90eb78807 11727836 kde extra amarok-dbg_1.4.10-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkikgpYACgkQHO9JRnPq4hSvQACgiB8RcotSytOoemsBA0X8uZ5i
1agAn3y4o4tNK0Rnm12jKQVIyDnsE4fX
=j4w0
-----END PGP SIGNATURE-----
Bug marked as fixed in version 1.90-1.
Request was from Modestas Vainius <modestas@vainius.eu>
to control@bugs.debian.org.
(Sun, 07 Sep 2008 19:57:05 GMT)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 06 Oct 2008 07:30:21 GMT)