Bug 166901 - media-sound/amarok: remote exec of arbitrary code from a malicious server
Summary: media-sound/amarok: remote exec of arbitrary code from a malicious server
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal (vote)
Assignee: Gentoo Security
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: C1 or B2 [glsa]
Keywords:
Duplicates: 167530 (view as bug list)
Depends on:
Blocks: 162118
Reported: 2007-02-14 20:37 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2007-03-14 00:12 UTC (History)
See Also:
Package list:
Runtime testing required: ---


Attachments

Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-14 20:37:08 UTC
See http://bugs.kde.org/show_bug.cgi?id=138499 , a malicious or compromised magnatune server could easily inject arbitrary shell commands on the client, when the client has registered for buying music.

Thanks to Diego who will push a fixed ebuild.
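The vulnerability class the report describes, as an added illustration that is not Amarok's code and not taken from the KDE bug: a client that interpolates a server-controlled string (here a hypothetical track name, constructed for the example) into a shell command line lets a malicious server run arbitrary commands, whereas passing the same string as a discrete argument to the program keeps shell metacharacters inert. The `printf` stand-in for the real download/purchase helper and the sample input are assumptions made for the demonstration.

```python
import shlex
import subprocess

# Constructed sample of a server-supplied field. Assumption for the example:
# the client feeds this field into a shell command. The ';' ends the intended
# command and starts an attacker-chosen one.
MALICIOUS_NAME = "album.mp3; echo INJECTED"


def build_shell_command_unsafe(name: str) -> str:
    """Vulnerable pattern: untrusted text concatenated into a shell string.

    'printf' stands in for whatever helper the client would really invoke.
    """
    return "printf '%s\\n' " + name


def build_shell_command_quoted(name: str) -> str:
    """Mitigation when a shell string is unavoidable: quote the untrusted part."""
    return "printf '%s\\n' " + shlex.quote(name)


def run_unsafe(name: str) -> str:
    """Run through /bin/sh; metacharacters in `name` are interpreted."""
    proc = subprocess.run(
        build_shell_command_unsafe(name),
        shell=True, capture_output=True, text=True, check=False,
    )
    return proc.stdout


def run_quoted(name: str) -> str:
    """Run through /bin/sh with the untrusted part quoted for the shell."""
    proc = subprocess.run(
        build_shell_command_quoted(name),
        shell=True, capture_output=True, text=True, check=False,
    )
    return proc.stdout


def run_safe(name: str) -> str:
    """Hardened form: no shell at all, the name is one argv element.

    The format string is fixed by the program; only the data is untrusted.
    """
    proc = subprocess.run(
        ["printf", "%s\n", name],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout


def injected_command_ran(output: str) -> bool:
    """True when the attacker's appended command actually executed."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    print("unsafe :", repr(run_unsafe(MALICIOUS_NAME)))
    print("quoted :", repr(run_quoted(MALICIOUS_NAME)))
    print("safe   :", repr(run_safe(MALICIOUS_NAME)))
```

The unsafe path prints `album.mp3` and then `INJECTED` on its own line, showing that the server-controlled suffix became a second shell command; both the quoted and the argv-list variants print the whole string literally. The argv-list form is the one to prefer, since it removes the shell from the path entirely rather than relying on correct quoting.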
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-14 20:39:23 UTC
Default conf + user complicity (B2), or non-default conf and without user complicity (C1).  --> there will be a GLSA
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2007-02-14 21:11:47 UTC
1.4.5-r1 there and ready.
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-14 21:39:32 UTC
thanks diego :)


hi arches, could you test and mark amarok-1.4.5-r1 stable, please, thanks
Comment 4 Jason Wever (RETIRED) gentoo-dev 2007-02-14 23:38:17 UTC
is there a preferred version of mongrel to stabilize?
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2007-02-15 08:26:19 UTC
amarok together with libgpod and libmtp x86 stable
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2007-02-15 08:45:25 UTC
and mongrel 1.0 as 1.0.1 is in the tree for only 15 days
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2007-02-15 18:13:15 UTC
sparc stable.
Comment 8 Markus Rothe (RETIRED) gentoo-dev 2007-02-17 08:54:33 UTC
I've just added ~ppc64 to 1.4.5-r1 so give it a few days before I mark it stable.

how would I test the mongrel part of amarok by the way?
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2007-02-18 20:48:28 UTC
*** Bug 167530 has been marked as a duplicate of this bug. ***
Comment 10 Malcolm Lashley (RETIRED) gentoo-dev 2007-02-19 22:47:04 UTC
amd64 (and a bunch of deps) stable.
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2007-02-21 20:25:52 UTC
ppc stable
Comment 12 Markus Rothe (RETIRED) gentoo-dev 2007-02-24 10:23:02 UTC
ppc64 stable
Comment 13 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-26 22:37:00 UTC
yeah good, glsa then
Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-14 00:12:36 UTC
GLSA 200703-11, thanks everybody