Several vulnerabilities have been discovered in Tunapie, a GUI frontend to video and radio streams. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2009-1253
Kees Cook discovered that insecure handling of temporary files may lead to local denial of service through symlink attacks.

CVE-2009-1254
Mike Coleman discovered that insufficient escaping of stream URLs may lead to the execution of arbitrary commands if a user is tricked into opening a malformed stream URL.
Created attachment 187655: tunapie-CVE-2009-1253+1254.patch
Ubuntu bug: https://bugs.launchpad.net/bugs/314591
CVE-2009-1253 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1253):
James Stone Tunapie 2.1 allows local users to overwrite arbitrary files via a symlink attack on an unspecified temporary file.

CVE-2009-1254 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1254):
James Stone Tunapie 2.1 allows remote attackers to execute arbitrary commands via shell metacharacters in a stream URL.
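Added example, not part of the bug report and not Tunapie's code or the attached patch: a Python sketch of the two hardened patterns these CVE classes call for, exclusive temporary-file creation and launching the player with an argument list instead of a shell string. All function names, the scheme allow-list and the sample URL are assumptions made for illustration.

```python
import os
import subprocess
import sys
import tempfile
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https", "mms", "rtsp"}  # assumed allow-list, not Tunapie's


def player_argv(player, url):
    """Return an argv list for `player` (a list); the URL stays one argument."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError("refusing stream URL %r" % url)
    return list(player) + [url]


def run_player(player, url):
    """Start the player without a shell, so ';', '|', '$()' are plain bytes."""
    done = subprocess.run(player_argv(player, url), shell=False,
                          capture_output=True, text=True, check=True)
    return done.stdout


def write_new_file(path, data):
    """Create `path` only if nothing is there; a planted symlink is refused.

    O_CREAT|O_EXCL fails with EEXIST on any existing name, symlinks included,
    so the write can never land on the link's target.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def write_temp(data, prefix="stream-"):
    """Preferred form: unpredictable name, created exclusively, mode 0600."""
    fd, path = tempfile.mkstemp(prefix=prefix)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    url = "http://radio.example/live.pls;echo INJECTED"  # constructed sample
    echo = [sys.executable, "-c", "import sys; print(sys.argv[1])"]  # stand-in player
    print(run_player(echo, url), end="")
    print(write_temp(b"#EXTM3U\n"))
```

The stand-in player prints the URL back unchanged, metacharacters included, because no shell ever interprets it.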
fixed in 2.1.16. Please bump.
(In reply to comment #4)
> fixed in 2.1.16. Please bump.
>

Thanks Robert

Bumped to 2.1.17 and removed old versions since there was no stable, please just close this if you agree that there is no need for glsa.
thanks, closing with no GLSA since it's ~arch.