From the NVD, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3998: The (1) banshee-1 and (2) muinshee scripts in Banshee 1.8.0 and earlier place a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory.
Added upstream patch to fix this [1] in 1.8.0-r1 and removed 1.8.0 from tree. Is there anything else that needs to be done to mark this fixed? [1] http://git.gnome.org/browse/banshee/commit/?h=stable-1.8&id=835c37e99196303195c88932169b73e975115e52
Great, thank you, Arun. We also need to do stabilization, and since this is a security bug, we keep it open until we either publish a GLSA or decide we are not going to. Arches, please test and mark stable: =media-sound/banshee-1.8.0-r1 Target keywords : "amd64 x86"
Also: =media-plugins/banshee-community-extensions-1.8.0 will need to go stable as current stable doesn't work with banshee-1.8
(In reply to comment #3) > =media-plugins/banshee-community-extensions-1.8.0 This has a missing dependency lirc? ( app-misc/lirc ) Otherwise all fine. I'm ready to go on x86 as soon as you added it or told me to do it myself.
(In reply to comment #4) > Otherwise all fine. I'm ready to go on x86 as soon as you added it or told me > to do it myself. > Please add it yourself as I don't have much time right now (and thanks a lot for finding that missing dep)
Dependency added, x86 done.
ok on amd64!
(In reply to comment #3) > Also: > =media-plugins/banshee-community-extensions-1.8.0 > > will need to go stable as current stable doesn't work with banshee-1.8 > amd64 done. Thanks Agostino. @Pacho why don't you force this version inside the banshee ebuild?
Thanks, folks. GLSA Vote: Yes.
Vote: YES, glsa request filed.
CVE-2010-3998 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3998): The (1) banshee-1 and (2) muinshee scripts in Banshee 1.8.0 and earlier place a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory. NOTE: Banshee might also be affected using GST_PLUGIN_PATH.
That version seems to be gone for a long time.
This issue was resolved and addressed in GLSA 201402-05 at http://security.gentoo.org/glsa/glsa-201402-05.xml by GLSA coordinator Sergey Popov (pinkbyte).
