Bug 427366 - <media-sound/rhythmbox-0.12.8-r1: Insecure temporary file usage (CVE-2012-3355)
Summary: <media-sound/rhythmbox-0.12.8-r1: Insecure temporary file usage (CVE-2012-3355)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-07-20 16:56 UTC by GLSAMaker/CVETool Bot
Modified: 2016-03-23 09:47 UTC
CC: 0 users

See Also:
Package list:
Runtime testing required: ---
Description GLSAMaker/CVETool Bot gentoo-dev 2012-07-20 16:56:41 UTC
CVE-2012-3355 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3355):
  (1) AlbumTab.py, (2) ArtistTab.py, (3) LinksTab.py, and (4) LyricsTab.py in
  the Context module in GNOME Rhythmbox 0.13.3 and earlier allow local users
  to execute arbitrary code via a symlink attack on a temporary HTML template
  file in the /tmp/context directory.
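The description above names the classic insecure temporary-file pattern: a fixed directory under /tmp and a predictable file name, which any local user can pre-seed with a symlink before the victim process writes. The Python below is an added example written for this bug page, not Rhythmbox's plugin code; its function names and the constructed scenarios are assumptions. It contrasts a hypothetical predictable-path helper with the two mitigations a reviewer would ask for (a private mkdtemp directory, and O_CREAT|O_EXCL|O_NOFOLLOW on the file itself) and shows the exclusive create refusing a pre-planted symlink, leaving the link target untouched.

```python
import os
import stat
import tempfile

# O_NOFOLLOW exists on Linux, BSD and macOS; fall back to 0 elsewhere so the
# O_EXCL refusal still applies on its own.
O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)


def insecure_template_path(name):
    """Hypothetical stand-in for the pattern the advisory describes (not the
    Rhythmbox code): a shared directory with a fixed name plus a predictable
    file name. Any local user can create this path, or a symlink at it, first."""
    return os.path.join(tempfile.gettempdir(), "context", name)


def directory_is_private(directory):
    """True if `directory` (inspected with lstat, so a symlink is not followed)
    is a real directory owned by the current effective user and not writable
    by group or others."""
    try:
        st = os.lstat(directory)
    except FileNotFoundError:
        return False
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != os.geteuid():
        return False
    return (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)) == 0


def create_exclusively(directory, name, content):
    """Create `directory/name` only if nothing is there yet.
    O_CREAT|O_EXCL makes the kernel refuse any existing entry, including a
    symlink (dangling or not); O_NOFOLLOW additionally refuses to traverse one.
    Returns the new path, or None if an entry was already present."""
    path = os.path.join(directory, name)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | O_NOFOLLOW, 0o600)
    except FileExistsError:
        return None
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return path


def write_template_securely(content, name="template.html"):
    """Preferred fix: a fresh per-process directory from mkdtemp (mode 0700,
    unpredictable name), then an exclusive create inside it."""
    private_dir = tempfile.mkdtemp(prefix="context-")
    path = create_exclusively(private_dir, name, content)
    if path is None:  # cannot happen for a brand-new 0700 directory
        raise RuntimeError("unexpected entry in freshly created private dir")
    return path


def demo_planted_symlink_is_refused():
    """Constructed scenario: a symlink already sits at the template path, as in
    the symlink attack the advisory describes. Returns (create_result,
    target_unchanged); the mitigation yields (None, True)."""
    shared_dir = tempfile.mkdtemp(prefix="shared-")  # stands in for /tmp/context
    target = os.path.join(shared_dir, "unrelated-file")
    with open(target, "w") as fh:
        fh.write("original")
    os.symlink(target, os.path.join(shared_dir, "template.html"))
    result = create_exclusively(shared_dir, "template.html", "<html>new</html>")
    with open(target) as fh:
        target_unchanged = fh.read() == "original"
    return result, target_unchanged


def demo_directory_check():
    """Returns (private_dir_ok, world_writable_dir_ok) for a constructed
    0700 directory before and after it is made world-writable."""
    d = tempfile.mkdtemp(prefix="check-")
    before = directory_is_private(d)
    os.chmod(d, 0o777)
    after = directory_is_private(d)
    return before, after


if __name__ == "__main__":
    p = write_template_securely("<html><body>lyrics</body></html>")
    print("wrote", p, "in a private directory:", directory_is_private(os.path.dirname(p)))
    print("planted symlink refused:", demo_planted_symlink_is_refused())
    print("directory check (0700, then 0777):", demo_directory_check())
```

The design choice worth noting is that `directory_is_private` is only a pre-flight check and still races with a concurrent writer; the guarantee comes from the exclusive create, which the kernel enforces atomically. Where the directory name itself is fixed (as `/tmp/context` was), the `O_EXCL` refusal is what turns a planted symlink into a failed open rather than an overwritten file.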
Comment 1 Samuel Damashek (RETIRED) gentoo-dev 2013-12-22 06:26:00 UTC
=media-plugins/rhythmbox-3.0.1 is stable in-tree, so if possible =media-sound/rhythmbox-0.12.8-r1 should be removed as it is affected. The only issue is rhythmbox-equalizer depends on 0.12.8 specifically, so if 0.12.8-r1 is removed, rhythmbox-equalizer-0.1.ebuild should be updated to accept any version of rhythmbox.
Comment 2 Pacho Ramos gentoo-dev 2014-05-31 11:24:40 UTC
Vulnerable versions were dropped some time ago.
Comment 3 Pacho Ramos gentoo-dev 2014-06-01 13:27:31 UTC
rhythmbox-3.0.1 fixes this, stabilized in bug #478252
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-02-22 10:54:42 UTC
Vulnerable versions were removed LONG ago, as the previous comment states. Please proceed with a GLSA or closure.