
Bug 284448

Summary: media-sound/rhythmbox: .pls DoS (CVE-2008-7185)
Product: Gentoo Security
Reporter: Alex Legler (RETIRED) <a3li>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: gnome, gstreamer
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
ddos-test.pls none

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-10 09:35:10 UTC
CVE-2008-7185 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7185):
  GNOME Rhythmbox 0.11.5 allows remote attackers to cause a denial of
  service (segmentation fault and crash) via a playlist (.pls) file
  with a long Title field, possibly related to the g_hash_table_lookup
  function in b-playlist-manager.c.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-09-10 10:00:54 UTC
The affected function was removed two months before the vulnerability report:
http://git.gnome.org/cgit/rhythmbox/commit/?id=5d8c34c60b6d89c209da2afc3fd2bc62211785e6

It is still in 0.11.5, but not in 0.11.6. Can someone try to reproduce with our stable versions?
Comment 2 Gilles Dartiguelongue (RETIRED) gentoo-dev 2010-04-12 20:41:20 UTC
Created attachment 227533
ddos-test.pls

Due to the lack of a known bad file, I had to rely on a random try.
Comment 3 Gilles Dartiguelongue (RETIRED) gentoo-dev 2010-04-12 20:41:42 UTC
0.12.* seems to be fine with the attached pls file.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2010-11-26 23:00:51 UTC
Vulnerable versions are not in the tree anymore. 

GLSA Vote: no.
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2011-01-03 20:18:07 UTC
GLSA Vote: no -> Closing. Feel free to reopen if you disagree.