
Bug 427366

Summary: <media-sound/rhythmbox-0.12.8-r1: Insecure temporary file usage (CVE-2012-3355)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugzilla.redhat.com/show_bug.cgi?id=835076
https://bugzilla.gnome.org/show_bug.cgi?id=678661
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2012-07-20 16:56:41 UTC
CVE-2012-3355 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3355):
  (1) AlbumTab.py, (2) ArtistTab.py, (3) LinksTab.py, and (4) LyricsTab.py in
  the Context module in GNOME Rhythmbox 0.13.3 and earlier allows local users
  to execute arbitrary code via a symlink attack on a temporary HTML template
  file in the /tmp/context directory.
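The weakness described above (a predictable file under /tmp, opened in a way that follows a planted symlink) is the classic insecure temporary file pattern. As an added example that is not part of this bug report or of Rhythmbox's own code, the Python below puts the unsafe pattern beside its hardened form (`tempfile.mkdtemp` for a private 0700 directory plus an `O_CREAT|O_EXCL|O_NOFOLLOW` open) and runs both inside a scratch directory it cleans up afterwards; `SAMPLE_HTML`, the `victim.txt`/`template.html` names and the helper functions are constructed for the demonstration.

```python
"""Insecure vs. safe temporary file creation (added example, not Rhythmbox code)."""
import os
import stat
import tempfile

# Constructed stand-in for the HTML template a plugin would write out.
SAMPLE_HTML = "<html><body>constructed template</body></html>"


def write_fixed_path(directory, name, content):
    """Insecure pattern: predictable name in a shared directory, opened with
    plain open(), which follows a symlink planted at that path and truncates
    whatever it points to. Kept here only for comparison with the safe form."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(content)
    return path


def open_exclusive(path, mode=0o600):
    """Create `path` atomically: O_EXCL makes the open fail if anything already
    exists there, O_NOFOLLOW refuses to traverse a symlink at the final component."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, mode)
    return os.fdopen(fd, "w")


def write_private_temp(content, prefix="context-"):
    """Hardened pattern: a fresh 0700 directory from mkdtemp (unpredictable
    name, owned by the caller) plus an exclusive create inside it."""
    private_dir = tempfile.mkdtemp(prefix=prefix)
    path = os.path.join(private_dir, "template.html")
    with open_exclusive(path) as fh:
        fh.write(content)
    return path


def audit_temp_file(path):
    """What a reviewer checks: not a symlink, 0600 file, 0700 parent directory."""
    st = os.lstat(path)
    parent = os.lstat(os.path.dirname(path))
    return {
        "is_symlink": stat.S_ISLNK(st.st_mode),
        "file_mode": stat.S_IMODE(st.st_mode),
        "dir_mode": stat.S_IMODE(parent.st_mode),
    }


def demo():
    """Run both patterns inside a scratch directory and report what happened.
    The 'victim' file and the planted symlink are constructed here."""
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        victim = os.path.join(scratch, "victim.txt")
        with open(victim, "w") as fh:
            fh.write("original")
        shared = os.path.join(scratch, "shared")
        os.mkdir(shared)
        # A pre-existing symlink at the predictable path, standing in for what
        # could already be sitting in a world-writable directory.
        os.symlink(victim, os.path.join(shared, "template.html"))

        # Unsafe open follows the link: the victim file now holds the template.
        write_fixed_path(shared, "template.html", SAMPLE_HTML)
        with open(victim) as fh:
            results["victim_overwritten"] = fh.read() == SAMPLE_HTML

        # Exclusive open at the same path fails instead of following the link.
        try:
            open_exclusive(os.path.join(shared, "template.html"))
            results["exclusive_open_refused"] = False
        except OSError:
            results["exclusive_open_refused"] = True

        # Hardened path: private directory, exclusive create, restrictive modes.
        safe_path = write_private_temp(SAMPLE_HTML)
        try:
            results["safe_audit"] = audit_temp_file(safe_path)
        finally:
            os.unlink(safe_path)
            os.rmdir(os.path.dirname(safe_path))
    return results


if __name__ == "__main__":
    print(demo())
```

The decisive difference is not the file name but the open flags and the directory ownership: `O_EXCL` turns a pre-planted entry into an error, `O_NOFOLLOW` stops symlink traversal at the last component, and a per-process `mkdtemp` directory removes the shared, predictable location that makes the race possible in the first place.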
Comment 1 Samuel Damashek (RETIRED) gentoo-dev 2013-12-22 06:26:00 UTC
=media-plugins/rhythmbox-3.0.1 is stable in-tree, so if possible =media-sound/rhythmbox-0.12.8-r1 should be removed as it is affected. The only issue is rhythmbox-equalizer depends on 0.12.8 specifically, so if 0.12.8-r1 is removed, rhythmbox-equalizer-0.1.ebuild should be updated to accept any version of rhythmbox.
Comment 2 Pacho Ramos gentoo-dev 2014-05-31 11:24:40 UTC
vulnerable versions were dropped some time ago
Comment 3 Pacho Ramos gentoo-dev 2014-06-01 13:27:31 UTC
rhythmbox-3.0.1 fixes this, stabilized in bug #478252
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-02-22 10:54:42 UTC
vulnerable versions removed LONG ago as previous comment states.  Please proceed with a GLSA or closure.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-02-22 10:55:33 UTC
vulnerable versions removed LONG ago as previous comment states.  Please proceed with a GLSA or closure.