Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 166901 - media-sound/amarok: remote exec of arbitrary code from a malicious server
Summary: media-sound/amarok: remote exec of arbitrary code from a malicious server
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: C1 or B2 [glsa]
: 167530 (view as bug list)
Depends on:
Blocks: 162118
  Show dependency tree
Reported: 2007-02-14 20:37 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2007-03-14 00:12 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-14 20:37:08 UTC
See , a malicious or compromised magnatune server could easily inject arbitrary shell commands on the client, when the client has registered for buying music.

Thanks to Diego who will push a fixed ebuild.
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-14 20:39:23 UTC
Default conf + user complicity (B2), or non-default conf and without user complicity (C1).  --> there will be a GLSA
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2007-02-14 21:11:47 UTC
1.4.5-r1 there and ready.
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-14 21:39:32 UTC
thanks diego :)

hi arches, could you test and mark amarok-1.4.5-r1 stable, please, thanks
Comment 4 Jason Wever (RETIRED) gentoo-dev 2007-02-14 23:38:17 UTC
is there a preferred version of mogrel to stablize?
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2007-02-15 08:26:19 UTC
amarok together with libgpod and libmtp x86 stable
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2007-02-15 08:45:25 UTC
and mongrel 1.0 as 1.0.1 is in the tree for only 15 days
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2007-02-15 18:13:15 UTC
sparc stable.
Comment 8 Markus Rothe (RETIRED) gentoo-dev 2007-02-17 08:54:33 UTC
I've just added ~ppc64 to 1.4.5-r1 so give it a few days before I mark it stable.

how would I test the mongrel part of amarok by the way?
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2007-02-18 20:48:28 UTC
*** Bug 167530 has been marked as a duplicate of this bug. ***
Comment 10 Malcolm Lashley (RETIRED) gentoo-dev 2007-02-19 22:47:04 UTC
amd64 (and a bunch of deps) stable.
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2007-02-21 20:25:52 UTC
ppc stable
Comment 12 Markus Rothe (RETIRED) gentoo-dev 2007-02-24 10:23:02 UTC
ppc64 stable
Comment 13 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-26 22:37:00 UTC
yeah good, glsa then
Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-14 00:12:36 UTC
GLSA 200703-11, thanks everybody