Nikolaus Schulz has reported a security issue in id3lib, which can be exploited by malicious, local users to gain escalated privileges. The security issue is caused due to the "RenderV2ToFile()" function in src/tag_file.cpp handling temporary files in an insecure manner. This can be exploited to execute arbitrary commands with escalated privileges (usually root user). The security issue is reported in version 3.8.3. Other versions may also be affected.
CC'ing maintainer and setting whiteboard status.
upstream is not available anymore, so I'm accepting patches.
(In reply to comment #2)
> upstream is not available anymore, so I'm accepting patches.
Ignore this. Fixed in id3lib-3.8.3-r6.
Arches please test and mark stable. Target keywords are:
id3lib-3.8.3-r6.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 sh sparc x86 ~x86-fbsd"
@drac, I'm not familiar with id3lib but could you elaborate on the reported privilege escalation to root privileges?
(In reply to comment #4)
> @drac, I'm not familiar with id3lib but could you elaborate on the reported
> privilege escalation to root privileges?
See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=438540 for reference.
Rerating:
[21:26] <jaervosz> drac: thx for the reference but I still fail to see why you should gain root privs by that?
[21:27] <drac> jaervosz: users perhaps, but not roots for sure..
[21:28] <drac> jaervosz: perhaps as in dunno how one could manage even that.
[21:28] <jaervosz> drac: thx, wasn't sure whether secunia just messed up something or I was overlooking something very trivial
Stable for HPPA.
sparc stable.
amd64 stable
ppc stable
x86 stable
alpha/ia64 stable
ppc64 stable
ready for glsa decision. I tend to vote YES.
I vote YES too.
mips stable.
ok, let's have a glsa on this one.
GLSA 200709-08 thanks everyone