Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 284448 - media-sound/rhythmbox: .pls DoS (CVE-2008-7185)
Summary: media-sound/rhythmbox: .pls DoS (CVE-2008-7185)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-09-10 09:35 UTC by Alex Legler (RETIRED)
Modified: 2011-01-03 20:18 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
ddos-test.pls (ddos-test.pls,9.18 KB, text/plain)
2010-04-12 20:41 UTC, Gilles Dartiguelongue (RETIRED) 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-10 09:35:10 UTC 
CVE-2008-7185 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7185):
  GNOME Rhythmbox 0.11.5 allows remote attackers to cause a denial of
  service (segmentation fault and crash) via a playlist (.pls) file
  with a long Title field, possibly related to the g_hash_table_lookup
  function in b-playlist-manager.c.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-09-10 10:00:54 UTC 
The affected function has been removed two months before the vulnerability report:
http://git.gnome.org/cgit/rhythmbox/commit/?id=5d8c34c60b6d89c209da2afc3fd2bc62211785e6

It is still in 0.11.5, but not in 0.11.6. Can someone try to reproduce with our stable versions?
Comment 2 Gilles Dartiguelongue (RETIRED) gentoo-dev 2010-04-12 20:41:20 UTC 
Created attachment 227533 [details]
ddos-test.pls

due to a lack of known bad file I had to rely on a random try.
Comment 3 Gilles Dartiguelongue (RETIRED) gentoo-dev 2010-04-12 20:41:42 UTC 
0.12.* seems to be fine with the attache pls file.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2010-11-26 23:00:51 UTC 
Vulnerable versions are not in the tree anymore. 

GLSA Vote: no.
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2011-01-03 20:18:07 UTC 
GLSA Vote: no -> Closing. Feel free to reopen if you disagree.