Bug 474010 - media-sound/spotify-0.9.1.55 version bump
Summary: media-sound/spotify-0.9.1.55 version bump
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal with 1 vote
Assignee: Matthew Thode ( prometheanfire )
Keywords: EBUILD
Duplicates: 475130
Reported: 2013-06-21 07:44 UTC by Lukas Polacek
Modified: 2013-10-13 01:52 UTC
10 users



Attachments
spotify-0.9.1.55.ebuild (spotify-0.9.1.55.ebuild,4.74 KB, text/plain)
2013-06-21 07:45 UTC, Lukas Polacek
Description Lukas Polacek 2013-06-21 07:44:23 UTC
New version of Spotify is available.

Reproducible: Always
Comment 1 Lukas Polacek 2013-06-21 07:45:28 UTC
Created attachment 351512
spotify-0.9.1.55.ebuild
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2013-06-21 13:06:26 UTC
Comment on attachment 351512
spotify-0.9.1.55.ebuild

--- spotify-0.9.0.133-r1.ebuild 2013-06-10 22:27:04.000000000 +0200
+++ -   2013-06-21 15:06:19.085604938 +0200
@@ -1,16 +1,15 @@
 # Copyright 1999-2013 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/media-sound/spotify/spotify-0.9.0.133-r1.ebuild,v 1.1 2013/06/10 20:27:04 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/media-sound/spotify/spotify-0.8.8.323-r2.ebuild,v 1.2 2013/03/23 19:59:15 vapier Exp $
 
 EAPI=4
 inherit eutils fdo-mime gnome2-utils pax-utils unpacker
 
 DESCRIPTION="Spotify is a social music platform"
 HOMEPAGE="https://www.spotify.com/ch-de/download/previews/"
-MY_PV="${PV}.gd18ed58.259-1"
+MY_PV="${PV}.gbdd3b79.203-1"
 MY_P="${PN}-client_${MY_PV}"
 SRC_BASE="http://repository.spotify.com/pool/non-free/${PN:0:1}/${PN}/"
-#SRC_BASE="http://download.spotify.com/preview/"
 SRC_URI="
        x86?   ( ${SRC_BASE}${MY_P}_i386.deb )
        amd64? ( ${SRC_BASE}${MY_P}_amd64.deb )
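Review bot: the added `$Header` line names spotify-0.8.8.323-r2.ebuild (v 1.2, vapier) although the file being replaced is 0.9.0.133-r1, which suggests the new ebuild was copied from the older revision. Compare it against 0.9.0.133-r1 in full so that nothing introduced in -r1 is lost, and leave the header for CVS to regenerate. Separately, `SRC_BASE` in the context lines fetches the .deb over plain `http://`; an `https://` base would be preferable if upstream serves one.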
Comment 3 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-06-21 14:49:36 UTC
scanelf: rpath_security_checks(): Security problem NULL DT_RPATH in /var/tmp/portage/media-sound/spotify-0.9.1.55/image/opt/spotify/spotify-client/spotify
Auto fixing rpaths for /var/tmp/portage/media-sound/spotify-0.9.1.55/image/opt/spotify/spotify-client/spotify

 * QA Notice: The following files contain insecure RUNPATHs
 *  Please file a bug about this at http://bugs.gentoo.org/
 *  with the maintaining herd of the package.
 *   /var/tmp/portage/media-sound/spotify-0.9.1.55/image/opt/spotify/spotify-client/spotify
 * 

Not packaging while it has a sec bug, let me see what I can do.
Comment 4 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-06-24 20:00:15 UTC
making a note here

http://blog.tremily.us/posts/rpath/
Comment 5 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-06-30 22:48:50 UTC
*** Bug 475130 has been marked as a duplicate of this bug. ***
Comment 6 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-06-30 22:49:31 UTC
Upstream said they have a fix for the next release, hopefully soon...
Comment 7 James Cloos 2013-07-14 10:55:00 UTC
Note that the old version is not available.

Given the mirror restriction, the recent bump to -r1 is uninstallable.
Comment 8 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-07-15 00:52:40 UTC
sorry, I can't package something that has a sec vuln.  They have stated that they will release a new version soon, hopefully sooner rather than later.
Comment 9 Mark Loeser (RETIRED) gentoo-dev 2013-07-20 14:49:25 UTC
(In reply to Matthew Thode ( prometheanfire ) from comment #8)
> sorry, I can't package something that has a sec vuln.  They have stated that
> they will release a new version soon, hopefully sooner rather than later.

You can at least package it and package.mask it.  It is better than having a package that is completely uninstallable.
Comment 10 three sixes 2013-07-21 03:35:50 UTC
me too....

Fetch failed for 'media-sound/spotify-0.9.0.133-r1'

THANKS OBAMA....
Comment 11 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-07-21 04:25:00 UTC
I've committed the update (without keywords), but I'm going to leave this bug open until I get a good version from upstream.
Comment 12 Lukas Polacek 2013-07-21 07:39:02 UTC
prometheanfire: I work at Spotify and have access to some development versions. How do I check if this was fixed? Is it "scanelf -r"? What should be the output?
Comment 13 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-07-21 19:17:59 UTC
(In reply to Lukas Polacek from comment #12)
> prometheanfire: I work at Spotify and have access to some development
> versions. How do I check if this was fixed? Is it "scanelf -r"? What should
> be the output?

scanelf -F '%F:%r' -qBR "${ED}"

where "${ED}" is the variable containing your install image (the base / you wish to merge with the actual root dir)
Comment 14 Lukas Polacek 2013-07-22 20:12:15 UTC
The output is supposed to be empty, right? I get a line ending with "spotify:$ORIGIN:$ORIGIN/Data", so I guess this hasn't been fixed yet.
Comment 15 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-07-24 15:14:43 UTC
(In reply to Lukas Polacek from comment #14)
> The output is supposed to be empty, right? I get a line ending with
> "spotify:$ORIGIN:$ORIGIN/Data", so I guess this hasn't been fixed yet.

I have a better way for you to see if you fixed it.

run 'readelf -d $spotify-binary'

BAD
- 0x000000000000000f (RPATH)              Library rpath: [:$ORIGIN]
GOOD
+ 0x000000000000000f (RPATH)              Library rpath: [$ORIGIN]

This is typically an error in the build system if that helps.  See also http://blog.tremily.us/posts/rpath/
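Added example, not part of the bug thread: a small shell filter that automates the BAD/GOOD check from comment 15 by reading `readelf -d` output and flagging any RPATH or RUNPATH value with an empty component (leading colon, trailing colon, or `::`), which glibc's loader resolves as the current working directory. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit DT_RPATH / DT_RUNPATH values printed by `readelf -d`.

# Succeeds (status 0) when the path list contains an empty component.
rpath_has_empty_component() {
    case "$1" in
        ''|:*|*:|*::*) return 0 ;;   # empty, leading ':', trailing ':', '::'
        *) return 1 ;;
    esac
}

# Reads `readelf -d` output on stdin, prints one verdict per RPATH/RUNPATH
# entry, and returns 1 if any entry is insecure.
audit_readelf_dynamic() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            *'(RPATH)'*|*'(RUNPATH)'*) ;;
            *) continue ;;            # ignore NEEDED, SONAME, ...
        esac
        value=${line#*\[}             # drop everything up to the first '['
        value=${value%\]*}            # drop the closing ']'
        if rpath_has_empty_component "$value"; then
            printf 'BAD  [%s]\n' "$value"
            bad=1
        else
            printf 'GOOD [%s]\n' "$value"
        fi
    done
    return "$bad"
}

# Constructed sample input, modelled on the lines quoted in comments 15 and 16.
sample_dynamic() {
    cat <<'EOF'
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000f (RPATH)              Library rpath: [:$ORIGIN]
 0x000000000000000f (RPATH)              Library rpath: [$ORIGIN:$ORIGIN/Data]
EOF
}

# Real use: readelf -d /path/to/binary | audit_readelf_dynamic
sample_dynamic | audit_readelf_dynamic || echo "insecure RPATH entry found"
```
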
Comment 16 Lukas Polacek 2013-07-24 17:11:08 UTC
Alright, it's [$ORIGIN:$ORIGIN/Data], so there is no empty path. Let's hope we release a new public version soon.
Comment 17 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-07-24 17:20:06 UTC
sounds good to me :D