
Responsible Disclosure, and Amarok 1.4.10

Filed under: Software

Yesterday we released Amarok 1.4.10, an unanticipated security release. From the Release Announcement you may notice that we gave thanks to Google Alerts for notifying us of this vulnerability. This was perfectly accurate.

I want to say up front that the security value of this vulnerability rates so low that it's amazing Secunia even bothered with it. It requires local access (or at least a shell prompt), and it requires our code, while parsing a file whose name was hardcoded, to execute that file's contents (it doesn't), overflow a buffer (it doesn't), or otherwise do something incorrect (it doesn't). At worst, you could maybe make Amarok crash, and since this would be a race condition you'd have to be extremely lucky: it could only happen between the moment the user downloaded the Magnatune database and the moment it was parsed. Not exactly mission-critical. So the actual threat from the vulnerability was approximately nil. That wasn't the driving factor behind the sudden release; the driving factor was that since Secunia did issue an advisory, we wanted to respond to it as soon as possible. Which should have been 36 hours earlier. Here's where the bungling comes in.

At midnight Tuesday morning, Dwayne Litzenberger posts a bug report on the public Debian bug tracker with snippets of code from Amarok, and the following:

I'm not familiar enough with Qt to be sure, but it looks to me like the code is creating a temporary file insecurely. At minimum, I think this code will break if another user has already created /tmp/album_info.xml (thus preventing the current user from deleting it).
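As an added illustration (not code from Amarok, from the bug report, or from the 1.4.10 fix), here is the temp-file pattern the report is describing, written against POSIX calls rather than Qt so it builds without Qt. It shows three versions side by side: the naive hard-coded name in a shared directory, the same name opened with O_EXCL|O_NOFOLLOW (which refuses to follow a planted symlink but still fails whenever another user created the name first, which is the breakage the report points out), and mkstemp(3), which picks an unpredictable name and creates it atomically. The function names, the mkdtemp sandbox, the planted symlink and the "victim" file are all constructed for the demo; nothing here claims what Amarok's code actually did beyond using a fixed name under /tmp.

```cpp
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <fcntl.h>
#include <string>
#include <sys/stat.h>
#include <unistd.h>
#include <vector>

// Outcome of one simulated run inside a private sandbox directory.
struct DemoResult {
    bool naive_followed_symlink;  // naive open() truncated the file the symlink pointed at
    bool excl_refused_existing;   // O_EXCL|O_NOFOLLOW open failed on the pre-planted name
    int  excl_errno;              // errno from that refusal (EEXIST, or ELOOP on some systems)
    bool mkstemp_ok;              // mkstemp gave a fresh, distinct file on each call
    std::string path_a, path_b;   // the two mkstemp names
};

// Vulnerable pattern (hypothetical code): a hard-coded name in a shared directory,
// opened with O_TRUNC. If someone pre-created that name as a symlink, this silently
// truncates whatever the link points at, with the privileges of the calling user.
int open_fixed_name_naive(const std::string &path) {
    return open(path.c_str(), O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

// First hardening step: O_EXCL refuses to reuse an existing name (including a symlink)
// and O_NOFOLLOW refuses to follow one. The overwrite is gone, but the call now fails
// whenever another user got to the name first: exactly what the bug report describes.
int open_fixed_name_excl(const std::string &path) {
    return open(path.c_str(), O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

// Proper fix: mkstemp(3) picks an unpredictable name and creates it atomically with
// O_EXCL and mode 0600, so there is no name to guess and nothing to pre-create.
int open_unpredictable(const std::string &dir, std::string &out_path) {
    std::string tmpl = dir + "/album_info.XXXXXX";
    std::vector<char> buf(tmpl.begin(), tmpl.end());
    buf.push_back('\0');
    int fd = mkstemp(buf.data());
    if (fd < 0) return -1;
    out_path.assign(buf.data());
    return fd;
}

// Read a small file whole; used to see whether the "victim" was truncated.
static std::string slurp(const std::string &path) {
    std::string out;
    FILE *f = std::fopen(path.c_str(), "rb");
    if (!f) return out;
    char buf[256];
    size_t n;
    while ((n = std::fread(buf, 1, sizeof buf, f)) > 0) out.append(buf, n);
    std::fclose(f);
    return out;
}

// Run the three patterns against a planted symlink in a private mkdtemp() sandbox
// (nothing touches the real /tmp), then clean up.
DemoResult run_demo() {
    DemoResult r{};
    char tmpl_tmp[] = "/tmp/tmpfile_demo.XXXXXX";
    char tmpl_cwd[] = "./tmpfile_demo.XXXXXX";
    char *dir_c = mkdtemp(tmpl_tmp);
    if (!dir_c) dir_c = mkdtemp(tmpl_cwd);   // fall back to the working directory
    if (!dir_c) return r;
    std::string dir(dir_c);

    // Constructed "victim" file that an attacker would like to see destroyed.
    std::string victim = dir + "/victim.txt";
    FILE *v = std::fopen(victim.c_str(), "wb");
    if (!v) return r;
    std::fputs("important data\n", v);
    std::fclose(v);

    // The attacker plants the predictable name as a symlink to the victim.
    std::string fixed = dir + "/album_info.xml";
    (void)symlink(victim.c_str(), fixed.c_str());

    int fd = open_fixed_name_naive(fixed);
    if (fd >= 0) close(fd);
    r.naive_followed_symlink = (fd >= 0) && slurp(victim).empty();

    fd = open_fixed_name_excl(fixed);
    r.excl_refused_existing = (fd < 0);
    r.excl_errno = (fd < 0) ? errno : 0;
    if (fd >= 0) close(fd);

    int fa = open_unpredictable(dir, r.path_a);
    int fb = open_unpredictable(dir, r.path_b);
    r.mkstemp_ok = fa >= 0 && fb >= 0 && r.path_a != r.path_b;
    if (fa >= 0) close(fa);
    if (fb >= 0) close(fb);

    if (!r.path_a.empty()) unlink(r.path_a.c_str());
    if (!r.path_b.empty()) unlink(r.path_b.c_str());
    unlink(fixed.c_str());
    unlink(victim.c_str());
    rmdir(dir.c_str());
    return r;
}

// True when every pattern behaved as described in the comments above.
bool demo_all_ok() {
    DemoResult r = run_demo();
    return r.naive_followed_symlink && r.excl_refused_existing
        && (r.excl_errno == EEXIST || r.excl_errno == ELOOP) && r.mkstemp_ok;
}

int main() {
    DemoResult r = run_demo();
    std::printf("naive open truncated victim via symlink: %s\n", r.naive_followed_symlink ? "yes" : "no");
    std::printf("O_EXCL|O_NOFOLLOW refused planted name:   %s (errno %d)\n",
                r.excl_refused_existing ? "yes" : "no", r.excl_errno);
    std::printf("mkstemp gave distinct files:             %s (%s, %s)\n",
                r.mkstemp_ok ? "yes" : "no", r.path_a.c_str(), r.path_b.c_str());
    return demo_all_ok() ? 0 : 1;
}
```

The check worth taking away: whenever a name in a world-writable directory is known in advance, try what the open call does when that name already exists, once as a regular file owned by someone else and once as a symlink, and prefer an API that chooses the name for you (mkstemp here; Qt's QTemporaryFile does the same job in Qt code).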

More in Tux Machines

GNOME and GTK News: GNOME Release and More

These are the most exciting Linux powered devices

What started off as a hobby project for the Finnish engineer Linus Torvalds has turned into a global phenomenon. Today Linux is literally powering the modern economy: everything from Amazon public clouds to stock exchanges and social networks runs on Linux. It also runs in devices like sensors, printers, routers, and whatnot. Linux virtually owns the smartphone market with Android.

FreeBSD News: 64-bit Inodes and KDE

  • FreeBSD Lands Support For 64-bit Inodes (ino64 Project)
    While Linux and other operating systems (including DragonFlyBSD) have supported 64-bit inodes for data structures on file-systems, FreeBSD has been limited to 32-bit. But thanks to the work of many on the ino64 project, FreeBSD now has support for 64-bit inodes while retaining backwards compatibility.
  • KDE FreeBSD CI (2)
    The KDE Continuous Integration system builds KDE software from scratch, straight from the git repositories, and usually from master (or whatever is considered the development branch). It’s been building for Linux for a long time, and has recently been expanded with FreeBSD servers as well. KDE sysadmin has been kind enough to provide two more VMs (with some more compiling “oomph”) so that we can keep up better, and the CI has just been expanded with all of the Plasma products. That means we’re now building KDE Frameworks, and the Plasma desktop.

Enlightenment 0.21.8

  • Enlightenment DR 0.21.8 Release
    This is another bugfix and stability release for the Enlightenment 21 Release series.
  • Enlightenment 0.21.8 Released
    Enlightenment 0.21.8 was released this week as the latest stable point release in the E21 series. It carries a number of fixes, including display fixes, a change that avoids starting XWayland repeatedly, X11- and Wayland-specific alterations, and other routine work.