
Responsible Disclosure, and Amarok 1.4.10


Yesterday we released Amarok 1.4.10, an unanticipated security release. From the Release Announcement you may notice that we gave thanks to Google Alerts for notifying us of this vulnerability. This was perfectly accurate.

I want to say up front that the security value of this vulnerability rates so low that it's amazing Secunia even bothered with it. It requires local access (or at least, a shell prompt), and it requires our code parsing a file whose name was hardcoded to execute the code (doesn't)/overflow a buffer (doesn't)/do things incorrectly (doesn't). At worst, you could maybe make Amarok crash, and since this would be a race condition, you'd have to be extremely lucky, and this could only happen between when the user was downloading the Magnatune database and when it was being parsed. Not exactly mission-critical. So, the actual threat of the vulnerability was approximately nil. That wasn't the driving factor behind the sudden release -- the driving factor was the fact that since Secunia did issue an advisory, we wanted to respond to it as soon as possible. Which should have been 36 hours before. Here's where the bungling comes in.

At midnight Tuesday morning, Dwayne Litzenberger posts a bug report on the public Debian bug tracker with snippets of code from Amarok, and the following:

I'm not familiar enough with Qt to be sure, but it looks to me like the code is creating a temporary file insecurely. At minimum, I think this code will break if another user has already created /tmp/album_info.xml (thus preventing the current user from deleting it).
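The fixed-path pattern the bug report describes, placed beside the atomic alternative, as an added example in C that is not Amarok's code and does not reproduce what Amarok 1.4.9 actually did. Only the file name /tmp/album_info.xml comes from the report; the scratch directory, the "victim" file and the symlink standing in for a file another user planted are constructed for the demonstration. It shows the two consequences of a predictable name in a shared directory: fopen("w") on that name follows whatever link someone left there and overwrites the target, while an O_CREAT|O_EXCL open refuses the pre-placed entry and mkstemp(3) avoids the predictable name altogether.

```c
/* Added example, not Amarok's code: predictable temp-file path versus an
 * atomically created, uniquely named one. Scratch dir, victim file and the
 * planted symlink are all constructed here for the demonstration. */
#define _DEFAULT_SOURCE
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum { FIXED_PATH_CLOBBERED = 1, EXCLUSIVE_REFUSED = 2, TEMP_MODE_0600 = 4 };

/* The risky pattern: fopen("w") on a name everyone can predict. It follows a
 * symlink and truncates whatever the link points at; if another user owns a
 * real file at that name it fails instead, which is the breakage the bug
 * report describes. Returns 0 on success, -1 on failure. */
static int write_fixed_path(const char *path, const char *data)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs(data, f);
    return fclose(f);
}

/* Safer variant 1: with O_CREAT|O_EXCL, open(2) fails with EEXIST if anything
 * already exists at the path, a symlink included, so a pre-placed link cannot
 * redirect the write. Mode 0600 keeps the file private to the creating user. */
static int open_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Safer variant 2: mkstemp(3) picks an unpredictable suffix and creates the
 * file with O_CREAT|O_EXCL, mode 0600, in one step. tmpl must end in XXXXXX
 * and is overwritten with the name that was actually created. */
static int create_unique_temp(char *tmpl)
{
    return mkstemp(tmpl);
}

/* Runs all three against a fresh scratch directory; returns a bitmask of the
 * enum above (7 means: fixed path clobbered, exclusive refused, temp is 0600). */
int run_demo(void)
{
    const char *base = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    char dir[4096], fixed[4096], victim[4096], uniq[4096], buf[64] = {0};
    int result = 0, fd;
    FILE *f;

    snprintf(dir, sizeof dir, "%s/tmpfile-demo.XXXXXX", base);
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(fixed, sizeof fixed, "%s/album_info.xml", dir);   /* the predictable name */
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);     /* what an attacker aims it at */
    snprintf(uniq, sizeof uniq, "%s/album_info.XXXXXX", dir);

    /* Victim file with known contents, then a symlink planted at the fixed name. */
    if ((f = fopen(victim, "w")) != NULL) { fputs("original contents\n", f); fclose(f); }
    if (symlink(victim, fixed) != 0) goto cleanup;

    /* 1. The fixed-path write "succeeds" and overwrites the victim through the link. */
    if (write_fixed_path(fixed, "<album/>\n") == 0 && (f = fopen(victim, "r")) != NULL) {
        if (fgets(buf, sizeof buf, f) != NULL && strcmp(buf, "<album/>\n") == 0)
            result |= FIXED_PATH_CLOBBERED;
        fclose(f);
    }

    /* 2. The exclusive open sees the planted link and refuses it. */
    fd = open_exclusive(fixed);
    if (fd < 0 && errno == EEXIST)
        result |= EXCLUSIVE_REFUSED;
    else if (fd >= 0)
        close(fd);

    /* 3. mkstemp creates a fresh, private file under a name nobody could pre-plant. */
    fd = create_unique_temp(uniq);
    if (fd >= 0) {
        struct stat st;
        if (fstat(fd, &st) == 0 && (st.st_mode & 0777) == 0600 && strcmp(uniq, fixed) != 0)
            result |= TEMP_MODE_0600;
        close(fd);
        unlink(uniq);
    }

cleanup:
    unlink(fixed);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_demo();
    printf("fixed path clobbered: %d, exclusive open refused: %d, temp file is 0600: %d\n",
           !!(r & FIXED_PATH_CLOBBERED), !!(r & EXCLUSIVE_REFUSED), !!(r & TEMP_MODE_0600));
    return r == (FIXED_PATH_CLOBBERED | EXCLUSIVE_REFUSED | TEMP_MODE_0600) ? 0 : 1;
}
```

The symlink here is a stand-in for the real-world race: in a world-writable /tmp any local user can plant an entry at a predictable name before the victim's process gets to it. In Qt code the equivalent of the mkstemp variant is QTemporaryFile, which generates the unique name and creates the file in one step instead of building a path by hand. Note that the demonstration is run inside a private 0700 directory; on Linux with fs.protected_symlinks enabled, the kernel would already refuse to follow a link planted by another user in the sticky, world-writable /tmp, which narrows but does not remove the problem with predictable names.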


More in Tux Machines

Android 6.0 Marshmallow review

Android, Google’s mobile operating system, has matured a lot over the past year. It’s running on 1.4 billion devices (up from 1 billion last year) and its most popular app store, Google Play, has more than 1 billion active users. In the last quarter, IDC estimates that Android held 82.8 percent of the global smartphone market. As its newest iteration, 6.0 Marshmallow, rolls out, Android’s going incredibly, undeniably strong.

At the Heart of OpenStack Evolution

As it matures, OpenStack's parallel to Linux is clearer. Linux emerged 20 years ago as a somewhat exotic challenger to proprietary operating systems. Today, it is one of the most popular and widely used OSes. However, Linux still exists in a market of mixed use. It's likely that OpenStack will be subject to the same effect, becoming a viable option among a number of cloud infrastructures.

GParted Live Gets the Latest Updates from Debian Sid

GParted Live, a small bootable GNU/Linux distribution for x86-based computers that can be used for creating, reorganizing, and deleting disk partitions, has been upgraded to version 0.23.0-2 and is now available for download.

MATE-Desktop 1.11 Released, Working Towards MATE 1.12

MATE developers are currently working towards MATE 1.12. MATE 1.12 is expected to have full support for GTK3, initial support for Wayland, support for GNOME Account Servers, full support for systemd's logind, xf86-input-libinput driver support, and various other changes. The work-in-progress items can be found via the MATE-Desktop Roadmap.