
Responsible Disclosure, and Amarok 1.4.10

Filed under
Software

Yesterday we released Amarok 1.4.10, an unanticipated security release. From the Release Announcement you may notice that we gave thanks to Google Alerts for notifying us of this vulnerability. This was perfectly accurate.

I want to say up front that the security value of this vulnerability rates so low that it's amazing Secunia even bothered with it. It requires local access (or at least, a shell prompt), and it requires our code parsing a file whose name was hardcoded in order to execute code (it doesn't), overflow a buffer (it doesn't), or do things incorrectly (it doesn't). At worst, you could maybe make Amarok crash, and since this would be a race condition, you'd have to be extremely lucky, and this could only happen between when the user was downloading the Magnatune database and when it was being parsed. Not exactly mission-critical. So, the actual threat of the vulnerability was approximately nil. That wasn't the driving factor behind the sudden release -- the driving factor was the fact that since Secunia did issue an advisory, we wanted to respond to it as soon as possible. Which should have been 36 hours earlier. Here's where the bungling comes in.

At midnight Tuesday morning, Dwayne Litzenberger posts a bug report on the public Debian bug tracker with snippets of code from Amarok, and the following:

I'm not familiar enough with Qt to be sure, but it looks to me like the code is creating a temporary file insecurely. At minimum, I think this code will break if another user has already created /tmp/album_info.xml (thus preventing the current user from deleting it).
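The failure mode in that report is the classic one for a fixed, predictable name in a world-writable directory: anyone with a shell can pre-create /tmp/album_info.xml (so the real user's open or unlink fails), or plant a symlink there so that the application's write lands on a file the attacker chose. The following POSIX C++ program is an added illustration written for this page; it is not Amarok's code and not the snippet quoted in the bug report. It simulates the race in a private scratch directory (assumed to be under $TMPDIR or /tmp, so it never touches the shared /tmp), shows the fixed-path open following a planted symlink and clobbering another file, and then shows the two standard fixes: opening the fixed path with O_CREAT|O_EXCL|O_NOFOLLOW so anything already at that name is refused, and letting mkstemp() pick a unique name so there is no predictable path to attack at all. In KDE/Qt code the equivalent is to use the toolkit's temporary-file class rather than a hardcoded path; the file and directory names below are illustrative.

```cpp
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <string>
#include <vector>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>

// Private scratch directory standing in for /tmp (assumption: $TMPDIR or /tmp is writable).
static std::string make_scratch_dir() {
    const char *base = std::getenv("TMPDIR");
    std::string tmpl = std::string(base && *base ? base : "/tmp") + "/amarok_demo_XXXXXX";
    std::vector<char> buf(tmpl.begin(), tmpl.end());
    buf.push_back('\0');
    if (!mkdtemp(buf.data())) { std::perror("mkdtemp"); std::exit(1); }
    return std::string(buf.data());
}

// The pattern the bug report describes: a predictable name in a shared
// directory, opened with O_CREAT|O_TRUNC. This happily follows a symlink that
// someone else left at that name. Returns the fd, or -1.
int open_fixed_path_insecure(const std::string &path) {
    return ::open(path.c_str(), O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

// Hardened variant of the same call: O_EXCL refuses to reuse anything already
// at the path (including a dangling symlink) and O_NOFOLLOW refuses symlinks.
// Returns the fd, or -1 with errno == EEXIST / ELOOP.
int open_fixed_path_excl(const std::string &path) {
    return ::open(path.c_str(), O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

// Preferred fix: let the kernel pick a unique name under our template, so no
// attacker can pre-create or symlink it. The chosen path is returned in out_path.
int open_unique_tmp(const std::string &dir, std::string &out_path) {
    std::string tmpl = dir + "/album_info_XXXXXX";   // hypothetical template name
    std::vector<char> buf(tmpl.begin(), tmpl.end());
    buf.push_back('\0');
    int fd = mkstemp(buf.data());
    if (fd >= 0) out_path.assign(buf.data());
    return fd;
}

static std::string read_small_file(const std::string &path) {
    char buf[64] = {0};
    FILE *f = std::fopen(path.c_str(), "r");
    if (!f) return "";
    std::fread(buf, 1, sizeof buf - 1, f);
    std::fclose(f);
    return std::string(buf);
}

// Simulates the race: the "attacker" plants a symlink at the predictable name
// before the "victim" opens it. Returns true if the victim's write clobbered the
// attacker's chosen target file.
bool demo_symlink_clobber(bool hardened) {
    std::string dir = make_scratch_dir();
    std::string target = dir + "/victim_secret";      // constructed victim file
    std::string fixed = dir + "/album_info.xml";      // the predictable temp path
    FILE *f = std::fopen(target.c_str(), "w");
    if (!f) { std::perror("fopen"); std::exit(1); }
    std::fputs("secret", f);
    std::fclose(f);

    if (symlink(target.c_str(), fixed.c_str()) != 0) { std::perror("symlink"); std::exit(1); }

    int fd = hardened ? open_fixed_path_excl(fixed) : open_fixed_path_insecure(fixed);
    if (fd >= 0) {
        const char *xml = "<album/>";                 // constructed "downloaded" payload
        if (write(fd, xml, std::strlen(xml)) < 0) std::perror("write");
        close(fd);
    }
    bool clobbered = read_small_file(target) != "secret";

    unlink(fixed.c_str());
    unlink(target.c_str());
    rmdir(dir.c_str());
    return clobbered;
}

int main() {
    std::printf("fixed path, O_TRUNC:            clobbered=%d\n", demo_symlink_clobber(false));
    std::printf("fixed path, O_EXCL|O_NOFOLLOW:  clobbered=%d\n", demo_symlink_clobber(true));
    std::string p;
    int fd = open_unique_tmp(make_scratch_dir(), p);
    std::printf("mkstemp path: %s (fd %d)\n", p.c_str(), fd);
    if (fd >= 0) { close(fd); unlink(p.c_str()); }
    std::string d = p.substr(0, p.rfind('/'));
    rmdir(d.c_str());
    return 0;
}
```

Two caveats a practitioner should keep in mind. First, the hardened open only turns the attack into the denial-of-service the reporter mentions: if someone else already owns /tmp/album_info.xml, O_EXCL fails and the application must cope with that, which is why mkstemp() with a per-user or per-process template is the better fix. Second, on Linux with fs.protected_symlinks enabled the kernel refuses to follow symlinks owned by another user in a sticky world-writable directory such as the real /tmp, so the clobber above may not reproduce there; the demo uses a private directory precisely so the underlying open() behaviour is visible regardless of that mitigation.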
