Language Selection

English French German Italian Portuguese Spanish

Responsible Disclosure, and Amarok 1.4.10

Filed under
Software

Yesterday we released Amarok 1.4.10, an unanticipated security release. From the Release Anouncement you may notice that we gave thanks to Google Alerts for notifying us of this vulnerability. This was perfectly accurate.

I want to say up front that the security value of this vulnerability rates so low that it's amazing Secunia even bothered with it. It requires local access (or at least, a shell prompt), and it requires our code parsing a file whose name was hardcoded to execute the code (doesn't)/overflow a buffer (doesn't)/do things incorrectly (doesn't). At worst, you could maybe make Amarok crash, and since this would be a race condition, you'd have to be extremely lucky, and this could only happen between when the user was downloading the Magnatune database and when it was being parsed. Not exactly mission-critical. So, the actual threat of the vulnerability was approximately nil. That wasn't the driving factor behind the sudden release -- the driving factor was the fact that since Secunia did issue an advisory, we wanted to respond to it as soon as possible. Which should have been 36 hours before. Here's where the bungling comes in.

At midnight Tuesday morning, Dwayne Litzenberger posts a bug report on the public Debian bug tracker with snippets of code from Amarok, and the following:

I'm not familiar enough with Qt to be sure, but it looks to me like the code creating a temporary file insecurely. At minimum, I think this code will break if another user has already created /tmp/album_info.xml (thus preventing the current user from deleting it).

More Here




More in Tux Machines

SUSE Linux Enterprise High Availability Extension

Historically, data replication has been available only piecemeal through proprietary vendors. In a quest to remediate history, SUSE and partner LINBIT announced a solution that promises to change the economics of data replication. The two companies' collaborative effort is the headliner in the updated SUSE Linux Enterprise High Availability Extension, which now includes LINBIT's integrated geo-clustering technology. Read more

Tizen and Android

Open source is mission critical for Europe’s air traffic

It is entirely possible to use open source in a highly regulated environment such as air traffic control, says Dr Gerolf Ziegenhain, Head of Linux Competence & Service Centre (LCSC) in Mainz (Germany). Open source service providers can shield an organisation from the wide variety of development processes in the open source community. Read more

today's leftovers

  • DRM display resource leasing (kernel side)
    So, you've got a fine head-mounted display and want to explore the delights of virtual reality. Right now, on Linux, that means getting the window system to cooperate because the window system is the DRM master and holds sole access to all display resources. So, you plug in your device, play with RandR to get it displaying bits from the window system and then carefully configure your VR application to use the whole monitor area and hope that the desktop will actually grant you the boon of page flipping so that you will get reasonable performance and maybe not even experience tearing. Results so far have been mixed, and depend on a lot of pieces working in ways that aren't exactly how they were designed to work.
  • GUADEC accommodation
    At this year’s GUADEC in Manchester we have rooms available for you right at the venue in lovely modern student townhouses. As I write this there are still some available to book along with your registration. In a couple of days we have to a final numbers to the University for how many rooms we want, so it would help us out if all the folk who want a room there could register and book one now if you haven’t already done so! We’ll have some available for later booking but we have to pay up front for them now so we can’t reserve too many.
  • Kickstarter for Niryo One, open source 6-axis 3D printed robotic arm, doubles campaign goal
    A Kickstarter campaign for the Niryo One, an open source 3D printed 6-axis robotic arm, has more than doubled its €20,000 target after just a couple of days. The 3D printed robot is powered by Arduino, Raspberry Pi, and Robot Operating System.
  • Linux Action Show to End Eleven Year Run at LFNW
    Jupiter Broadcasting’s long-running podcast, Linux Action Show, will soon be signing off the air…er, fiber cable, for the last time. The show first streamed on June 10, 2006 and was hosted by “Linux Tycoon” Bryan Lunduke and Jupiter Broadcasting founder Chris Fisher. Lunduke left the show in 2012, replaced by Matt Hartley, who served as co-host for about three years. The show is currently hosted by Fisher and Noah Chelliah, president of Altispeed, an open source technology company located in Grand Forks, North Dakota.