Responsible Disclosure, and Amarok 1.4.10
Submitted by srlinuxx on Thursday 14th of August 2008 10:26:40 PM
Filed under
Yesterday we released Amarok 1.4.10, an unanticipated security release. From the Release Anouncement you may notice that we gave thanks to Google Alerts for notifying us of this vulnerability. This was perfectly accurate.
I want to say up front that the security value of this vulnerability rates so low that it's amazing Secunia even bothered with it. It requires local access (or at least, a shell prompt), and it requires our code parsing a file whose name was hardcoded to execute the code (doesn't)/overflow a buffer (doesn't)/do things incorrectly (doesn't). At worst, you could maybe make Amarok crash, and since this would be a race condition, you'd have to be extremely lucky, and this could only happen between when the user was downloading the Magnatune database and when it was being parsed. Not exactly mission-critical. So, the actual threat of the vulnerability was approximately nil. That wasn't the driving factor behind the sudden release -- the driving factor was the fact that since Secunia did issue an advisory, we wanted to respond to it as soon as possible. Which should have been 36 hours before. Here's where the bungling comes in.
At midnight Tuesday morning, Dwayne Litzenberger posts a bug report on the public Debian bug tracker with snippets of code from Amarok, and the following:
I'm not familiar enough with Qt to be sure, but it looks to me like the code creating a temporary file insecurely. At minimum, I think this code will break if another user has already created /tmp/album_info.xml (thus preventing the current user from deleting it).
»
-
- Login or register to post comments
Printer-friendly version- 644 reads
PDF version
More in Tux Machines
- Highlights
- Front Page
- Latest Headlines
- Archive
- Recent comments
- All-Time Popular Stories
- Hot Topics
- New Members
KTextEditorPreviewPlugin Reaches 0.1.0 and a Quick Look (Screenshots) at KDE Plasma 5.11
| Antergos 17.9 Gnome - Ghost riders in the Tux
Antergos 17.9 is a weird distro, full of polarities. It comes with a weak live session, and it does not really demo what it can do. The installer is good, robust, and if offers some neat tricks, including extra software and proprietary graphics driver. I'm really impressed by that. The installed system behaved reasonably, but with some oddities.
Hardware support isn't the best, most notably touchpad and what happened after waking from suspend. On the other hand, you get good smartphone and media support, a colorful and practical software selection, a moderately reasonable package manager with some tiny dependency hiccups, pretty looks, okay performance, and nowhere does it advertise its Archness. Much better than I expected, not as good as it should be. Well, taking everything into consideration, I guess it deserves something like 7.5/10. Antergos needs a livelier live session, more hardware love out of the box, and a handful of small tweaks around desktop usability. Shouldn't be too hard to nail. Worth watching.
|
LibreELEC (Krypton) v8.1.2 BETA
This is the third beta for our 8.2 release. It addresses minor findings related to the Samba bump: we now detect and avoid invalid Samba v3 configurations, old samba.conf.sample templates are overwritten with the new v4 template, and remote SMB shares are mounted using SMB2 or where possible SMB3. The release also adds support for the Raspberry Pi IQAudIO Digi+ board and a Xiaomi BT remote, and includes security fixes for the Blueborne Linux/BlueZ vulnerability. This is hopefully the final 8.1.x beta release; next will be 8.2.0.
| Android Leftovers
|
Content (where original) is available under CC-BY-SA, copyrighted by original author/s.
Recent comments
5 days 4 hours ago
1 week 12 min ago
1 week 1 day ago
1 week 5 days ago
1 week 6 days ago
2 weeks 6 days ago
3 weeks 10 hours ago
3 weeks 11 hours ago
3 weeks 17 hours ago
4 weeks 3 days ago