Language Selection

English French German Italian Portuguese Spanish

Responsible Disclosure, and Amarok 1.4.10

Filed under
Software

Yesterday we released Amarok 1.4.10, an unanticipated security release. From the Release Anouncement you may notice that we gave thanks to Google Alerts for notifying us of this vulnerability. This was perfectly accurate.

I want to say up front that the security value of this vulnerability rates so low that it's amazing Secunia even bothered with it. It requires local access (or at least, a shell prompt), and it requires our code parsing a file whose name was hardcoded to execute the code (doesn't)/overflow a buffer (doesn't)/do things incorrectly (doesn't). At worst, you could maybe make Amarok crash, and since this would be a race condition, you'd have to be extremely lucky, and this could only happen between when the user was downloading the Magnatune database and when it was being parsed. Not exactly mission-critical. So, the actual threat of the vulnerability was approximately nil. That wasn't the driving factor behind the sudden release -- the driving factor was the fact that since Secunia did issue an advisory, we wanted to respond to it as soon as possible. Which should have been 36 hours before. Here's where the bungling comes in.

At midnight Tuesday morning, Dwayne Litzenberger posts a bug report on the public Debian bug tracker with snippets of code from Amarok, and the following:

I'm not familiar enough with Qt to be sure, but it looks to me like the code creating a temporary file insecurely. At minimum, I think this code will break if another user has already created /tmp/album_info.xml (thus preventing the current user from deleting it).

More Here




More in Tux Machines

Linux Mint 18.1 Is The Best Mint Yet

The hardcore Linux geeks won’t read this article. They’ll skip right past it… They don’t like Linux Mint much. There’s a good reason for them not to; it’s not designed for them. Linux Mint is for folks who want a stable, elegant desktop operating system that they don’t want to have to constantly tinker with. Anyone who is into Linux will find Mint rather boring because it can get as close to the bleeding edge of computer technology. That said, most of those same hardcore geeks will privately tell you that they’ve put Linux Mint on their Mom’s computer and she just loves it. Linux Mint is great for Mom. It’s stable, offers everything she needs and its familiar UI is easy for Windows refugees to figure out. If you think of Arch Linux as a finicky, high-performance sports car then Linux Mint is a reliable station wagon. The kind of car your Mom would drive. Well, I have always liked station wagons myself and if you’ve read this far then I guess you do, too. A ride in a nice station wagon, loaded with creature comforts, cold blowing AC, and a good sound system can be very relaxing, indeed. Read more

Make Gnome 3 more accessible for everyday use

Gnome 3 is a desktop environment that was created to fix a problem that did not exist. Much like PulseAudio, Wayland and Systemd, it's there to give developers a job, while offering no clear benefit over the original problem. The Gnome 2 desktop was fast, lithe, simple, and elegant, and its replacement is none of that. Maybe the presentation layer is a little less busy and you can search a bit more quickly, but that's about as far as the list of advantages goes, which is a pretty grim result for five years of coding. Despite my reservation toward Gnome 3, I still find it to be a little bit more suitable for general consumption than in the past. Some of the silly early decisions have been largely reverted, and a wee bit more sane functionality added. Not enough. Which is why I'd like to take a moment or three to discuss some extra tweaks and changes you should add to this desktop environment to make it palatable. Read more

When to Use Which Debian Linux Repository

Nothing distinguishes the Debian Linux distribution so much as its system of package repositories. Originally organized into Stable, Testing, and Unstable, additional repositories have been added over the years, until today it takes more than a knowledge of a repository's name to understand how to use it efficiently and safely. Debian repositories are installed with a section called main that consists only of free software. However, by editing the file /etc/apt/sources.list, you can add contrib, which contains software that depends on proprietary software, and non-free, which contains proprietary software. Unless you choose to use only free software, contrib and non-free are especially useful for video and wireless drivers. You should also know that the three main repositories are named for characters from the Toy Story movies. Unstable is always called Sid, while the names of Testing and Stable change. When a new version of Debian is released, Testing becomes Stable, and the new version of Testing receives a name. These names are sometimes necessary for enabling a mirror site, but otherwise, ignoring these names gives you one less thing to remember. Read more

Today in Techrights