[CVE-2008-3699] Insecure creation of magnatune temp files

Bug #257993 reported by Jonathan Thomas
Affects                 Status         Importance   Assigned to          Milestone
Amarok                  Fix Released   Unknown      (unassigned)
The Dell Mini Project   Confirmed      Undecided    Nicolas Valcarcel
amarok (Ubuntu)         Fix Released   Medium       Jamie Strandboge
  Gutsy                 Fix Released   Undecided    Jamie Strandboge
  Hardy                 Fix Released   Undecided    Jonathan Thomas

Bug Description

A vulnerability was found in the creation of magnatune temporary files in amarok. A patch was made available from upstream. (Released with amarok 1.4.10)

References
    http://secunia.com/advisories/31418/
    http://www.securityfocus.com/bid/30662
    http://websvn.kde.org/?view=rev&revision=846626
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494765

Uploading a debdiff for hardy-security shortly.
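The class of bug described above is predictable or non-exclusive temporary file creation. The following is an added illustration, not the Amarok patch or any code from the project: it shows what "creates temp files correctly" means in practice on POSIX, using mkstemp(3) (randomised name, O_CREAT|O_EXCL, mode 0600) and a check that the resulting path is a private regular file rather than something pre-existing at a guessable name. The prefix "magnatune" and the TMPDIR fallback are assumptions for the example.

```cpp
// Added example (not from the Amarok patch): creating a temporary file safely.
#include <cerrno>
#include <cstdlib>
#include <cstring>
#include <string>
#include <vector>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

// Creates a temp file with a randomised name, atomically (O_CREAT|O_EXCL) and
// owner-only mode, via mkstemp(3). Returns the open fd (or -1) and the path.
// The "magnatune" prefix and the TMPDIR fallback are assumptions for this example.
int createSecureTempFile(std::string &outPath, const std::string &prefix = "magnatune")
{
    const char *dir = std::getenv("TMPDIR");
    if (dir == nullptr || *dir == '\0')
        dir = "/tmp";
    std::string tmpl = std::string(dir) + "/" + prefix + ".XXXXXX";
    std::vector<char> buf(tmpl.begin(), tmpl.end());
    buf.push_back('\0');
    int fd = mkstemp(buf.data());   // replaces XXXXXX, opens with O_EXCL, mode 0600
    if (fd < 0)
        return -1;
    outPath.assign(buf.data());
    return fd;
}

// Verifies the created path is a regular file (lstat, so a symlink is rejected)
// with no group/other permission bits.
bool isPrivateRegularFile(const std::string &path)
{
    struct stat st;
    if (lstat(path.c_str(), &st) != 0)
        return false;
    return S_ISREG(st.st_mode) && (st.st_mode & 077) == 0;
}

// Shows the property the fixed-name pattern lacks: with O_EXCL the open refuses
// a path that already exists instead of reusing (or following) it.
bool exclusiveCreateRefusesExisting(const std::string &path)
{
    int fd = open(path.c_str(), O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {
        close(fd);
        return false;
    }
    return errno == EEXIST;
}

// End-to-end check: create, inspect, confirm O_EXCL semantics, clean up.
bool selfCheck()
{
    std::string path;
    int fd = createSecureTempFile(path);
    if (fd < 0)
        return false;
    bool ok = path.find("magnatune.") != std::string::npos
           && isPrivateRegularFile(path)
           && exclusiveCreateRefusesExisting(path);
    close(fd);
    unlink(path.c_str());
    return ok;
}

int main()
{
    return selfCheck() ? 0 : 1;
}
```

The important detail is that name generation and file creation happen in one atomic call: a name that is chosen first and opened later (or opened without O_EXCL) can be pre-created by another local user before the application gets to it. Keeping the returned descriptor, rather than reopening by path, avoids reintroducing that window.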

CVE References
    CVE-2008-3699

Kees Cook (kees) wrote :

Thanks, we'll get this building for publication shortly.

Changed in amarok:
assignee: nobody → kees
status: New → In Progress
importance: Undecided → Low
Changed in amarok:
status: Unknown → Fix Released
Andrew Ash (ash211) wrote :

How is the security fix release process coming along? I haven't seen amarok show up on ubuntu.com/usn yet.

Changed in amarok:
importance: Low → Medium
Myriam Schweingruber (myriam) wrote :

This bug has been fixed in Amarok 1.4.10, available in the repos (backport IIRC) for quite a while.

Changed in amarok:
assignee: kees → jdstrand
Changed in amarok:
status: In Progress → Fix Released
assignee: nobody → jdstrand
status: New → Fix Committed
assignee: nobody → jdstrand
status: New → Fix Committed
assignee: jdstrand → echidnaman
Changed in amarok:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Nicola Ferralis (feranick) wrote :

AmaroK in the dell-mini custom repos is still at version 2:1.4.9.1-0ubuntu3, which is affected by a security vulnerability. A patch is already available in mainstream hardy-updates. Thus, this package should be ported to the dell-mini repos.

Changelog:

amarok (2:1.4.9.1-0ubuntu3.1) hardy-security; urgency=low

  * SECURITY UPDATE: Insecure creation of magnatune temp files
  * Added kubuntu_99_security_mangatune_file_creator.diff patching
    amarok/src/magnatunebrowser/magnatunebrowser.cpp and
    amarok/src/magnatunebrowser/magnatunebrowser.h. Creates temp files
    correctly. From upstream.
  * References
    http://secunia.com/advisories/31418/
    http://www.securityfocus.com/bid/30662
    http://websvn.kde.org/?view=rev&revision=846626
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494765
    CVE-2008-3699

Changed in dell-mini:
assignee: nobody → nvalcarcel
Changed in dell-mini:
status: New → Confirmed
Changed in dell-mini:
status: Confirmed → In Progress
status: In Progress → Fix Released
Nicola Ferralis (feranick) wrote :

Is this bug really being fixed on the Dell Mini? Although I read that a fix has been released, in reality I am still running the unpatched version 1.4.9.1-0ubuntu3, with no update available (for weeks).

Any insight of the status of the fix is highly appreciated.

Nicolas Valcarcel (nvalcarcel) wrote :

Really? Marking as Confirmed until it's checked. That should have been pushed long ago.

Changed in dell-mini:
status: Fix Released → Confirmed
Nicola Ferralis (feranick) wrote :

KDE has been updated to 3.5.10 in ubuntu-mini, but amarok is still at the old, unpatched version 1.4.9.1-0ubuntu3, based on KDE 3.5.9.

Andrew Ash (ash211) wrote :

Nicolas, what's the status of Amarok on the Dell Mini Project? It's been a while, surely the update has gone through by now so we can finally close the bug targeted at the Dell Mini Project.

This report contains Public Security information  
Everyone can see this security related information.