FS#6593 - Warning on Amarok

Attached to Project: Arch Linux
Opened by DaNiMoTh (DaNiMoTh) - Wednesday, 14 March 2007, 13:34 GMT
Last edited by Tobias Powalowski (tpowa) - Sunday, 08 April 2007, 06:58 GMT
Task Type: Bug Report
Category: Security
Status: Closed
Assigned To: Damir Perisa (damir.perisa)
Architecture: All
Severity: Low
Priority: Normal
Reported Version: 0.7.2 Gimmick
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

------------------------------------------------------------
Arch Linux Security Warning ALSW 2007-#15
------------------------------------------------------------

Name: amarok-base
Date: 2007-03-14
Severity: Low
Warning #: 2007-#15

------------------------------------------------------------

Product Background
===================
Amarok is an advanced music player.


Problem Background
===================
The Magnatune component shipped with Amarok is vulnerable to the
injection of arbitrary shell code from a malicious Magnatune server.

Impact
==========
A compromised or malicious Magnatune server can remotely execute
arbitrary shell code with the rights of the user running Amarok on a
client that has previously registered for buying music.

Workaround
==========
Do not use the Magnatune component of Amarok.

Problem Packages
===================
Package: amarok-base
Repo: extra
Group: multimedia
Unsafe: <= 1.4.5-2
Safe: Only patched

Package Fix
===================

Patch amarok with this patch ( from SVN repo, formatted by our gentoo cousin :P ):
http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-sound/amarok/files/amarok-1.4.5-magnatune.patch

====================

Unofficial ArchLinux Security Bug Tracker:
http://jjdanimoth.netsons.org/alsw.html

Reference(s)
===================

http://secunia.com/advisories/24159
CVE-2006-6979
Closed by  Tobias Powalowski (tpowa)
Sunday, 08 April 2007, 06:58 GMT
Reason for closing:  Fixed
Comment by DaNiMoTh (DaNiMoTh) - Monday, 19 March 2007, 13:38 GMT
Number of ALSW is 19, not 15. Excuse me.
On the CVS page I see the patch, but it isn't applied in the PKGBUILD. Why?
Comment by Damir Perisa (damir.perisa) - Monday, 19 March 2007, 20:17 GMT
I added the patch but did not have the time to build and release a new release... then it went to testing because of python and things... now it's finally out of testing again and I again do not have the time to rebuild it - ah! I will forward it to some other dev.
