
List:       oss-security
Subject:    Re: [oss-security] CVE 2011-* Request -- rhythmbox (context plug-in): Insecure temporary directory u
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2012-06-25 17:04:59
Message-ID: 4FE89A3B.2020201 () redhat ! com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/25/2012 07:36 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
> 
> An insecure temporary directory use flaw was found in the way 
> Rhythmbox, an integrated music management application based on the 
> powerful GStreamer media framework, performed loading of HTML
> template files, used for rendering of 'Album', 'Lyrics', and
> 'Artist' tabs. Previously, the '/tmp/context' directory was
> searched as the module directory when loading the HTML template files.
> A local attacker could use this flaw to conduct symbolic link
> attacks (possibly leading to the attacker's ability to execute an
> arbitrary HTML template file in the context of the user running the
> rhythmbox executable).
> 
> Upstream bug report:
> [1] https://bugzilla.gnome.org/show_bug.cgi?id=678661
> 
> References:
> [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=616673
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=835076
> 
> Please note the [2] bug has been reported / opened on: "Date: Sun,
> 06 Mar 2011 14:58:46 +0100" yet, so this should get a CVE-2011-*
> identifier. Could you allocate one?
> 
> Thank you && Regards, Jan.
> -- 
> Jan iankko Lieskovsky / Red Hat Security Response Team

Please use CVE-2012-3355 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
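An added example (not Rhythmbox's, Red Hat's or the list's code) of the check a plugin can apply before trusting a template or module directory such as the '/tmp/context' path described in the quoted report; the function names and the scenario built by demo() are constructed for illustration.

```python
"""Added example: refuse a fixed, shared temp directory as a template/module
search path; prefer a private per-user directory instead."""
import os
import stat
import tempfile


def is_safe_template_dir(path, uid=None):
    """Return True only if `path` is a real directory, owned by `uid`
    (default: the current user) and not writable by group or others.
    A symlink or a world-writable /tmp/<name> directory is rejected."""
    uid = os.getuid() if uid is None else uid
    try:
        st = os.lstat(path)  # lstat: do not follow a planted symlink
    except FileNotFoundError:
        return False
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != uid:  # pre-created by another local user
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False  # others could swap the HTML templates underneath us
    return True


def private_template_dir(base=None):
    """Create a mode-0700 directory with an unpredictable name under the
    user's cache directory (hypothetical replacement for '/tmp/context')."""
    base = base or os.environ.get("XDG_CACHE_HOME") or os.path.expanduser("~/.cache")
    os.makedirs(base, mode=0o700, exist_ok=True)
    return tempfile.mkdtemp(prefix="context-", dir=base)  # mkdtemp creates 0700


def demo():
    """Constructed scenario: one private dir, one world-writable dir,
    one symlink pointing at the private dir (mimics the attack surface)."""
    scratch = tempfile.mkdtemp()
    good = private_template_dir(scratch)
    shared = os.path.join(scratch, "context")
    os.mkdir(shared)
    os.chmod(shared, 0o777)  # explicit chmod defeats umask, like a shared /tmp dir
    link = os.path.join(scratch, "context-link")
    os.symlink(good, link)
    return {
        "private": is_safe_template_dir(good),
        "world_writable": is_safe_template_dir(shared),
        "symlink": is_safe_template_dir(link),
    }
```

The ownership check cannot be shown without a second account, but it is what stops another local user from pre-creating the directory before the application does.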