Bug#683044: unblock: rhythmbox/2.97-2.1
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package rhythmbox
Fixes RC/security bug #616673.
unblock rhythmbox/2.97-2.1
diff -Nru rhythmbox-2.97/debian/changelog rhythmbox-2.97/debian/changelog
--- rhythmbox-2.97/debian/changelog 2012-06-20 01:38:10.000000000 -0400
+++ rhythmbox-2.97/debian/changelog 2012-07-27 21:42:01.000000000 -0400
@@ -1,3 +1,18 @@
+rhythmbox (2.97-2.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Urgency high for security fix
+ * fix insecure directory for python module import in context plugin
+ (Closes: #616673)
+ - debian/patches/CVE-2012-3355.patch: update context plugin to use
+ tempfile.mkdtemp() instead of /tmp/context. Patch thanks to Andreas
+ Henriksson (used theUbuntu security fix instead of the upstream commit
+ because the upstream commit was a mix of functional changes and a
+ security fix))
+ - CVE-2012-3355
+
+ -- Scott Kitterman <scott@kitterman.com> Fri, 27 Jul 2012 16:41:52 -0400
+
rhythmbox (2.97-2) unstable; urgency=low
[ Jon Dowland ]
diff -Nru rhythmbox-2.97/debian/patches/CVE-2012-3355.patch rhythmbox-2.97/debian/patches/CVE-2012-3355.patch
--- rhythmbox-2.97/debian/patches/CVE-2012-3355.patch 1969-12-31 19:00:00.000000000 -0500
+++ rhythmbox-2.97/debian/patches/CVE-2012-3355.patch 2012-07-27 16:40:00.000000000 -0400
@@ -0,0 +1,100 @@
+Origin: http://bugzilla-attachments.gnome.org/attachment.cgi?id=218103
+Author: Andreas Henriksson <andreas@fatal.se>
+Description: use mkdtemp to securely create temp dir
+Bug: https://bugzilla.gnome.org/process_bug.cgi
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=616673
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=835076
+
+Index: rhythmbox-2.96/plugins/context/AlbumTab.py
+===================================================================
+--- rhythmbox-2.96.orig/plugins/context/AlbumTab.py 2012-03-10 04:22:26.000000000 -0600
++++ rhythmbox-2.96/plugins/context/AlbumTab.py 2012-07-09 10:53:07.000000000 -0500
+@@ -126,9 +126,9 @@
+ self.path = rb.find_plugin_file (self.plugin, 'tmpl/album-tmpl.html')
+ self.loading_path = rb.find_plugin_file (self.plugin, 'tmpl/loading.html')
+ self.album_template = Template (filename = self.path,
+- module_directory = '/tmp/context')
++ module_directory = self.plugin.tempdir)
+ self.loading_template = Template (filename = self.loading_path,
+- module_directory = '/tmp/context')
++ module_directory = self.plugin.tempdir)
+ self.styles = self.basepath + '/tmpl/main.css'
+
+ def album_list_ready (self, ds):
+Index: rhythmbox-2.96/plugins/context/ArtistTab.py
+===================================================================
+--- rhythmbox-2.96.orig/plugins/context/ArtistTab.py 2012-03-10 04:22:26.000000000 -0600
++++ rhythmbox-2.96/plugins/context/ArtistTab.py 2012-07-09 10:53:07.000000000 -0500
+@@ -123,8 +123,8 @@
+ def load_tmpl (self):
+ self.path = rb.find_plugin_file(self.plugin, 'tmpl/artist-tmpl.html')
+ self.loading_path = rb.find_plugin_file (self.plugin, 'tmpl/loading.html')
+- self.template = Template (filename = self.path, module_directory = '/tmp/context/')
+- self.loading_template = Template (filename = self.loading_path, module_directory = '/tmp/context')
++ self.template = Template (filename = self.path, module_directory = self.plugin.tempdir)
++ self.loading_template = Template (filename = self.loading_path, module_directory = self.plugin.tempdir)
+ self.styles = self.basepath + '/tmpl/main.css'
+
+ def connect_signals (self):
+Index: rhythmbox-2.96/plugins/context/context.py
+===================================================================
+--- rhythmbox-2.96.orig/plugins/context/context.py 2012-02-12 00:13:11.000000000 -0600
++++ rhythmbox-2.96/plugins/context/context.py 2012-07-09 10:53:07.000000000 -0500
+@@ -26,6 +26,10 @@
+
+ # vim:shiftwidth=4:softtabstop=4:expandtab
+
++from tempfile import mkdtemp
++from os.path import isdir
++from shutil import rmtree
++
+ import ContextView as cv
+
+ from gi.repository import GObject, Peas
+@@ -34,13 +38,17 @@
+ class ContextPlugin(GObject.Object, Peas.Activatable):
+ __gtype_name__ = 'ContextPlugin'
+ object = GObject.property(type=GObject.Object)
++ tempdir = None
+
+ def __init__ (self):
+ GObject.Object.__init__ (self)
+
+ def do_activate (self):
++ self.tempdir = mkdtemp(prefix = 'rb-context')
+ self.context_view = cv.ContextView (self.object, self)
+
+ def do_deactivate(self):
+ self.context_view.deactivate(self.object)
+ del self.context_view
++ if (isdir(self.tempdir)):
++ rmtree(self.tempdir)
+Index: rhythmbox-2.96/plugins/context/LinksTab.py
+===================================================================
+--- rhythmbox-2.96.orig/plugins/context/LinksTab.py 2012-03-10 04:22:26.000000000 -0600
++++ rhythmbox-2.96/plugins/context/LinksTab.py 2012-07-09 10:53:07.000000000 -0500
+@@ -107,7 +107,7 @@
+ self.images = self.basepath + '/img/links/'
+ self.styles = self.basepath + '/tmpl/main.css'
+ self.template = Template (filename = self.path,
+- module_directory = '/tmp/context/')
++ module_directory = self.plugin.tempdir)
+
+ self.file = self.template.render (error = ds.get_error (),
+ artist = ds.get_artist(),
+Index: rhythmbox-2.96/plugins/context/LyricsTab.py
+===================================================================
+--- rhythmbox-2.96.orig/plugins/context/LyricsTab.py 2012-03-10 04:22:26.000000000 -0600
++++ rhythmbox-2.96/plugins/context/LyricsTab.py 2012-07-09 10:53:07.000000000 -0500
+@@ -111,9 +111,9 @@
+ self.path = rb.find_plugin_file(self.plugin, 'tmpl/lyrics-tmpl.html')
+ self.loading_path = rb.find_plugin_file (self.plugin, 'tmpl/loading.html')
+ self.template = Template (filename = self.path,
+- module_directory = '/tmp/context/')
++ module_directory = self.plugin.tempdir)
+ self.loading_template = Template (filename = self.loading_path,
+- module_directory = '/tmp/context')
++ module_directory = self.plugin.tempdir)
+ self.styles = self.basepath + '/tmpl/main.css'
+
+ def lyrics_ready (self, ds, entry, lyrics):
diff -Nru rhythmbox-2.97/debian/patches/series rhythmbox-2.97/debian/patches/series
--- rhythmbox-2.97/debian/patches/series 2012-06-19 17:21:03.000000000 -0400
+++ rhythmbox-2.97/debian/patches/series 2012-07-27 16:40:37.000000000 -0400
@@ -1 +1,2 @@
rb-mb5.patch
+CVE-2012-3355.patch