
Bug#683044: marked as done (unblock: rhythmbox/2.97-2.1)



Your message dated Sat, 28 Jul 2012 10:09:51 +0100
with message-id <1343466591.18013.45.camel@jacala.jungle.funky-badger.org>
and subject line Re: Bug#683044: unblock: rhythmbox/2.97-2.1
has caused the Debian Bug report #683044,
regarding unblock: rhythmbox/2.97-2.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
683044: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683044
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package rhythmbox

Fixes RC/security bug #616673.

unblock rhythmbox/2.97-2.1
diff -Nru rhythmbox-2.97/debian/changelog rhythmbox-2.97/debian/changelog
--- rhythmbox-2.97/debian/changelog	2012-06-20 01:38:10.000000000 -0400
+++ rhythmbox-2.97/debian/changelog	2012-07-27 21:42:01.000000000 -0400
@@ -1,3 +1,18 @@
+rhythmbox (2.97-2.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Urgency high for security fix
+  * fix insecure directory for python module import in context plugin
+    (Closes: #616673)
+    - debian/patches/CVE-2012-3355.patch: update context plugin to use
+      tempfile.mkdtemp() instead of /tmp/context. Patch thanks to Andreas
+      Henriksson (used theUbuntu security fix instead of the upstream commit
+      because the upstream commit was a mix of functional changes and a
+      security fix))
+    - CVE-2012-3355
+
+ -- Scott Kitterman <scott@kitterman.com>  Fri, 27 Jul 2012 16:41:52 -0400
+
 rhythmbox (2.97-2) unstable; urgency=low
 
   [ Jon Dowland ]
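Review bot: the changelog text at `(used theUbuntu security fix instead of the upstream commit ... security fix))` is missing a space in "the Ubuntu" and closes with an unbalanced second parenthesis; suggest `(used the Ubuntu security fix instead of the upstream commit because the upstream commit was a mix of functional changes and a security fix)` so the entry reads cleanly in the shipped changelog.Debian.gz. The `* Urgency high for security fix` bullet also lacks the trailing period the neighbouring bullets use.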
diff -Nru rhythmbox-2.97/debian/patches/CVE-2012-3355.patch rhythmbox-2.97/debian/patches/CVE-2012-3355.patch
--- rhythmbox-2.97/debian/patches/CVE-2012-3355.patch	1969-12-31 19:00:00.000000000 -0500
+++ rhythmbox-2.97/debian/patches/CVE-2012-3355.patch	2012-07-27 16:40:00.000000000 -0400
@@ -0,0 +1,100 @@
+Origin: http://bugzilla-attachments.gnome.org/attachment.cgi?id=218103
+Author: Andreas Henriksson <andreas@fatal.se>
+Description: use mkdtemp to securely create temp dir
+Bug: https://bugzilla.gnome.org/process_bug.cgi
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=616673
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=835076
+
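Review bot: the DEP-3 `Bug:` field points at `https://bugzilla.gnome.org/process_bug.cgi`, which is Bugzilla's form-submission endpoint rather than a bug report, so the header does not actually identify the upstream bug; replace it with the `show_bug.cgi` URL of the upstream report that the `Origin:` attachment (id=218103) was filed against, or drop the field and rely on `Bug-Debian:` and `Bug-RedHat:`, which do name concrete reports.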
+Index: rhythmbox-2.96/plugins/context/AlbumTab.py
+===================================================================
+--- rhythmbox-2.96.orig/plugins/context/AlbumTab.py	2012-03-10 04:22:26.000000000 -0600
++++ rhythmbox-2.96/plugins/context/AlbumTab.py	2012-07-09 10:53:07.000000000 -0500
+@@ -126,9 +126,9 @@
+         self.path = rb.find_plugin_file (self.plugin, 'tmpl/album-tmpl.html')
+         self.loading_path = rb.find_plugin_file (self.plugin, 'tmpl/loading.html')
+         self.album_template = Template (filename = self.path,
+-                                        module_directory = '/tmp/context')
++                                        module_directory = self.plugin.tempdir)
+         self.loading_template = Template (filename = self.loading_path, 
+-                                          module_directory = '/tmp/context')
++                                          module_directory = self.plugin.tempdir)
+         self.styles = self.basepath + '/tmpl/main.css'
+ 
+     def album_list_ready (self, ds):
+Index: rhythmbox-2.96/plugins/context/ArtistTab.py
+===================================================================
+--- rhythmbox-2.96.orig/plugins/context/ArtistTab.py	2012-03-10 04:22:26.000000000 -0600
++++ rhythmbox-2.96/plugins/context/ArtistTab.py	2012-07-09 10:53:07.000000000 -0500
+@@ -123,8 +123,8 @@
+     def load_tmpl (self):
+         self.path = rb.find_plugin_file(self.plugin, 'tmpl/artist-tmpl.html')
+         self.loading_path = rb.find_plugin_file (self.plugin, 'tmpl/loading.html')
+-        self.template = Template (filename = self.path, module_directory = '/tmp/context/')
+-        self.loading_template = Template (filename = self.loading_path, module_directory = '/tmp/context')
++        self.template = Template (filename = self.path, module_directory = self.plugin.tempdir)
++        self.loading_template = Template (filename = self.loading_path, module_directory = self.plugin.tempdir)
+         self.styles = self.basepath + '/tmpl/main.css'
+ 
+     def connect_signals (self):
+Index: rhythmbox-2.96/plugins/context/context.py
+===================================================================
+--- rhythmbox-2.96.orig/plugins/context/context.py	2012-02-12 00:13:11.000000000 -0600
++++ rhythmbox-2.96/plugins/context/context.py	2012-07-09 10:53:07.000000000 -0500
+@@ -26,6 +26,10 @@
+ 
+ # vim:shiftwidth=4:softtabstop=4:expandtab
+ 
++from tempfile import mkdtemp
++from os.path import isdir
++from shutil import rmtree
++
+ import ContextView as cv
+ 
+ from gi.repository import GObject, Peas
+@@ -34,13 +38,17 @@
+ class ContextPlugin(GObject.Object, Peas.Activatable):
+     __gtype_name__ = 'ContextPlugin'
+     object = GObject.property(type=GObject.Object)
++    tempdir = None
+ 
+     def __init__ (self):
+         GObject.Object.__init__ (self)
+ 
+     def do_activate (self):
++        self.tempdir = mkdtemp(prefix = 'rb-context')
+         self.context_view = cv.ContextView (self.object, self)
+ 
+     def do_deactivate(self):
+         self.context_view.deactivate(self.object)
+         del self.context_view
++        if (isdir(self.tempdir)):
++            rmtree(self.tempdir)
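Review bot: `do_deactivate` dereferences `self.tempdir` unconditionally, but it is initialised to `None` at class level and only set in `do_activate`; if `mkdtemp` raised there (unwritable TMPDIR, full filesystem) `isdir(None)` would raise a TypeError during deactivation, so guard with `if self.tempdir and isdir(self.tempdir):` and drop the unidiomatic parentheses around the condition. The ordering is otherwise right for the fix: `mkdtemp` creates a fresh directory readable, writable and searchable only by the creating user before `ContextView` is constructed, so every tab's `module_directory` points at a per-user path instead of the shared, predictable `/tmp/context` where Mako writes and imports compiled template modules, which is what the CVE is about. Two minor points: the directory is only removed on a clean deactivate, so a crash leaves an `rb-context*` directory behind in /tmp (harmless for the vulnerability, but worth a comment), and `prefix = 'rb-context'` could take a trailing separator so the generated names read `rb-context-XXXXXX` rather than running the suffix straight on.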
+Index: rhythmbox-2.96/plugins/context/LinksTab.py
+===================================================================
+--- rhythmbox-2.96.orig/plugins/context/LinksTab.py	2012-03-10 04:22:26.000000000 -0600
++++ rhythmbox-2.96/plugins/context/LinksTab.py	2012-07-09 10:53:07.000000000 -0500
+@@ -107,7 +107,7 @@
+         self.images = self.basepath + '/img/links/'
+         self.styles = self.basepath + '/tmpl/main.css'
+         self.template = Template (filename = self.path, 
+-                                  module_directory = '/tmp/context/')
++                                  module_directory = self.plugin.tempdir)
+ 
+         self.file = self.template.render (error      = ds.get_error (),
+                                           artist     = ds.get_artist(),
+Index: rhythmbox-2.96/plugins/context/LyricsTab.py
+===================================================================
+--- rhythmbox-2.96.orig/plugins/context/LyricsTab.py	2012-03-10 04:22:26.000000000 -0600
++++ rhythmbox-2.96/plugins/context/LyricsTab.py	2012-07-09 10:53:07.000000000 -0500
+@@ -111,9 +111,9 @@
+         self.path = rb.find_plugin_file(self.plugin, 'tmpl/lyrics-tmpl.html')
+         self.loading_path = rb.find_plugin_file (self.plugin, 'tmpl/loading.html')
+         self.template = Template (filename = self.path, 
+-                                  module_directory = '/tmp/context/')
++                                  module_directory = self.plugin.tempdir)
+         self.loading_template = Template (filename = self.loading_path, 
+-                                          module_directory = '/tmp/context')
++                                          module_directory = self.plugin.tempdir)
+         self.styles = self.basepath + '/tmpl/main.css'
+ 
+     def lyrics_ready (self, ds, entry, lyrics):
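Review bot: the four tab files change nothing but the `module_directory` argument, which is the right scope for a security NMU, and they also settle the old inconsistency between `'/tmp/context/'` and `'/tmp/context'`; since each tab now reads `self.plugin.tempdir` at template-construction time, the fix depends on `ContextPlugin.do_activate` having populated it first, so a one-line comment at `tempdir = None` in context.py stating that invariant would help the next maintainer. The `Index:` and `---`/`+++` lines name `rhythmbox-2.96` while this package is 2.97; quilt's default `-p1` strip makes that irrelevant, but refreshing the patch against the 2.97 tree would keep `quilt push` output clean.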
diff -Nru rhythmbox-2.97/debian/patches/series rhythmbox-2.97/debian/patches/series
--- rhythmbox-2.97/debian/patches/series	2012-06-19 17:21:03.000000000 -0400
+++ rhythmbox-2.97/debian/patches/series	2012-07-27 16:40:37.000000000 -0400
@@ -1 +1,2 @@
 rb-mb5.patch
+CVE-2012-3355.patch

--- End Message ---
--- Begin Message ---
On Fri, 2012-07-27 at 21:58 -0400, Scott Kitterman wrote:
> Please unblock package rhythmbox
> 
> Fixes RC/security bug #616673.

Unblocked; thanks.

Regards,

Adam

--- End Message ---
