Your message dated Sat, 28 Jul 2012 02:47:32 +0000
with message-id <[email protected]>
and subject line Bug#616673: fixed in rhythmbox 2.97-2.1
has caused the Debian Bug report #616673,
regarding rhythmbox-plugins: CVE-2012-3355 Plugin "context" contains hardcoded path to /tmp/context/
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
616673: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=616673
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: rhythmbox-plugins
Version: 0.13.3-2
Severity: normal
The following files contain a hardcoded path to "/tmp/context/".
/usr/lib/rhythmbox/plugins/context/AlbumTab.py
/usr/lib/rhythmbox/plugins/context/ArtistTab.py
/usr/lib/rhythmbox/plugins/context/LinksTab.py
/usr/lib/rhythmbox/plugins/context/LyricsTab.py
This also makes it unclear if multi-user support is possible. Please
make the package obey at least $TMPDIR set by the libpam-tmpdir
package for example and/or make the directory dependent on the
username.
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (900, 'testing'), (100, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=nl_NL.utf8, LC_CTYPE=nl_NL.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages rhythmbox-plugins depends on:
ii libatk1.0-0 1.30.0-1 The ATK accessibility toolkit
ii libc6 2.11.2-13 Embedded GNU C Library: Shared lib
ii libcairo2 1.10.2-4 The Cairo 2D vector graphics libra
ii libdbus-1-3 1.4.6-1 simple interprocess messaging syst
ii libdbus-glib-1-2 0.88-2.1 simple interprocess messaging syst
ii libexpat1 2.0.1-7 XML parsing C library - runtime li
ii libfontconfig1 2.8.0-2.1 generic font configuration library
ii libfreetype6 2.4.4-1 FreeType 2 font engine, shared lib
ii libgconf2-4 2.28.1-6 GNOME configuration database syste
ii libglib2.0-0 2.28.1-1+b1 The GLib library of C routines
ii libgnome-media0 2.30.0-1 runtime libraries for the GNOME me
ii libgpod4 0.7.95-2 library to read and write songs an
ii libgstreamer-plugins-b 0.10.30-1 GStreamer libraries from the "base
ii libgstreamer0.10-0 0.10.30-1 Core GStreamer libraries and eleme
ii libgtk2.0-0 2.20.1-2 The GTK+ graphical user interface
ii libgudev-1.0-0 166-1 GObject-based wrapper library for
ii libice6 2:1.0.7-1 X11 Inter-Client Exchange library
ii libjson-glib-1.0-0 0.10.2-2 GLib JSON manipulation library
ii liblircclient0 0.8.3-5 infra-red remote control support -
ii libmtp8 1.0.6-1 Media Transfer Protocol (MTP) libr
ii libmusicbrainz4c2a 2.1.5-4 Second generation incarnation of t
ii libnotify1 [libnotify1 0.5.0-2 sends desktop notifications to a n
ii libpango1.0-0 1.28.3-1+squeeze1 Layout and rendering of internatio
ii libpython2.6 2.6.6-8+b1 Shared Python runtime library (ver
ii libsm6 2:1.2.0-1 X11 Session Management library
ii libsoup-gnome2.4-1 2.30.2-1 an HTTP library implementation in
ii libsoup2.4-1 2.30.2-1 an HTTP library implementation in
ii libtotem-plparser17 2.32.2-1 Totem Playlist Parser library - ru
ii libusb-0.1-4 2:0.1.12-17 userspace USB programming library
ii libwebkit-1.0-2 1.2.7-1 Web content engine library for Gtk
ii libxml2 2.7.8.dfsg-2 GNOME XML library
ii python 2.6.6-3+squeeze5 interactive high-level object-orie
ii python-gnomekeyring 2.30.0-4+b1 Python bindings for the GNOME keyr
ii python-mako 0.4.0-1 fast and lightweight templating fo
ii python-support 1.0.11 automated rebuilding support for P
ii python-webkit 1.1.8-1 WebKit/Gtk Python bindings
ii rhythmbox 0.13.3-2 music player and organizer for GNO
ii zeitgeist-core 0.7-1 event logging framework - engine
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
Versions of packages rhythmbox-plugins recommends:
ii nautilus-sendto 2.28.4-2+b1 integrates Evolution and Pidgin in
rhythmbox-plugins suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: rhythmbox
Source-Version: 2.97-2.1
We believe that the bug you reported is fixed in the latest version of
rhythmbox, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Scott Kitterman <[email protected]> (supplier of updated rhythmbox package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Fri, 27 Jul 2012 16:41:52 -0400
Source: rhythmbox
Binary: rhythmbox rhythmbox-data rhythmbox-dbg rhythmbox-plugins rhythmbox-plugin-cdrecorder librhythmbox-core6 rhythmbox-dev rhythmbox-doc gir1.2-rb-3.0
Architecture: source all i386
Version: 2.97-2.1
Distribution: unstable
Urgency: high
Maintainer: Debian GNOME Maintainers <[email protected]>
Changed-By: Scott Kitterman <[email protected]>
Description:
gir1.2-rb-3.0 - GObject introspection data for the rhythmbox music player
librhythmbox-core6 - support library for the rhythmbox music player
rhythmbox - music player and organizer for GNOME
rhythmbox-data - data files for rhythmbox
rhythmbox-dbg - debugging symbols for rhythmbox
rhythmbox-dev - development files for the rhythmbox music player
rhythmbox-doc - documentation files for the rhythmbox music player
rhythmbox-plugin-cdrecorder - burning plugin for rhythmbox music player
rhythmbox-plugins - plugins for rhythmbox music player
Closes: 616673
Changes:
rhythmbox (2.97-2.1) unstable; urgency=high
.
* Non-maintainer upload.
* Urgency high for security fix
* fix insecure directory for python module import in context plugin
(Closes: #616673)
- debian/patches/CVE-2012-3355.patch: update context plugin to use
tempfile.mkdtemp() instead of /tmp/context. Patch thanks to Andreas
Henriksson (used the Ubuntu security fix instead of the upstream commit
because the upstream commit was a mix of functional changes and a
security fix)
- CVE-2012-3355
--- End Message ---
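The changelog above describes the fix in one line: replace the fixed, shared /tmp/context directory with one created by tempfile.mkdtemp(). The following is an added example, not the Debian patch or rhythmbox's own plugin code, showing why that matters for a directory the plugin later imports Python modules from: mkdtemp() creates a fresh 0700 directory under $TMPDIR (so a per-user tmp such as libpam-tmpdir's is honoured), and a defensive ownership/permission check refuses any directory that another local user could have created or can write to. The function and constant names are assumptions made for this illustration.

```python
import os
import stat
import sys
import tempfile

# Fixed, shared location the original plugin used. Every user on the host
# resolves the same path, so whoever creates it first controls its contents.
INSECURE_CACHE_DIR = "/tmp/context"  # illustrative constant, not the fix


def private_cache_dir(prefix="rb-context-"):
    """Create a fresh, private (mode 0700) directory the way the fix does.
    tempfile.mkdtemp() honours $TMPDIR and never reuses an existing path."""
    return tempfile.mkdtemp(prefix=prefix)


def is_safe_to_import_from(path):
    """Check a directory before it is added to sys.path: it must exist, not
    be a symlink, be owned by the current user, and not be writable by
    group or others. Returns (ok, reason) so the caller can log the reason."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False, "missing"
    if stat.S_ISLNK(st.st_mode):
        return False, "symlink"
    if not stat.S_ISDIR(st.st_mode):
        return False, "not a directory"
    if st.st_uid != os.getuid():
        return False, "owned by another user"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "group/world writable"
    return True, "ok"


def add_import_dir(path):
    """Only put a directory on sys.path after it passed the check above."""
    ok, reason = is_safe_to_import_from(path)
    if not ok:
        raise RuntimeError(f"refusing to import from {path}: {reason}")
    if path not in sys.path:
        sys.path.insert(0, path)
    return path


def demo():
    """Constructed walk-through: a private mkdtemp() directory passes, the
    same directory made world-writable is rejected. Cleans up after itself."""
    d = private_cache_dir()
    good = is_safe_to_import_from(d)
    os.chmod(d, 0o777)  # simulate the shared-directory situation
    bad = is_safe_to_import_from(d)
    os.rmdir(d)
    return good, bad
```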