Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package rhythmbox. Fixes RC/security bug #616673. unblock rhythmbox/2.97-2.1
diff -Nru rhythmbox-2.97/debian/changelog rhythmbox-2.97/debian/changelog
--- rhythmbox-2.97/debian/changelog 2012-06-20 01:38:10.000000000 -0400
+++ rhythmbox-2.97/debian/changelog 2012-07-27 21:42:01.000000000 -0400
@@ -1,3 +1,18 @@
+rhythmbox (2.97-2.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Urgency high for security fix
+ * fix insecure directory for python module import in context plugin
+ (Closes: #616673)
+ - debian/patches/CVE-2012-3355.patch: update context plugin to use
+ tempfile.mkdtemp() instead of /tmp/context. Patch thanks to Andreas
+ Henriksson (used theUbuntu security fix instead of the upstream commit
+ because the upstream commit was a mix of functional changes and a
+ security fix))
+ - CVE-2012-3355
+
+ -- Scott Kitterman <sc...@kitterman.com> Fri, 27 Jul 2012 16:41:52 -0400
+
 rhythmbox (2.97-2) unstable; urgency=low
 
 [ Jon Dowland ]
diff -Nru rhythmbox-2.97/debian/patches/CVE-2012-3355.patch rhythmbox-2.97/debian/patches/CVE-2012-3355.patch
--- rhythmbox-2.97/debian/patches/CVE-2012-3355.patch 1969-12-31 19:00:00.000000000 -0500
+++ rhythmbox-2.97/debian/patches/CVE-2012-3355.patch 2012-07-27 16:40:00.000000000 -0400
@@ -0,0 +1,100 @@
+Origin: http://bugzilla-attachments.gnome.org/attachment.cgi?id=218103
+Author: Andreas Henriksson <andr...@fatal.se>
+Description: use mkdtemp to securely create temp dir
+Bug: https://bugzilla.gnome.org/process_bug.cgi
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=616673
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=835076
+
+Index: rhythmbox-2.96/plugins/context/AlbumTab.py
+===================================================================
+--- rhythmbox-2.96.orig/plugins/context/AlbumTab.py 2012-03-10 04:22:26.000000000 -0600
++++ rhythmbox-2.96/plugins/context/AlbumTab.py 2012-07-09 10:53:07.000000000 -0500
+@@ -126,9 +126,9 @@
+ self.path = rb.find_plugin_file (self.plugin, 'tmpl/album-tmpl.html')
+ self.loading_path = rb.find_plugin_file (self.plugin, 'tmpl/loading.html')
+ self.album_template = Template (filename = self.path,
+- module_directory = '/tmp/context')
++ module_directory = self.plugin.tempdir)
+ self.loading_template = Template (filename = self.loading_path,
+- module_directory = '/tmp/context')
++ module_directory = self.plugin.tempdir)
+ self.styles = self.basepath + '/tmpl/main.css'
+
+ def album_list_ready (self, ds):
+Index: rhythmbox-2.96/plugins/context/ArtistTab.py
+===================================================================
+--- rhythmbox-2.96.orig/plugins/context/ArtistTab.py 2012-03-10 04:22:26.000000000 -0600
++++ rhythmbox-2.96/plugins/context/ArtistTab.py 2012-07-09 10:53:07.000000000 -0500
+@@ -123,8 +123,8 @@
+ def load_tmpl (self):
+ self.path = rb.find_plugin_file(self.plugin, 'tmpl/artist-tmpl.html')
+ self.loading_path = rb.find_plugin_file (self.plugin, 'tmpl/loading.html')
+- self.template = Template (filename = self.path, module_directory = '/tmp/context/')
+- self.loading_template = Template (filename = self.loading_path, module_directory = '/tmp/context')
++ self.template = Template (filename = self.path, module_directory = self.plugin.tempdir)
++ self.loading_template = Template (filename = self.loading_path, module_directory = self.plugin.tempdir)
+ self.styles = self.basepath + '/tmpl/main.css'
+
+ def connect_signals (self):
+Index: rhythmbox-2.96/plugins/context/context.py
+===================================================================
+--- rhythmbox-2.96.orig/plugins/context/context.py 2012-02-12 00:13:11.000000000 -0600
++++ rhythmbox-2.96/plugins/context/context.py 2012-07-09 10:53:07.000000000 -0500
+@@ -26,6 +26,10 @@
+
+ # vim:shiftwidth=4:softtabstop=4:expandtab
+
++from tempfile import mkdtemp
++from os.path import isdir
++from shutil import rmtree
++
+ import ContextView as cv
+
+ from gi.repository import GObject, Peas
+@@ -34,13 +38,17 @@
+ class ContextPlugin(GObject.Object, Peas.Activatable):
+ __gtype_name__ = 'ContextPlugin'
+ object = GObject.property(type=GObject.Object)
++ tempdir = None
+
+ def __init__ (self):
+ GObject.Object.__init__ (self)
+
+ def do_activate (self):
++ self.tempdir = mkdtemp(prefix = 'rb-context')
+ self.context_view = cv.ContextView (self.object, self)
+
+ def do_deactivate(self):
+ self.context_view.deactivate(self.object)
+ del self.context_view
++ if (isdir(self.tempdir)):
++ rmtree(self.tempdir)
+Index: rhythmbox-2.96/plugins/context/LinksTab.py
+===================================================================
+--- rhythmbox-2.96.orig/plugins/context/LinksTab.py 2012-03-10 04:22:26.000000000 -0600
++++ rhythmbox-2.96/plugins/context/LinksTab.py 2012-07-09 10:53:07.000000000 -0500
+@@ -107,7 +107,7 @@
+ self.images = self.basepath + '/img/links/'
+ self.styles = self.basepath + '/tmpl/main.css'
+ self.template = Template (filename = self.path,
+- module_directory = '/tmp/context/')
++ module_directory = self.plugin.tempdir)
+
+ self.file = self.template.render (error = ds.get_error (),
+ artist = ds.get_artist(),
+Index: rhythmbox-2.96/plugins/context/LyricsTab.py
+===================================================================
+--- rhythmbox-2.96.orig/plugins/context/LyricsTab.py 2012-03-10 04:22:26.000000000 -0600
++++ rhythmbox-2.96/plugins/context/LyricsTab.py 2012-07-09 10:53:07.000000000 -0500
+@@ -111,9 +111,9 @@
+ self.path = rb.find_plugin_file(self.plugin, 'tmpl/lyrics-tmpl.html')
+ self.loading_path = rb.find_plugin_file (self.plugin, 'tmpl/loading.html')
+ self.template = Template (filename = self.path,
+- module_directory = '/tmp/context/')
++ module_directory = self.plugin.tempdir)
+ self.loading_template = Template (filename = self.loading_path,
+- module_directory = '/tmp/context')
++ module_directory = self.plugin.tempdir)
+ self.styles = self.basepath + '/tmpl/main.css'
+
+ def lyrics_ready (self, ds, entry, lyrics):
diff -Nru rhythmbox-2.97/debian/patches/series rhythmbox-2.97/debian/patches/series
--- rhythmbox-2.97/debian/patches/series 2012-06-19 17:21:03.000000000 -0400
+++ rhythmbox-2.97/debian/patches/series 2012-07-27 16:40:37.000000000 -0400
@@ -1 +1,2 @@
 rb-mb5.patch
+CVE-2012-3355.patch
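Review bot: The new `tempdir` attribute in the context.py part of this patch carries no comment explaining why it replaces the fixed path, so a later maintainer could reintroduce a shared location; above `tempdir = None` I would add `# Private per-activation directory from mkdtemp (user-only permissions) for the template engine's compiled modules (module_directory); a fixed, predictable /tmp path let another local user pre-seed importable code (CVE-2012-3355).` The cleanup `if (isdir(self.tempdir)):` in `do_deactivate` would raise on the `None` default if deactivation ever ran without a prior `do_activate`, and the parentheses are redundant; `if self.tempdir and isdir(self.tempdir):` covers both, though the `self.context_view` access just above already presumes activation. If the process exits before `do_deactivate`, the `rb-context*` directory is left in the temp location — no security impact since it stays owned by the user with private permissions, but worth a one-line note next to `rmtree`. The prefix `'rb-context'` has no trailing separator, so the random suffix runs straight into the name; `prefix = 'rb-context-'` reads better in directory listings. The ContextPlugin class may continue past the end of the hunk.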