[arch] [security] Alert on amarok fixed
JJDaNiMoTh
jjdanimoth at gmail.com
Tue Apr 10 09:56:40 EDT 2007
------------------------------------------------------------
Arch Linux Security Warning ALSW 2007-#15
------------------------------------------------------------
Name: amarok-base
Date: 2007-03-14
Severity: Low
Warning #: 2007-#15
------------------------------------------------------------
Product Background
===================
Amarok is an advanced music player.
Problem Background
===================
The Magnatune component shipped with Amarok is vulnerable to the
injection of arbitrary shell code from a malicious Magnatune server.
Impact
==========
A compromised or malicious Magnatune server can remotely execute
arbitrary shell code with the rights of the user running Amarok on a
client that has previously registered for buying music.
Workaround
==========
Do not use the Magnatune component of Amarok.
Problem Packages
===================
Package: amarok-base
Repo: extra
Group: multimedia
Unsafe: <= 1.4.5-2
Safe: Only patched
Package Fix
===================
Upgrade to amarok 1.4.5-5
<http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-sound/amarok/files/amarok-1.4.5-magnatune.patch>
====================
Unofficial ArchLinux Security Bug Tracker:
http://jjdanimoth.netsons.org/alsw.html
Reference(s)
===================
http://secunia.com/advisories/24159
CVE-2006-6979