BTW, the CVE is misleading: there are ruby script fixes needed as well as the unzip bug. Attached is a patch for the ruby fixes, which appear to be in upstream 1.4.5 already.
-- Kees Cook @outflux.net
diff -Nur amarok-1.4.3/amarok/src/scripts/databasescripts/backupDatabase.rb amarok-1.4.3.new/amarok/src/scripts/databasescripts/backupDatabase.rb
--- amarok-1.4.3/amarok/src/scripts/databasescripts/backupDatabase.rb 2006-09-04 19:42:40.000000000 -0700
+++ amarok-1.4.3.new/amarok/src/scripts/databasescripts/backupDatabase.rb 2007-02-13 13:39:04.198770848 -0800
@@ -37,14 +37,12 @@
 destination = $*[0] + "/"
 unless FileTest.directory?( destination )
- error = "Error: Save destination must be a directory"
- `dcop amarok playlist popupMessage '#{error}'`
+ system("dcop", "amarok", "playlist", "popupMessage", "Error: Save destination must be a directory")
 exit( 1 )
 end
 unless FileTest.writable_real?( destination )
- error = "Error: Destination directory not writable."
- `dcop amarok playlist popupMessage '#{error}'`
+ system("dcop", "amarok", "playlist", "popupMessage", "Error: Destination directory not writeable.")
 exit( 1 )
 end
@@ -68,14 +66,11 @@
 db = `dcop amarok script readConfig MySqlDbName`.chomp!()
 user = `dcop amarok script readConfig MySqlUser`.chomp!()
 pass = `dcop amarok script readConfig MySqlPassword`.chomp!()
- `mysqldump -u #{user} -p#{pass} #{db} > #{dest}`
+ system("mysqldump", "-u", user, "-p", pass, db, "-r", dest);
 when "2" # postgres
- error = "Sorry, postgresql database backups have not been implemented"
- `dcop amarok playlist popupMessage #{error}`
+ system("dcop", "amarok", "playlist", "popupMessage", "Sorry, postgresql database backups have not been implemented.")
 exit( 1 )
 end
-message = "Database backup saved to: #{destination}/#(unknown)"
-`dcop amarok playlist popupMessage '#{message}'`
-
+system("dcop", "amarok", "playlist", "popupMessage", "Database backup saved to: #{destination}/#(unknown)")
diff -Nur amarok-1.4.3/amarok/src/scripts/databasescripts/databaseScripts.rb amarok-1.4.3.new/amarok/src/scripts/databasescripts/databaseScripts.rb
--- amarok-1.4.3/amarok/src/scripts/databasescripts/databaseScripts.rb 2006-09-04 19:42:40.000000000 -0700
+++ amarok-1.4.3.new/amarok/src/scripts/databasescripts/databaseScripts.rb 2007-02-13 13:39:04.198770848 -0800
@@ -16,7 +16,7 @@
 require 'Korundum'
 rescue LoadError
 error = 'Korundum (KDE bindings for ruby) from kdebindings v3.4 is required for this script.'
- `dcop amarok playlist popupMessage "DatabaseScripts: #{error}"`
+ system("dcop", "amarok", "playlist", "popupMessage", "DatabaseScripts: #{error}")
 exit
 end
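Review bot: The new mysqldump argv in the mysql branch of backupDatabase.rb separates the password from its flag, which mysqldump does not accept: a bare `-p` prompts interactively and the following word (`pass`) is then taken as the database name, so the dump fails or hangs with no tty instead of writing `dest`. Keep the value attached and drop the stray trailing `;`: `system("mysqldump", "-u", user, "-p#{pass}", db, "-r", dest)`. Passing the password in argv also shows it to every local user via `ps` for the duration of the dump; exporting it as `MYSQL_PWD` for the child process, or pointing mysqldump at a `--defaults-extra-file`, keeps it out of the process list. The enclosing `case` on the database type starts outside the hunk.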
@@ -103,7 +103,7 @@
 filename = File.dirname( File.expand_path( __FILE__ ) ) + "/staleStatistics.rb"
 end
- `ruby "#(unknown)" "#{arg}"`
+ system("ruby", filename, arg)
 done( 0 )
 end
diff -Nur amarok-1.4.3/amarok/src/scripts/databasescripts/redoPodcasts.rb amarok-1.4.3.new/amarok/src/scripts/databasescripts/redoPodcasts.rb
--- amarok-1.4.3/amarok/src/scripts/databasescripts/redoPodcasts.rb 2006-09-04 19:42:40.000000000 -0700
+++ amarok-1.4.3.new/amarok/src/scripts/databasescripts/redoPodcasts.rb 2007-02-13 13:39:04.198770848 -0800
@@ -12,6 +12,6 @@
 podcasts.each do |channel|
 print "Adding podcast: #{channel}\n"
- `dcop amarok playlistbrowser addPodcast #{channel}`
+ system("dcop", "amarok", "playlistbrowser", "addPodcast", channel)
 end
 print "Done.\n"
diff -Nur amarok-1.4.3/amarok/src/scripts/databasescripts/staleAlbums.rb amarok-1.4.3.new/amarok/src/scripts/databasescripts/staleAlbums.rb
--- amarok-1.4.3/amarok/src/scripts/databasescripts/staleAlbums.rb 2006-09-04 19:42:40.000000000 -0700
+++ amarok-1.4.3.new/amarok/src/scripts/databasescripts/staleAlbums.rb 2007-02-13 13:39:04.202771047 -0800
@@ -5,30 +5,36 @@
 # (c) 2006 Roland Gigler <[EMAIL PROTECTED]>
 # License: GNU General Public License V2
-`dcop amarok playlist shortStatusMessage "Removing stale 'album' entries from the database"`
+class String
+ def shellquote
+ return "'" + self.gsub("'", "'\\\\''") + "'"
+ end
+end
+
+system("dcop", "amarok", "playlist", "shortStatusMessage", "Removing stale 'album' entries from the database")
-qresult = `dcop amarok collection query "SELECT id FROM album;"`
+qresult = `dcop amarok collection query #{"SELECT id FROM album;".shellquote}`
 result = qresult.split( "\n" )
 i = 0
 result.each do |id|
 print "Checking: #{id}, "
- qresult2 = `dcop amarok collection query "SELECT COUNT(*) FROM tags where album = #{id};"`
+ qresult2 = `dcop amarok collection query #{"SELECT COUNT(*) FROM tags where album = #{id};".shellquote}`
 count = qresult2.chomp()
 printf "count: %s", count
 if count == "0"
 i = i + 1
- qresult3 = `dcop amarok collection query "SELECT name FROM album where id = #{id} ;"`
+ qresult3 = `dcop amarok collection query #{"SELECT name FROM album where id = #{id} ;".shellquote}`
 result3 = qresult3.split( "\n" )
 puts "==>: Deleting: #{id}, #{result3}"
- `dcop amarok collection query "DELETE FROM album WHERE id = '#{id}'"`
+ system("dcop", "amarok", "collection", "query", "DELETE FROM album WHERE id = '#{id}'")
 end
 print "\n"
 end
 puts "removed #{i} albums."
 if i > 0
- `dcop amarok playlist popupMessage "Removed #{i} stale 'album' entries from the database"`
+ system("dcop", "amarok", "playlist", "popupMessage", "Removed #{i.shellquote} stale 'album' entries from the database")
 end
diff -Nur amarok-1.4.3/amarok/src/scripts/databasescripts/staleArtists.rb amarok-1.4.3.new/amarok/src/scripts/databasescripts/staleArtists.rb
--- amarok-1.4.3/amarok/src/scripts/databasescripts/staleArtists.rb 2006-09-04 19:42:40.000000000 -0700
+++ amarok-1.4.3.new/amarok/src/scripts/databasescripts/staleArtists.rb 2007-02-13 13:39:04.202771047 -0800
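Review bot: `i.shellquote` in the final popupMessage call of staleAlbums.rb raises NoMethodError whenever `i > 0`, because `i` is an Integer (`i = 0`, `i = i + 1` above) and the patch defines `shellquote` on String only, so the script dies after deleting rows but before reporting. No quoting is needed there at all, since `system` with a separate argument list never involves a shell: `system("dcop", "amarok", "playlist", "popupMessage", "Removed #{i} stale 'album' entries from the database")`. The `id` values interpolated into the three SELECT/DELETE statements come straight from `dcop ... query` output lines; a cheap `next unless id =~ /\A\d+\z/` at the head of the `result.each` loop would keep a malformed line from reaching either the shell or the SQL.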
@@ -5,7 +5,7 @@
 # (c) 2006 Roland Gigler <[EMAIL PROTECTED]>
 # License: GNU General Public License V2
-`dcop amarok playlist shortStatusMessage "Removing stale 'artist' entries from the database"`
+system("dcop", "amarok", "playlist", "shortStatusMessage", "Removing stale 'artist' entries from the database")
 qresult = `dcop amarok collection query "SELECT id FROM artist;"`
 result = qresult.split( "\n" )
@@ -22,12 +22,12 @@
 qresult3 = `dcop amarok collection query "SELECT name FROM artist where id = #{id} ;"`
 result3 = qresult3.split( "\n" )
 puts "==>: Deleting: #{id}, #{result3}"
- `dcop amarok collection query "DELETE FROM artist WHERE id = '#{id}'"`
+ system("dcop", "amarok", "collection", "query", "DELETE FROM artist WHERE id = '#{id}'")
 end
 end
 puts "i: #{i}"
 if i > 0
- `dcop amarok playlist popupMessage "Removed #{i} stale 'artist' entries from the database"`
+ system("dcop", "amarok", "playlist", "popupMessage", "Removed #{i} stale 'artist' entries from the database")
 end
diff -Nur amarok-1.4.3/amarok/src/scripts/databasescripts/staleImages.rb amarok-1.4.3.new/amarok/src/scripts/databasescripts/staleImages.rb
--- amarok-1.4.3/amarok/src/scripts/databasescripts/staleImages.rb 2006-09-04 19:42:40.000000000 -0700
+++ amarok-1.4.3.new/amarok/src/scripts/databasescripts/staleImages.rb 2007-02-13 13:39:04.202771047 -0800
@@ -5,7 +5,7 @@
 # (c) 2006 Roland Gigler <[EMAIL PROTECTED]>
 # License: GNU General Public License V2
-`dcop amarok playlist shortStatusMessage "Removing stale 'images' entries from the database"`
+system("dcop", "amarok", "playlist", "shortStatusMessage", "Removing stale 'images' entries from the database")
 qresult = `dcop amarok collection query "SELECT path FROM images;"`
 result = qresult.split( "\n" )
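Review bot: In the second staleArtists.rb hunk only the DELETE and the status lines were moved to `system`; the context line `qresult3 = \`dcop amarok collection query "SELECT name FROM artist where id = #{id} ;"\`` (and presumably the COUNT query just above the hunk) still interpolates `id` into a `/bin/sh` command line inside double quotes. staleAlbums.rb in this same patch wraps those queries with `shellquote`, so the two scripts now handle the same value differently. Either apply the same wrapping here or add `next unless id =~ /\A\d+\z/` at the head of the `result.each` loop, which starts outside the hunk, so that a non-numeric line from the query output never reaches the shell.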
@@ -18,10 +18,10 @@
 i = i + 1
 url.gsub!(/[']/, '\\\\\'')
 puts "Deleting: #{url}"
- `dcop amarok collection query "DELETE FROM images WHERE path = '#{url}'"`
+ system("dcop", "amarok", "collection", "query", "DELETE FROM images WHERE path = '#{url}'")
 end
 end
 if i > 0
- `dcop amarok playlist popupMessage "Removed #{i} stale 'images' entries from the database"`
+ system("dcop", "amarok", "playlist", "popupMessage" "Removed #{i} stale 'images' entries from the database")
 end
diff -Nur amarok-1.4.3/amarok/src/scripts/databasescripts/staleStatistics.rb amarok-1.4.3.new/amarok/src/scripts/databasescripts/staleStatistics.rb
--- amarok-1.4.3/amarok/src/scripts/databasescripts/staleStatistics.rb 2006-09-04 19:42:40.000000000 -0700
+++ amarok-1.4.3.new/amarok/src/scripts/databasescripts/staleStatistics.rb 2007-02-13 13:39:04.202771047 -0800
@@ -4,7 +4,7 @@
 # (c) 2005 Seb Ruiz <[EMAIL PROTECTED]>
 # License: GNU General Public License V2
-`dcop amarok playlist shortStatusMessage "Removing stale entries from the database"`
+system("dcop", "amarok", "playlist", "shortStatusMessage", "Removing stale entries from the database")
 qresult = `dcop amarok collection query "SELECT url FROM statistics;"`
 result = qresult.split( "\n" )
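Review bot: The popupMessage call in the `if i > 0` block of staleImages.rb is missing the comma after `"popupMessage"`, so Ruby concatenates the two adjacent literals into a single argument `popupMessageRemoved N stale ...`, dcop is asked for a method that does not exist and the notice is silently lost (`system` just returns false). Fix: `system("dcop", "amarok", "playlist", "popupMessage", "Removed #{i} stale 'images' entries from the database")`. Separately, the context line `url.gsub!(/[']/, '\\\\\'')` was written for the old double-quoted shell command: it turns `'` into `\\'`, which the shell collapsed to `\'` before the SQL saw it, but with `system`'s argument list there is no shell step any more, so the DELETE now receives `\\'` (an escaped backslash followed by an unescaped quote, or two literal backslashes on a backend that does not treat backslash as an escape) and any path containing `'` terminates the literal early. The portable SQL escape is doubling the quote, `url.gsub!(/'/, "''")`; the staleStatistics.rb hunk below has the identical problem, and the `result.each` loop enclosing both starts outside the hunk.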
@@ -16,10 +16,10 @@
 i = i + 1
 url.gsub!(/[']/, '\\\\\'')
 puts "Deleting: #{url}"
- `dcop amarok collection query "DELETE FROM statistics WHERE url = '#{url}'"`
+ system("dcop", "amarok", "collection", "query", "DELETE FROM statistics WHERE url = '#{url}'")
 end
 end
 if i > 0
- `dcop amarok playlist popupMessage "Removed #{i} stale entries from the database"`
-end
\ No newline at end of file
+ system("dcop", "amarok", "playlist", "popupMessage", "Removed #{i} stale entries from the database")
+end
diff -Nur amarok-1.4.3/amarok/src/scripts/mp3fix/mp3fixer.rb amarok-1.4.3.new/amarok/src/scripts/mp3fix/mp3fixer.rb
--- amarok-1.4.3/amarok/src/scripts/mp3fix/mp3fixer.rb 2006-09-04 19:42:40.000000000 -0700
+++ amarok-1.4.3.new/amarok/src/scripts/mp3fix/mp3fixer.rb 2007-02-13 13:39:04.202771047 -0800
@@ -15,15 +15,20 @@
 def cleanup()
- `dcop amarok script removeCustomMenuItem #{MenuItemName}`
- `rm #{Dir.getwd()}/mp3fixer_playlist.m3u`
+ system("dcop", "amarok", "script", "removeCustomMenuItem", MenuItemName)
+ # use unlink ??!
+ system("rm", Dir.getwd() + "/mp3fixer_playlist.m3u")
 end
+class String
+ def shellquote
+ return "'" + self.gsub("'", "'\\\\''") + "'"
+ end
+end
 trap( "SIGTERM" ) { cleanup() }
-`dcop amarok script addCustomMenuItem #{MenuItemName}`
-
+system("dcop", "amarok", "script", "addCustomMenuItem", MenuItemName)
 loop do
 message = gets().chomp()
@@ -34,7 +39,7 @@
 msg = 'Mp3Fixer does not have configuration options. Simply select a track in the '
 msg += 'playlist, then start Mp3Fixer from the context-menu (right mouse click).'
- `dcop amarok playlist popupMessage "#{msg}"`
+ system("dcop", "amarok", "playlist", "popupMessage", msg)
 when "customMenuClicked"
 if message.include?( MenuItemName )
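Review bot: `cleanup` in mp3fixer.rb still spawns an external `rm` to remove the playlist file, and the added `# use unlink ??!` comment leaves that as an open question in the committed code instead of settling it; `File.delete` does the same job in-process with no PATH lookup or child process, e.g. `m3u = Dir.getwd() + "/mp3fixer_playlist.m3u"` followed by `File.delete(m3u) if File.exist?(m3u)`. Because `cleanup` is also the SIGTERM handler, the `File.exist?` guard matters: the file may never have been written, and the old `rm` only printed to stderr in that case rather than raising. The `class String … shellquote` block added here is a verbatim copy of the one added to staleAlbums.rb in this same patch; a single shared definition would keep the two from drifting apart if one is ever fixed.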
@@ -54,34 +59,34 @@
 mp3fix = File.dirname( File.expand_path( __FILE__ ) ) + "/mp3fix.rb"
- `dcop amarok playlist shortStatusMessage "Mp3Fixer is analyzing the file '#(unknown)'..."`
- output = `ruby #{mp3fix} "#{path}"`
+ system("dcop", "amarok", "playlist", "shortStatusMessage", "Mp3Fixer is analyzing the file '#(unknown)'...")
+ output = `env ruby #{mp3fix.shellquote} #{path.shellquote}`
 if $?.success?()
 reg = Regexp.new( "MP3FIX REPAIR SUMMARY:.*", Regexp::MULTILINE )
 report = reg.match( output ).to_s()
 report.gsub!( "\n", "<BR/>" )
- `dcop amarok playlist popupMessage "#{report}"`
+ system("dcop", "amarok", "playlist", "popupMessage", report)
 folders << File.dirname( path ) unless folders.include?( File.dirname( path ) )
 else
 reg = Regexp.new( "Error:.*", Regexp::MULTILINE )
 errormsg = reg.match( output )
- `dcop amarok playlist popupMessage "Mp3Fixer #{errormsg}"`
+ system("dcop", "amarok", "playlist", "popupMessage", "Mp3Fixer #{errormsg}")
 end
 end
 # Touch all folders of the modified files, so that the scanner picks then up
 folders.each do |folder|
- `touch #{folder}`
+ system("touch", folder)
 end
- `dcop amarok collection scanCollectionChanges`
+ system("dcop", "amarok", "collection", "scanCollectionChanges")
 # Refresh the playlist
- `dcop amarok playlist saveM3u #{Dir.getwd()}/mp3fixer_playlist.m3u false`
- `dcop amarok playlist clearPlaylist`
- `dcop amarok playlist addMedia #{Dir.getwd()}/mp3fixer_playlist.m3u`
+ system("dcop", "amarok", "playlist", "saveM3u", Dir.getwd() + "/mp3fixer_playlist.m3u", "false")
+ system("dcop", "amarok", "playlist", "clearPlaylist")
+ system("dcop", "amarok", "playlist", "addMedia", Dir.getwd() + "/mp3fixer_playlist.m3u")
 end
 end
 end
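Review bot: `output = \`env ruby #{mp3fix.shellquote} #{path.shellquote}\`` is the one child invocation left in this hunk that still goes through `/bin/sh`, so the safety of the whole mp3fix path now rests on the monkey-patched `String#shellquote` being right for every filename Amarok hands over. If the target Ruby supports the array form of `IO.popen` (1.9-era and later, as far as I recall), `output = IO.popen(["ruby", mp3fix, path]) { |io| io.read }` captures stdout with no shell and no quoting at all and still sets `$?` for the `success?` check that follows; on older interpreters the shellquote route is the only option and the comment should say so. `system("touch", folder)` can likewise be done in-process with `File.utime(Time.now, Time.now, folder)`, which removes a second process spawn per folder. The enclosing `loop do` / `case` starts outside the hunk.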