Package: amarok
Version: 1.4.9.1-2
Severity: normal
Tags: security

This was originally going to be a wishlist bug against the amarok package, suggesting that Amarok's "Magnatune Browser" download the 427 kB bzip2-compressed album list (from http://magnatune.com/info/album_info_xml.bz2) instead of the 11 MB uncompressed album list (from http://magnatune.com/info/album_info.xml).
I looked at the source code and found the following code (in amarok/src/magnatunebrowser/magnatunebrowser.cpp). I'm not familiar enough with Qt to be sure, but it looks to me like the code is creating a temporary file insecurely. At minimum, I think this code will break if another user has already created /tmp/album_info.xml (thus preventing the current user from deleting it).

--- START OF QUOTED CODE ---
void MagnatuneBrowser::listDownloadComplete( KIO::Job * downLoadJob )
{
    if ( downLoadJob != m_listDownloadJob )
        return ; //not the right job, so let's ignore it

    m_updateListButton->setEnabled( true );

    if ( !downLoadJob->error() == 0 )
    {
        //TODO: error handling here
        return ;
    }

    KIO::StoredTransferJob* const storedJob = static_cast<KIO::StoredTransferJob*>( downLoadJob );
    QString list = QString( storedJob->data() );

    QFile file( "/tmp/album_info.xml" );
    if ( file.exists() )
        file.remove();

    if ( file.open( IO_WriteOnly ) )
    {
        QTextStream stream( &file );
        stream << list;
        file.close();
    }

    MagnatuneXmlParser * parser = new MagnatuneXmlParser( "/tmp/album_info.xml" );
    connect( parser, SIGNAL( doneParsing() ), SLOT( doneParsing() ) );
    ThreadManager::instance() ->queueJob( parser );
}
--- END OF QUOTED CODE ---

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.25-2-686 (SMP w/1 CPU core)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages amarok depends on:
ii  amarok-common            1.4.9.1-2          architecture independent files for
ii  amarok-engine-xine       1.4.9.1-2          Xine engine for the Amarok audio p
ii  amarok-engine-yauap      1.4.9.1-2          Yauap engine for the Amarok audio
ii  kdelibs4c2a              4:3.5.9.dfsg.1-6   core libraries and binaries for al
ii  libc6                    2.7-12             GNU C Library: Shared libraries
ii  libgcc1                  1:4.3.1-7          GCC support library
ii  libgl1-mesa-glx [libgl1  7.0.3-5            A free implementation of the OpenG
ii  libglib2.0-0             2.16.4-2           The GLib library of C routines
ii  libgpod3                 0.6.0-6            library to read and write songs an
ii  libifp4                  1.0.0.2-3          communicate with iRiver iFP audio
ii  libkarma0                0.0.6-4            Rio Karma access library [runtime
ii  libmtp7                  0.2.6.1-3          Media Transfer Protocol (MTP) libr
ii  libmysqlclient15off      5.0.51a-11         MySQL database client library
ii  libnjb5                  2.2.5-4.2          Creative Labs Nomad Jukebox librar
ii  libpq5                   8.3.3-1            PostgreSQL C client library
ii  libqt3-mt                3:3.3.8b-5         Qt GUI Library (Threaded runtime v
ii  libruby1.8               1.8.7.22-3         Libraries necessary to run Ruby 1.
ii  libsdl1.2debian          1.2.13-2           Simple DirectMedia Layer
ii  libsqlite3-0             3.5.9-3            SQLite 3 shared library
ii  libstdc++6               4.3.1-7            The GNU Standard C++ Library v3
ii  libtag1c2a               1.5-3              TagLib Audio Meta-Data Library
ii  libtunepimp5             0.5.3-7            MusicBrainz tagging library
ii  libusb-0.1-4             2:0.1.12-12        userspace USB programming library
ii  libvisual-0.4-0          0.4.0-2.1          Audio visualization framework
ii  unzip                    5.52-11            De-archiver for .zip files

Versions of packages amarok recommends:
ii  amarok-konqsidebar       1.4.9.1-2          Amarok sidebar for konqueror 3.x.x
ii  kdemultimedia-kio-plugins 4:3.5.9-2         enables the browsing of audio CDs

Versions of packages amarok suggests:
ii  amarok-engines           1.4.9.1-2          output engines for the Amarok musi
ii  dillo [www-browser]      0.8.6-3            Small and fast web browser
ii  elinks [www-browser]     0.11.4-1+b1        advanced text-mode WWW browser
ii  iceweasel [www-browser]  3.0.1-1            lightweight web browser based on M
ii  konqueror [www-browser]  4:3.5.9.dfsg.1-4   KDE's advanced file manager, web b
ii  libvisual-0.4-plugins    0.4.0.dfsg.1-2     Audio visualization framework plug
ii  lynx-cur [www-browser]   2.8.7dev9-1.2      Text-mode WWW Browser with NLS sup
ii  moodbar                  0.1.2-2            Analysis program for creating a co
ii  w3m [www-browser]        0.5.2-2+b1         WWW browsable pager with excellent

-- no debconf information
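The quoted handler writes the downloaded list to a fixed, world-known name in a shared directory, removes whatever is there, and then reopens it for writing. That is the classic insecure temporary file pattern: a pre-existing file owned by another user cannot be removed in a sticky /tmp, so the code falls through to the open, and between the remove() and the open() another local user can plant a symlink that the truncating open then follows. The hardened form is to create a uniquely named, owner-only file with O_CREAT|O_EXCL (mkstemp(), or KTempFile in kdelibs 3) and hand that path to the parser. The block below is an added example written for this report, not code from Amarok, Debian or Magnatune; it is written against POSIX rather than Qt/KIO so it runs stand-alone, and the function names, the album_info.XXXXXX template and the sample XML are choices made for the example only.

```cpp
// Added example (not Amarok's code): a hardened replacement for the
// "/tmp/album_info.xml" handling quoted in the bug report, using POSIX
// calls instead of QFile so it builds without Qt. Names are illustrative.
#include <cerrno>
#include <cstdlib>
#include <string>
#include <vector>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

// Build a mkstemp() template in the user's TMPDIR (falling back to /tmp).
// mkstemp() replaces the trailing XXXXXX with a random suffix, so other
// users of the shared directory cannot guess the name ahead of time.
static std::string scratchTemplate() {
    const char *dir = std::getenv("TMPDIR");
    std::string base = (dir && *dir) ? dir : "/tmp";
    return base + "/album_info.XXXXXX";   // template chosen for this example
}

// Write all of `data` to `fd`, retrying on short writes and EINTR.
static bool writeAll(int fd, const std::string &data) {
    size_t done = 0;
    while (done < data.size()) {
        ssize_t n = write(fd, data.data() + done, data.size() - done);
        if (n < 0) {
            if (errno == EINTR) continue;
            return false;
        }
        done += static_cast<size_t>(n);
    }
    return true;
}

// Create a private scratch file holding `data` and return its path, or ""
// on failure. mkstemp() opens with O_CREAT|O_EXCL and mode 0600, so a file
// or symlink planted in advance by another user is never followed or
// overwritten: the caller always gets a fresh inode it owns. This replaces
// the remove()-then-open() sequence in listDownloadComplete().
std::string writeScratchFile(const std::string &data) {
    std::string tmpl = scratchTemplate();
    std::vector<char> path(tmpl.begin(), tmpl.end());
    path.push_back('\0');                 // mkstemp() needs a writable C string
    int fd = mkstemp(path.data());
    if (fd < 0) return "";
    bool ok = writeAll(fd, data);
    if (close(fd) != 0) ok = false;
    std::string result(path.data());
    if (!ok) {
        unlink(result.c_str());           // do not leave a half-written file
        return "";
    }
    return result;
}

// Permission bits of `path`, or -1 if it cannot be stat()ed. Used to
// confirm the scratch file is not readable by group or others.
int fileMode(const std::string &path) {
    struct stat st;
    if (stat(path.c_str(), &st) != 0) return -1;
    return static_cast<int>(st.st_mode & 0777);
}

// Read a file back (for verification); "" if it cannot be opened.
std::string readFile(const std::string &path) {
    int fd = open(path.c_str(), O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return "";
    std::string out;
    char buf[4096];
    for (;;) {
        ssize_t n = read(fd, buf, sizeof buf);
        if (n < 0) { if (errno == EINTR) continue; break; }
        if (n == 0) break;
        out.append(buf, static_cast<size_t>(n));
    }
    close(fd);
    return out;
}

// If a fixed name really is required, this is the fail-closed way to claim
// it: create exactly `path` and refuse to proceed if anything is already
// there. Returns 0 on success, otherwise errno. O_EXCL makes open() fail
// with EEXIST even when the existing entry is a symlink, which is the
// "another user already created /tmp/album_info.xml" case in the report.
int createExclusive(const std::string &path) {
    int fd = open(path.c_str(), O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}
```

In the Amarok code the natural fix is to write the list into a KTempFile (kdelibs 3) and pass its name to MagnatuneXmlParser, or to skip the on-disk copy entirely and parse the already-downloaded buffer; either way the parser should be given the path the temp-file API returned rather than a hard-coded one. Linux's fs.protected_symlinks mitigates the symlink half of this on modern kernels, but not the denial-of-service from a pre-created file, and not on the 2.6.25 kernel in the report.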