Your message dated Sun, 17 Aug 2008 16:32:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#451303: fixed in exaile 0.2.11.1+debian-2
has caused the Debian Bug report #451303,
regarding exaile: Exaile downloads and executes remote code
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
451303: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=451303
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: exaile
Version: 0.2.10+debian-1.1
Severity: important
*** Please type your report below this line ***
The versions of exaile in sid and lenny both contain plugin
management code which basically boils down to:
wget -O plugin 'http://www.exaile.org/plugins/plugins.py?version=%s&plugin=%s'
chmod 755 plugin
./plugin
In short, they allow anybody with control over DNS to execute
arbitrary python code on your machine - either if you decide to
enable a new plugin, or if you have a plugin installed and use the
'version checking' to automatically download a new version of something
you've got installed.
I'd, personally, love to see this code replaced with something
more sane such as an exaile-plugins package which could use
a local collection of plugins.
As the package isn't in Etch I'll leave it at this report
rather than raising a security bug. But comments definitely
welcome.
Steve
--
# Kink-Friendly Dating
http://ctrl-alt-date.com/
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.18.8-xen (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages exaile depends on:
ii gstreamer0.10-alsa 0.10.14-4 GStreamer plugin for ALSA
ii gstreamer0.10-esd 0.10.6-3 GStreamer plugin for ESD
ii gstreamer0.10-plugins-base 0.10.14-4 GStreamer plugins from the "base"
ii gstreamer0.10-plugins-good 0.10.6-3 GStreamer plugins from the "good"
ii libatk1.0-0 1.20.0-1 The ATK accessibility toolkit
ii libc6 2.6.1-6 GNU C Library: Shared libraries
ii libcairo2 1.4.10-1+b2 The Cairo 2D vector graphics libra
ii libfontconfig1 2.4.91-1 generic font configuration library
ii libglib2.0-0 2.14.3-1 The GLib library of C routines
ii libgstreamer0.10-0 0.10.14-2 Core GStreamer libraries and eleme
ii libgtk2.0-0 2.12.1-2 The GTK+ graphical user interface
ii libpango1.0-0 1.18.3-1 Layout and rendering of internatio
ii libx11-6 2:1.0.3-7 X11 client-side library
ii libxcursor1 1:1.1.9-1 X cursor management library
ii libxext6 1:1.0.3-2 X11 miscellaneous extension librar
ii libxfixes3 1:4.0.3-2 X11 miscellaneous 'fixes' extensio
ii libxi6 2:1.1.3-1 X11 Input extension library
ii libxinerama1 1:1.0.2-1 X11 Xinerama extension library
ii libxrandr2 2:1.2.2-1 X11 RandR extension library
ii libxrender1 1:0.9.4-1 X Rendering Extension client libra
ii python 2.4.4-6 An interactive high-level object-o
ii python-dbus 0.82.3-1 simple interprocess messaging syst
ii python-elementtree 1.2.6-11 Light-weight toolkit for XML proce
ii python-glade2 2.12.0-1 GTK+ bindings: Glade support
ii python-gst0.10 0.10.8-1 generic media-playing framework (P
ii python-gtk2 2.12.0-1 Python bindings for the GTK+ widge
ii python-mutagen 1.11-1 audio metadata editing library
ii python-pysqlite2 2.3.5-1 python interface to SQLite 3
ii python-pyvorbis 1.3-1.2 A Python interface to the Ogg Vorb
ii python-support 0.7.5 automated rebuilding support for p
Versions of packages exaile recommends:
ii gstreamer0.10-plugins-ugly 0.10.6-2 GStreamer plugins from the "ugly"
pn python-cddb <none> (no description available)
pn python-gamin <none> (no description available)
pn python-gnome2-extras <none> (no description available)
pn python-gpod <none> (no description available)
pn python-notify <none> (no description available)
pn streamripper <none> (no description available)
-- no debconf information
--- End Message ---
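The pattern Steve describes above, as an added example that is not exaile's code or the Debian packaging: the fetch-over-plain-HTTP, chmod, execute path beside a hardened variant that only executes a body whose SHA-256 digest is pinned in a manifest shipped inside the package. The "download" is a constructed stand-in for wget/urllib in which whoever answers for the host name (the party controlling DNS in the report) chooses the bytes; the plugin bodies, the `PINNED_DIGESTS` manifest, the plugin name `hello` and the version string in the URL are all assumptions made for the example.

```python
"""Added example, not code from exaile or the Debian packaging.

Models the plugin path described in Debian #451303 (fetch over plain HTTP,
chmod 755, execute) beside a hardened variant that will only execute a body
whose SHA-256 digest is pinned in a manifest shipped with the package.
The "download" is a constructed stand-in: whoever answers for the host name
decides the bytes, exactly as an attacker controlling DNS would.
"""
import hashlib
import hmac
import os
import subprocess
import sys
import tempfile

# Constructed stand-ins for what www.exaile.org would serve (legitimate)
# and what a host impersonating it could serve instead. The "evil" body
# only drops a marker file so the demo can prove it was executed.
GOOD_PLUGIN = b"print('plugin loaded')\n"
EVIL_PLUGIN = b"open('ATTACKER_RAN', 'w').write('arbitrary code executed')\n"

# Hypothetical local manifest: digests shipped inside the package, never
# fetched from the network, so a spoofed server cannot change them.
PINNED_DIGESTS = {"hello": hashlib.sha256(GOOD_PLUGIN).hexdigest()}


def fetch_plugin(url, served_body):
    """Stand-in for wget/urllib: the body is whatever the host answers with."""
    # Plain http:// in the report means no TLS, so DNS alone picks the peer.
    assert url.startswith("http://")
    return served_body


def run_downloaded(body, workdir):
    """The pattern from the report: write the body, chmod 755, execute it."""
    path = os.path.join(workdir, "plugin.py")
    with open(path, "wb") as fh:
        fh.write(body)
    os.chmod(path, 0o755)
    proc = subprocess.run([sys.executable, path], cwd=workdir, capture_output=True)
    return proc.returncode


def vulnerable_install(name, served_body, workdir):
    """Trusts the network completely: anything served is executed."""
    url = "http://www.exaile.org/plugins/plugins.py?version=0.2.10&plugin=" + name
    return run_downloaded(fetch_plugin(url, served_body), workdir)


def verified_install(name, served_body, workdir):
    """Hardened: refuse to execute anything whose digest is not pinned locally."""
    url = "http://www.exaile.org/plugins/plugins.py?version=0.2.10&plugin=" + name
    body = fetch_plugin(url, served_body)
    expected = PINNED_DIGESTS.get(name)
    if expected is None:
        raise ValueError("no pinned digest for plugin %r; refusing to execute" % name)
    actual = hashlib.sha256(body).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise ValueError("digest mismatch for plugin %r; refusing to execute" % name)
    return run_downloaded(body, workdir)


def demo():
    """Run both installers against a spoofed response and report what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        vulnerable_install("hello", EVIL_PLUGIN, d)
        results["vulnerable_ran_attacker_code"] = os.path.exists(os.path.join(d, "ATTACKER_RAN"))
    with tempfile.TemporaryDirectory() as d:
        try:
            verified_install("hello", EVIL_PLUGIN, d)
            results["verified_rejected_attacker_code"] = False
        except ValueError:
            results["verified_rejected_attacker_code"] = True
        results["verified_left_no_marker"] = not os.path.exists(os.path.join(d, "ATTACKER_RAN"))
        results["verified_ran_genuine_plugin"] = verified_install("hello", GOOD_PLUGIN, d) == 0
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The pinned-digest gate only helps because the manifest comes from the package, not from the same server that serves the plugin; a digest list fetched over the same unauthenticated channel would be spoofed along with the code. It also freezes each plugin at one known body, so it cannot serve the "version checking" update path from the report without a new package; allowing updates would need a signature over the body checked against a key shipped with the package. The fix that actually closed this bug took the simpler route of disabling remote plugin download altogether.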
--- Begin Message ---
Source: exaile
Source-Version: 0.2.11.1+debian-2
We believe that the bug you reported is fixed in the latest version of
exaile, which is due to be installed in the Debian FTP archive:
exaile_0.2.11.1+debian-2.diff.gz
to pool/main/e/exaile/exaile_0.2.11.1+debian-2.diff.gz
exaile_0.2.11.1+debian-2.dsc
to pool/main/e/exaile/exaile_0.2.11.1+debian-2.dsc
exaile_0.2.11.1+debian-2_i386.deb
to pool/main/e/exaile/exaile_0.2.11.1+debian-2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adam Cécile (Le_Vert) <[EMAIL PROTECTED]> (supplier of updated exaile package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 17 Aug 2008 14:06:58 +0200
Source: exaile
Binary: exaile
Architecture: source i386
Version: 0.2.11.1+debian-2
Distribution: unstable
Urgency: low
Maintainer: François Févotte <[EMAIL PROTECTED]>
Changed-By: Adam Cécile (Le_Vert) <[EMAIL PROTECTED]>
Description:
exaile - flexible audio player, similar to Amarok, but written in GTK+
Closes: 451303
Changes:
exaile (0.2.11.1+debian-2) unstable; urgency=low
.
* Add quilt patch system.
* Merge patch from Eric Evans to disable remote plugin download
(Closes: #451303).
* Bump Standards-Version to 3.8.0.
Checksums-Sha1:
fd21a2d5c2af057742a37dc28b8205717c330c13 1198 exaile_0.2.11.1+debian-2.dsc
84bf4a14b99f46b46437dd5b81d9354d02c8dad4 6112 exaile_0.2.11.1+debian-2.diff.gz
62d6a798b305a1059c2e28a1f48519bd95f38436 663060 exaile_0.2.11.1+debian-2_i386.deb
Checksums-Sha256:
8b0a318203d22c15d5b8169fed4e91033e918e0adf478acc6caf535bb239dac2 1198 exaile_0.2.11.1+debian-2.dsc
e3f19ab27ec79e34e7ba32c784a254929b9ca2b10b9c7d4b9e8d118199b3f2ba 6112 exaile_0.2.11.1+debian-2.diff.gz
6e1cb89ff34e2168046d3fc3321893cb4a6e7aea207c4be14eda99267a017904 663060 exaile_0.2.11.1+debian-2_i386.deb
Files:
3ecde46489c434caa0b97249899c1002 1198 sound optional exaile_0.2.11.1+debian-2.dsc
f1e8aa964b5202bd2a6701c1a6a2e612 6112 sound optional exaile_0.2.11.1+debian-2.diff.gz
0a0d98019135a86af1c2eff602e18795 663060 sound optional exaile_0.2.11.1+debian-2_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEUEARECAAYFAkioT+cACgkQAQwuptkwlkQ3uwCUDzwWg7Ul6HR8iuT1rGeprGFe
cACdFNbpMCgC7JI2gzCkccACEIkzj3Y=
=0ylJ
-----END PGP SIGNATURE-----
--- End Message ---