Since this is a security fix that's been sitting around for a bit, I'm going to go ahead and upload the attached NMU diff. There are two possible patches available to resolve this issue: the initial one done by Ubuntu and the upstream one. Since the upstream patch also had some functional changes, the NMU is based on the Ubuntu patch (both resolve the security issue) to keep the changes to the minimum.
For the maintainers, of course I'm glad to have you do it the other way if you prefer, but I think it's better to at least get a security fix in the archive than not. Scott K
diff -Nru rhythmbox-2.97/debian/changelog rhythmbox-2.97/debian/changelog
--- rhythmbox-2.97/debian/changelog 2012-06-20 01:38:10.000000000 -0400
+++ rhythmbox-2.97/debian/changelog 2012-07-27 21:42:01.000000000 -0400
@@ -1,3 +1,18 @@
+rhythmbox (2.97-2.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Urgency high for security fix
+ * fix insecure directory for python module import in context plugin
+ (Closes: #616673)
+ - debian/patches/CVE-2012-3355.patch: update context plugin to use
+ tempfile.mkdtemp() instead of /tmp/context. Patch thanks to Andreas
+ Henriksson (used theUbuntu security fix instead of the upstream commit
+ because the upstream commit was a mix of functional changes and a
+ security fix))
+ - CVE-2012-3355
+
+ -- Scott Kitterman <sc...@kitterman.com> Fri, 27 Jul 2012 16:41:52 -0400
+
 rhythmbox (2.97-2) unstable; urgency=low
 
 [ Jon Dowland ]
diff -Nru rhythmbox-2.97/debian/patches/CVE-2012-3355.patch rhythmbox-2.97/debian/patches/CVE-2012-3355.patch
--- rhythmbox-2.97/debian/patches/CVE-2012-3355.patch 1969-12-31 19:00:00.000000000 -0500
+++ rhythmbox-2.97/debian/patches/CVE-2012-3355.patch 2012-07-27 16:40:00.000000000 -0400
@@ -0,0 +1,100 @@
+Origin: http://bugzilla-attachments.gnome.org/attachment.cgi?id=218103
+Author: Andreas Henriksson <andr...@fatal.se>
+Description: use mkdtemp to securely create temp dir
+Bug: https://bugzilla.gnome.org/process_bug.cgi
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=616673
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=835076
+
+Index: rhythmbox-2.96/plugins/context/AlbumTab.py
+===================================================================
+--- rhythmbox-2.96.orig/plugins/context/AlbumTab.py 2012-03-10 04:22:26.000000000 -0600
++++ rhythmbox-2.96/plugins/context/AlbumTab.py 2012-07-09 10:53:07.000000000 -0500
+@@ -126,9 +126,9 @@
+ self.path = rb.find_plugin_file (self.plugin, 'tmpl/album-tmpl.html')
+ self.loading_path = rb.find_plugin_file (self.plugin, 'tmpl/loading.html')
+ self.album_template = Template (filename = self.path,
+- module_directory = '/tmp/context')
++ module_directory = self.plugin.tempdir)
+ self.loading_template = Template (filename = self.loading_path,
+- module_directory = '/tmp/context')
++ module_directory = self.plugin.tempdir)
+ self.styles = self.basepath + '/tmpl/main.css'
+ 
+ def album_list_ready (self, ds):
+Index: rhythmbox-2.96/plugins/context/ArtistTab.py
+===================================================================
+--- rhythmbox-2.96.orig/plugins/context/ArtistTab.py 2012-03-10 04:22:26.000000000 -0600
++++ rhythmbox-2.96/plugins/context/ArtistTab.py 2012-07-09 10:53:07.000000000 -0500
+@@ -123,8 +123,8 @@
+ def load_tmpl (self):
+ self.path = rb.find_plugin_file(self.plugin, 'tmpl/artist-tmpl.html')
+ self.loading_path = rb.find_plugin_file (self.plugin, 'tmpl/loading.html')
+- self.template = Template (filename = self.path, module_directory = '/tmp/context/')
+- self.loading_template = Template (filename = self.loading_path, module_directory = '/tmp/context')
++ self.template = Template (filename = self.path, module_directory = self.plugin.tempdir)
++ self.loading_template = Template (filename = self.loading_path, module_directory = self.plugin.tempdir)
+ self.styles = self.basepath + '/tmpl/main.css'
+ 
+ def connect_signals (self):
+Index: rhythmbox-2.96/plugins/context/context.py
+===================================================================
+--- rhythmbox-2.96.orig/plugins/context/context.py 2012-02-12 00:13:11.000000000 -0600
++++ rhythmbox-2.96/plugins/context/context.py 2012-07-09 10:53:07.000000000 -0500
+@@ -26,6 +26,10 @@
+ 
+ # vim:shiftwidth=4:softtabstop=4:expandtab
+ 
++from tempfile import mkdtemp
++from os.path import isdir
++from shutil import rmtree
++
+ import ContextView as cv
+ 
+ from gi.repository import GObject, Peas
+@@ -34,13 +38,17 @@
+ class ContextPlugin(GObject.Object, Peas.Activatable):
+ __gtype_name__ = 'ContextPlugin'
+ object = GObject.property(type=GObject.Object)
++ tempdir = None
+ 
+ def __init__ (self):
+ GObject.Object.__init__ (self)
+ 
+ def do_activate (self):
++ self.tempdir = mkdtemp(prefix = 'rb-context')
+ self.context_view = cv.ContextView (self.object, self)
+ 
+ def do_deactivate(self):
+ self.context_view.deactivate(self.object)
+ del self.context_view
++ if (isdir(self.tempdir)):
++ rmtree(self.tempdir)
+Index: rhythmbox-2.96/plugins/context/LinksTab.py
+===================================================================
+--- rhythmbox-2.96.orig/plugins/context/LinksTab.py 2012-03-10 04:22:26.000000000 -0600
++++ rhythmbox-2.96/plugins/context/LinksTab.py 2012-07-09 10:53:07.000000000 -0500
+@@ -107,7 +107,7 @@
+ self.images = self.basepath + '/img/links/'
+ self.styles = self.basepath + '/tmpl/main.css'
+ self.template = Template (filename = self.path,
+- module_directory = '/tmp/context/')
++ module_directory = self.plugin.tempdir)
+ 
+ self.file = self.template.render (error = ds.get_error (),
+ artist = ds.get_artist(),
+Index: rhythmbox-2.96/plugins/context/LyricsTab.py
+===================================================================
+--- rhythmbox-2.96.orig/plugins/context/LyricsTab.py 2012-03-10 04:22:26.000000000 -0600
++++ rhythmbox-2.96/plugins/context/LyricsTab.py 2012-07-09 10:53:07.000000000 -0500
+@@ -111,9 +111,9 @@
+ self.path = rb.find_plugin_file(self.plugin, 'tmpl/lyrics-tmpl.html')
+ self.loading_path = rb.find_plugin_file (self.plugin, 'tmpl/loading.html')
+ self.template = Template (filename = self.path,
+- module_directory = '/tmp/context/')
++ module_directory = self.plugin.tempdir)
+ self.loading_template = Template (filename = self.loading_path,
+- module_directory = '/tmp/context')
++ module_directory = self.plugin.tempdir)
+ self.styles = self.basepath + '/tmpl/main.css'
+ 
+ def lyrics_ready (self, ds, entry, lyrics):
diff -Nru rhythmbox-2.97/debian/patches/series rhythmbox-2.97/debian/patches/series
--- rhythmbox-2.97/debian/patches/series 2012-06-19 17:21:03.000000000 -0400
+++ rhythmbox-2.97/debian/patches/series 2012-07-27 16:40:37.000000000 -0400
@@ -1 +1,2 @@
 rb-mb5.patch
+CVE-2012-3355.patch
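Review bot: In the new `do_deactivate` of plugins/context/context.py the `rmtree(self.tempdir)` cleanup only runs when `self.context_view.deactivate(self.object)` and the `del` return normally, and `isdir(self.tempdir)` would raise TypeError if `tempdir` is still the class default `None` (deactivate called without a prior activate), leaving the private directory behind either way. The `mkdtemp` change itself is the right fix: the module directory Mako compiles templates into is now created with an unpredictable name and owner-only permissions instead of the shared, predictable /tmp/context path that every tab's `module_directory` argument pointed at. I would wrap the cleanup in `try`/`finally`, guard on `tempdir` being set, and clear it after removal so a stale path is never reused on a later activate; the rewritten method follows. As a style point, `if (isdir(self.tempdir)):` carries redundant parentheses and `prefix = 'rb-context'` puts spaces around a keyword-argument `=`, which matches the surrounding file but not PEP 8.
```python
    def do_deactivate(self):
        try:
            self.context_view.deactivate(self.object)
            del self.context_view
        finally:
            # Remove the mkdtemp() directory even if deactivation fails,
            # and forget the path so a stale one is never reused.
            if self.tempdir is not None and isdir(self.tempdir):
                rmtree(self.tempdir)
            self.tempdir = None
```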