------------------------------------------------------------
Arch Linux Security Warning                    ALSW 2007-#15
------------------------------------------------------------
Name:      amarok-base
Date:      2007-03-14
Severity:  Low
Warning #: 2007-#15
------------------------------------------------------------

Product Background
===================
Amarok is an advanced music player.

Problem Background
===================
The Magnatune component shipped with Amarok is vulnerable to the
injection of arbitrary shell code from a malicious Magnatune server.

Impact
==========
A compromised or malicious Magnatune server can remotely execute
arbitrary shell code, with the rights of the user running Amarok, on a
client that has previously registered to buy music.

Workaround
==========
Do not use the Magnatune component of Amarok.

Problem Packages
===================
------------------------------------------------------------------
Package     | Repo  | Group      | Unsafe     | Safe         |
------------------------------------------------------------------
amarok-base | extra | multimedia | <= 1.4.5-2 | Only patched |

Package Fix
===================
Patch amarok with this patch (from the SVN repo, formatted by our
Gentoo cousin :P):
http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-sound/amarok/files/amarok-1.4.5-magnatune.patch

====================
Unofficial ArchLinux Security Bug Tracker:
http://jjdanimoth.netsons.org/alsw.html

Reference(s)
===================
http://secunia.com/advisories/24159
CVE-2006-6979

Contact
==================
JJDaNiMoTh <jjdanimoth AT gmail DOT com>
