Hello community,

here is the log from the commit of package rhythmbox for openSUSE:12.2 checked 
in at 2012-07-24 16:11:15
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.2/rhythmbox (Old)
 and      /work/SRC/openSUSE:12.2/.rhythmbox.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rhythmbox", Maintainer is "gnome-maintain...@suse.de"

Changes:
--------
--- /work/SRC/openSUSE:12.2/rhythmbox/rhythmbox.changes 2012-06-26 
17:29:22.000000000 +0200
+++ /work/SRC/openSUSE:12.2/.rhythmbox.new/rhythmbox.changes    2012-07-24 
17:22:38.000000000 +0200
@@ -1,0 +2,6 @@
+Tue Jul 24 11:15:36 UTC 2012 - vu...@opensuse.org
+
+- Add rhythmbox-CVE-2012-3355.patch: fix insecure temporary
+  directory use in context plugin. Fix bnc#768681, CVE-2012-3355.
+
+-------------------------------------------------------------------

New:
----
  rhythmbox-CVE-2012-3355.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rhythmbox.spec ++++++
--- /var/tmp/diff_new_pack.9vOcdj/_old  2012-07-24 17:22:38.000000000 +0200
+++ /var/tmp/diff_new_pack.9vOcdj/_new  2012-07-24 17:22:38.000000000 +0200
@@ -24,6 +24,8 @@
 Group:          Productivity/Multimedia/Sound/Players
 Url:            http://www.gnome.org/projects/rhythmbox/
 Source:         
http://download.gnome.org/sources/rhythmbox/2.97/%{name}-%{version}.tar.xz
+# PATCH-FIX-UPSTREAM rhythmbox-CVE-2012-3355.patch CVE-2012-3355 bnc#768681 
vu...@opensuse.org -- Fix insecure temporary directory use in context plugin
+Patch0:         rhythmbox-CVE-2012-3355.patch
 BuildRequires:  gnome-doc-utils-devel
 BuildRequires:  gobject-introspection-devel
 BuildRequires:  intltool
@@ -97,6 +99,7 @@
 %prep
 %setup -q
 translation-update-upstream
+%patch0 -p1
 
 %build
 export MOZILLA_PLUGINDIR=%{_libdir}/browser-plugins


++++++ rhythmbox-CVE-2012-3355.patch ++++++
>From 01a829f549a0fd90ad8c8befd0793fa5f133f8f8 Mon Sep 17 00:00:00 2001
From: Jonathan Matthew <jonat...@d14n.org>
Date: Tue, 24 Jul 2012 10:43:36 +0000
Subject: context: remove the module_context parameter (bug #678661)

Caching the template modules doesn't really buy us anything, and
there is the possibility that it could be used to load hostile code
into another user's process (since the module directory was under /tmp).
If it turns out we need the cache, we should put it somewhere
under the XDG cache dir.
---
diff --git a/plugins/context/AlbumTab.py b/plugins/context/AlbumTab.py
index 5d32171..61b3a1a 100644
--- a/plugins/context/AlbumTab.py
+++ b/plugins/context/AlbumTab.py
@@ -125,10 +125,8 @@ class AlbumView (GObject.GObject):
     def load_tmpl (self):
         self.path = rb.find_plugin_file (self.plugin, 'tmpl/album-tmpl.html')
         self.loading_path = rb.find_plugin_file (self.plugin, 
'tmpl/loading.html')
-        self.album_template = Template (filename = self.path,
-                                        module_directory = '/tmp/context')
-        self.loading_template = Template (filename = self.loading_path, 
-                                          module_directory = '/tmp/context')
+        self.album_template = Template (filename = self.path)
+        self.loading_template = Template (filename = self.loading_path)
         self.styles = self.basepath + '/tmpl/main.css'
 
     def album_list_ready (self, ds):
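Review bot: Nothing in `load_tmpl` records why the two `Template` calls are now built without `module_directory`, so a later change could re-add an on-disk module cache in a shared location. I would add a comment above them, e.g. `# No module_directory: compiled template modules must not be written to a shared, world-writable path such as /tmp (bug #678661).` The same comment applies to the `Template` calls in the ArtistTab.py, LinksTab.py and LyricsTab.py hunks. The commit subject names `module_context`, while the argument removed in the diff is `module_directory`. If a cache is ever reintroduced under the XDG cache dir as the description suggests, the directory should be per-user and created with owner-only permissions.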
diff --git a/plugins/context/ArtistTab.py b/plugins/context/ArtistTab.py
index daa6027..4859991 100644
--- a/plugins/context/ArtistTab.py
+++ b/plugins/context/ArtistTab.py
@@ -123,8 +123,8 @@ class ArtistView (GObject.GObject):
     def load_tmpl (self):
         self.path = rb.find_plugin_file(self.plugin, 'tmpl/artist-tmpl.html')
         self.loading_path = rb.find_plugin_file (self.plugin, 
'tmpl/loading.html')
-        self.template = Template (filename = self.path, module_directory = 
'/tmp/context/')
-        self.loading_template = Template (filename = self.loading_path, 
module_directory = '/tmp/context')
+        self.template = Template (filename = self.path)
+        self.loading_template = Template (filename = self.loading_path)
         self.styles = self.basepath + '/tmpl/main.css'
 
     def connect_signals (self):
diff --git a/plugins/context/LinksTab.py b/plugins/context/LinksTab.py
index 326024a..519e46c 100644
--- a/plugins/context/LinksTab.py
+++ b/plugins/context/LinksTab.py
@@ -106,8 +106,7 @@ class LinksView (GObject.GObject):
         self.path = rb.find_plugin_file(self.plugin, 'tmpl/links-tmpl.html')
         self.images = self.basepath + '/img/links/'
         self.styles = self.basepath + '/tmpl/main.css'
-        self.template = Template (filename = self.path, 
-                                  module_directory = '/tmp/context/')
+        self.template = Template (filename = self.path)
 
         self.file = self.template.render (error      = ds.get_error (),
                                           artist     = ds.get_artist(),
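Review bot: In this LinksTab.py hunk `self.template = Template (filename = self.path)` sits directly before `self.template.render (...)`, apparently inside the method that renders the view (its start is outside the hunk). With the module cache gone, the template may therefore be parsed and compiled again on every call. The other three tabs construct their templates once in `load_tmpl`, and moving this construction into an equivalent one-time setup method would keep it to a single compile per view. This is inferred from the visible lines only and should be checked against the full method.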
diff --git a/plugins/context/LyricsTab.py b/plugins/context/LyricsTab.py
index 96b44c4..c8b1fed 100644
--- a/plugins/context/LyricsTab.py
+++ b/plugins/context/LyricsTab.py
@@ -110,10 +110,8 @@ class LyricsView (GObject.GObject):
     def load_tmpl (self):
         self.path = rb.find_plugin_file(self.plugin, 'tmpl/lyrics-tmpl.html')
         self.loading_path = rb.find_plugin_file (self.plugin, 
'tmpl/loading.html')
-        self.template = Template (filename = self.path, 
-                                  module_directory = '/tmp/context/')
-        self.loading_template = Template (filename = self.loading_path, 
-                                          module_directory = '/tmp/context')
+        self.template = Template (filename = self.path)
+        self.loading_template = Template (filename = self.loading_path)
         self.styles = self.basepath + '/tmpl/main.css'
 
     def lyrics_ready (self, ds, entry, lyrics):
--
cgit v0.9.0.2
-- 