Your message dated Tue, 19 Jun 2018 02:33:55 +0000
with message-id <e1fv6sx-0007cr...@fasolo.debian.org>
and subject line Bug#901798: fixed in cantata 2.3.0.ds1-2
has caused the Debian Bug report #901798,
regarding cantata: source contains insecure mount.cifs wrapper, cantata-mounter
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
901798: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901798
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: cantata
Version: 2.3.0.ds1-1
Severity: important
Tags: security

cantata contains a helper program cantata-mounter
which runs as root (via D-Bus activation) and allows
unprivileged users to do privileged mount operations via D-Bus
IPC. This turns out to have several security vulnerabilities
(<http://www.openwall.com/lists/oss-security/2018/06/18/1>) with the
worst-case impact being local root privilege escalation.

Mitigation: the Debian packaging doesn't seem to build cantata-mounter
(or at least https://packages.debian.org/unstable/cantata says it isn't
in the binary package for the architectures I tried). However, d/rules
doesn't *explicitly* disable it, so I think there's a risk that it might
become enabled by mistake in a future upload.

Please close this bug when either cantata-mounter is specifically
disabled, or the upstream source has been upgraded to a version that no
longer includes cantata-mounter.

Thanks,
    smcv

--- End Message ---
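A defender's check for the concern raised in the report above (that the privileged helper could be built and shipped by mistake in a later upload), added here as an example and not part of the bug report or of the cantata package: a POSIX shell script that inspects an installed system or a staged package tree for a `cantata-mounter` file under `usr/` and for any D-Bus system-bus activation file whose `Exec=` line names it, plus a second function that applies the same test to a `dpkg-deb -c` listing of a built .deb. The helper's install path is not assumed (the whole of `usr/` is searched); the service-file name and listing lines used in the usage note are constructed.

```shell
#!/bin/sh
# Added example (not from the bug report or the cantata package).
# Looks for evidence that the root-running cantata-mounter helper is present:
#   1. a file named cantata-mounter anywhere under <root>/usr
#   2. a D-Bus system-bus activation file whose Exec= line names it
# Returns 0 when nothing is found, 1 when the helper appears to be installed.
# <root> defaults to / so the check can run on a live system; pass a staging
# directory (e.g. the debian/<package> tree of a build) to check before upload.
check_cantata_mounter() {
    root="${1:-/}"
    found=0
    # 1. the helper binary itself (install location not assumed; search usr/)
    for f in $(find "$root/usr" -type f -name cantata-mounter 2>/dev/null); do
        echo "helper binary present: $f"
        found=1
    done
    # 2. system-bus activation: only files in this directory let dbus-daemon
    #    launch a service as root on behalf of an unprivileged caller
    for svc in "$root"/usr/share/dbus-1/system-services/*.service; do
        [ -f "$svc" ] || continue
        if grep -q '^Exec=.*cantata-mounter' "$svc"; then
            echo "D-Bus system activation file references cantata-mounter: $svc"
            found=1
        fi
    done
    return $found
}

# Same test applied to a package listing read from stdin, e.g.
#   dpkg-deb -c cantata_<version>_<arch>.deb | check_deb_listing
# Returns 0 if no path in the listing ends in cantata-mounter, 1 otherwise.
check_deb_listing() {
    if grep -q 'cantata-mounter$'; then
        echo "package listing contains cantata-mounter"
        return 1
    fi
    return 0
}
```

Run `check_cantata_mounter` with no argument on an installed system, or with the path of a staged package tree during a build; a non-zero exit means the helper (or an activation file that would start it as root) is present and the upload should not go out until it is explicitly disabled.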
--- Begin Message ---
Source: cantata
Source-Version: 2.3.0.ds1-2

We believe that the bug you reported is fixed in the latest version of
cantata, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 901...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stuart Prescott <stu...@debian.org> (supplier of updated cantata package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 19 Jun 2018 11:38:16 +1000
Source: cantata
Binary: cantata
Architecture: source
Version: 2.3.0.ds1-2
Distribution: unstable
Urgency: high
Maintainer: Debian Multimedia Maintainers <debian-multime...@lists.debian.org>
Changed-By: Stuart Prescott <stu...@debian.org>
Description:
 cantata    - Qt client for the music player daemon (MPD)
Closes: 901798
Changes:
 cantata (2.3.0.ds1-2) unstable; urgency=high
 .
   * Disable cantata-mounter (Closes: #901798).
Checksums-Sha1:
 a768e9def5ab5de22ad70867f36b2376978219da 2357 cantata_2.3.0.ds1-2.dsc
 bbb1a90a2c79f3a5ec5291638eb4a14dd26eac02 14252 cantata_2.3.0.ds1-2.debian.tar.xz
 7a3b1b15dded245b5d3f46c85d92d5de092641b1 16517 cantata_2.3.0.ds1-2_amd64.buildinfo
Checksums-Sha256:
 b52800c2759debbb31068ba9f8222479344c1e8ee8efe6b982c0e09b85d006f2 2357 cantata_2.3.0.ds1-2.dsc
 0a3190c8189ec062af287a37e2da3b894ae7c234b967aa5cad26140171cb3124 14252 cantata_2.3.0.ds1-2.debian.tar.xz
 579cd77b6340972b9f171ab02413cc189c515f6b0b71eade64fdfc0408102800 16517 cantata_2.3.0.ds1-2_amd64.buildinfo
Files:
 7666e4fc81b26fb22fc17aaa3a2ce835 2357 sound optional cantata_2.3.0.ds1-2.dsc
 173feb0fee9291c0c1d9bf5eba72fad5 14252 sound optional cantata_2.3.0.ds1-2.debian.tar.xz
 35f58005e54c6ee19cd2917b7dbde669 16517 sound optional cantata_2.3.0.ds1-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
_______________________________________________
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
