[Bug 228138] New: CVE-2006-6979: amarok shell escaping issue
by Red Hat Bugzilla
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=228138
Summary: CVE-2006-6979: amarok shell escaping issue
Product: Fedora Extras
Version: fc6
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: normal
Component: amarok
AssignedTo: gauret(a)free.fr
ReportedBy: ville.skytta(a)iki.fi
QAContact: extras-qa(a)fedoraproject.org
CC: fedora-security-list(a)redhat.com
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6979
"The ruby handlers in Amarok do not properly quote text in certain contexts,
probably including construction of an unzip command line, which allows attackers
to execute arbitrary commands via shell metacharacters."
Not clear to me which, if any, versions of amarok in FE or upstream are
affected. The referenced bugs.kde.org entry is open and there are no comments
at the moment.
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
17 years, 1 month
firefox 1.5.0.10 update timeframe?
by Matthew Miller
As I'm sure everyone knows, the Red Hat Enterprise Linux errata for this is
already out, and marked as critical. No sign of a corresponding update for
any of the supported Fedora versions. Please let's not have this be another
one of those cases where Fedora's Firefox is vulnerable for weeks. It is,
frankly, embarrassing.
--
Matthew Miller mattdm(a)mattdm.org <http://mattdm.org/>
Boston University Linux ------> <http://linux.bu.edu/>
17 years, 2 months