CVE-2008-3699

Publication date 14 August 2008

Last updated 24 July 2024


Ubuntu priority

The MagnatuneBrowser::listDownloadComplete function in magnatunebrowser/magnatunebrowser.cpp in Amarok before 1.4.10 allows local users to overwrite arbitrary files via a symlink attack on the album_info.xml temporary file.

Read the notes from the security team

Status

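| Package | Ubuntu Release | Status |
|---------|----------------|--------|
| amarok | 8.04 LTS hardy | Fixed 2:1.4.9.1-0ubuntu3.1 |
| amarok | 7.10 gutsy | Fixed 2:1.4.7-0ubuntu3.1 |
| amarok | 7.04 feisty | Ignored (end of life, was needed) |
| amarok | 6.06 LTS dapper | Not affected |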

Notes


jdstrand

Ubuntu 6.06 LTS (Dapper) does not contain the vulnerable code.

amarok tries to remove the file before opening it, so there is a TOCTOU vulnerability and a symlink could be inserted before open. This makes the attack much harder, but still possible.
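The remove-then-open pattern described in the note above, next to an atomic exclusive create, as an added example (not Amarok's code or the Ubuntu patch). The function names, the `/tmp/symlink-demo-XXXXXX` directory and `target.txt` are assumptions, and the symlink is constructed inside a private directory to stand in for a lost race.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Step 2 of remove-then-open: follows whatever now exists at `path`. */
int open_truncating(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: atomic create; EEXIST if anything, even a symlink, is at `path`. */
int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario in a private mkdtemp() directory: a symlink appears at
 * the temp path between unlink() and open(). Returns the link target's size
 * afterwards (-1 on setup failure); *open_err gets errno of a failed open. */
long target_size_after_open(int hardened, int *open_err) {
    char dir[] = "/tmp/symlink-demo-XXXXXX", tmp[128], target[128];
    struct stat st;
    long size = -1;
    FILE *f;
    if (!mkdtemp(dir)) return -1;
    snprintf(tmp, sizeof tmp, "%s/album_info.xml", dir);
    snprintf(target, sizeof target, "%s/target.txt", dir);
    if ((f = fopen(target, "w")) != NULL) {
        fputs("important data\n", f);        /* 15 bytes, constructed */
        fclose(f);
        unlink(tmp);                         /* step 1: remove stale file */
        if (symlink(target, tmp) == 0) {     /* race window: name reappears */
            int fd = hardened ? open_exclusive(tmp) : open_truncating(tmp);
            *open_err = fd < 0 ? errno : 0;
            if (fd >= 0) close(fd);
            if (stat(target, &st) == 0) size = (long)st.st_size;
        }
    }
    unlink(tmp); unlink(target); rmdir(dir);
    return size;
}

int main(void) {
    int e0 = 0, e1 = 0;
    long plain = target_size_after_open(0, &e0), excl = target_size_after_open(1, &e1);
    printf("plain: %ld bytes left; exclusive: %ld bytes left, errno %d\n", plain, excl, e1);
    return 0;
}
```

Where the file name does not need to be fixed, `mkstemp()` gives the same exclusive-create guarantee with an unpredictable name.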

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
amarok

References

Related Ubuntu Security Notices (USN)

    • USN-657-1: Amarok vulnerability (21 October 2008)

Other references