USN-1503-1: Rhythmbox vulnerability

11 July 2012

rhythmbox vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS
  • Ubuntu 11.10

Summary

Rhythmbox could be made to run programs as your login when using the Context plugin.

Software Description

  • rhythmbox - music player and organizer for GNOME

Details

Hans Spaans discovered that the Context plugin in Rhythmbox created a temporary directory in an insecure manner. A local attacker could exploit this to execute arbitrary code as the user invoking the program. The Context plugin is disabled by default in Ubuntu.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 12.04 LTS
rhythmbox-plugins - 2.96-0ubuntu4.1
Ubuntu 11.10
rhythmbox-plugins - 2.90.1~20110908-0ubuntu1.4

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Rhythmbox to make all the necessary changes.

References