[Secure-testing-team] mediamate proposed updates for etch and lenny

Jamin W. Collins jcollins at asgardsrealm.net
Mon Nov 3 17:24:57 UTC 2008


It was brought to my attention that the Snoopy library shipped in the 
Media Mate packages for etch and lenny has a potential security 
vulnerability[0].

CVE-2008-4796[1]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
| and earlier allows remote attackers to execute arbitrary commands via
| shell metacharacters in https URLs.  NOTE: some of these details are
| obtained from third party information.

While the exploit appears to only pertain to HTTPS requests, which 
mediamate should not be using, it's better to be safe than sorry.  I've 
prepared an updated package for unstable that has already been uploaded 
to the repository.  I've also made an attempt to prepare updated 
packages for both etch and lenny.  These are the first such packages 
I've made, but I believe I've done so correctly.  The packages are the 
same as the versions currently in etch and lenny with the exception of 
the Snoopy update and changelog entry.  As my key has moved to emeritus 
status I've signed the packages and placed them on my personal website:

http://www.asgardsrealm.net/tmp/debs/mediamate/

Please let me know if there is anything else I should do, or if the 
packages need any further changes.

-- 
Jamin W. Collins

[0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504172
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4796
     http://security-tracker.debian.net/tracker/CVE-2008-4796
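
The class of bug the CVE text above describes, as an added example that is not part of the original message and is not Snoopy's code: a URL concatenated into a shell command line, next to the quoted form and a pre-check. The function names, the `echo` stand-in for the external HTTPS client and the sample URL are assumptions constructed for illustration.

```php
<?php
// Added illustration, not Snoopy's source. `echo` stands in for the external
// HTTPS client so the script runs offline on a POSIX system (assumption).

// Constructed sample: a URL carrying a shell metacharacter and a harmless marker.
const SAMPLE_URL = 'https://example.test/; echo INJECTED';

// Flawed pattern: the URL is pasted into a string that /bin/sh parses,
// so anything after a metacharacter is read as shell syntax.
function run_flawed(string $url): array
{
    exec('echo ARG:' . $url, $out);
    return $out;
}

// Quoted pattern: escapeshellarg() wraps the URL in single quotes, so the
// shell sees one word and the metacharacters stay literal text.
function run_quoted(string $url): array
{
    exec('echo ARG:' . escapeshellarg($url), $out);
    return $out;
}

// Defence in depth before any command is built: http(s) scheme, a host,
// and no blanks or control characters anywhere in the string.
function is_plain_web_url(string $url): bool
{
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        return false;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    $host = (string) parse_url($url, PHP_URL_HOST);
    return in_array($scheme, ['http', 'https'], true) && $host !== '';
}

// Run both patterns on the constructed sample and show what the shell produced.
$results = ['flawed' => run_flawed(SAMPLE_URL), 'quoted' => run_quoted(SAMPLE_URL)];
foreach ($results as $name => $lines) {
    printf("%-7s %d line(s): %s\n", $name, count($lines), implode(' | ', $lines));
}
printf("pre-check accepts sample: %s\n", var_export(is_plain_web_url(SAMPLE_URL), true));
```

The pre-check alone is not the fix, since characters such as `;` and `&` are legal inside URLs; the quoting (or not using a shell at all) is what keeps the URL from being parsed as shell syntax.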


