Code Injection in Rhythmbox - CVE-2012-3355

 


Published: July 18, 2012 / Updated: August 11, 2020


Vulnerability identifier: #VU43849
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2012-3355
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Gnome Development Team
Affected software:
Rhythmbox

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to manipulate or delete data.

(1) AlbumTab.py, (2) ArtistTab.py, (3) LinksTab.py, and (4) LyricsTab.py in the Context module in GNOME Rhythmbox 0.13.3 and earlier allow local users to execute arbitrary code via a symlink attack on a temporary HTML template file in the /tmp/context directory.
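
The weakness class described above is a fixed file name under a shared temporary directory. The following Python sketch is an added example, not Rhythmbox code: it contrasts that pattern with a private directory plus exclusive, no-follow file creation. All function names and the file name AlbumTab.html are hypothetical, and a throwaway sandbox directory stands in for /tmp.

```python
import os
import tempfile

def write_template_predictable(shared_tmp, name, html):
    """Weak pattern: fixed directory name in a shared temp dir, plain open()."""
    ctx_dir = os.path.join(shared_tmp, "context")
    os.makedirs(ctx_dir, exist_ok=True)   # silently reuses a directory anyone created
    path = os.path.join(ctx_dir, name)
    with open(path, "w") as fh:           # follows a symlink already present at path
        fh.write(html)
    return path

def write_exclusive(path, html):
    """Create path only if nothing exists there; never follow a final symlink."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(html)
    return path

def write_template_private(name, html, parent=None):
    """Hardened pattern: per-process 0700 directory with a random name."""
    ctx_dir = tempfile.mkdtemp(prefix="context-", dir=parent)
    return write_exclusive(os.path.join(ctx_dir, name), html)

def demo():  # runs both patterns against a constructed, pre-existing symlink
    with tempfile.TemporaryDirectory() as sandbox:   # stands in for shared /tmp
        target = os.path.join(sandbox, "users-file.txt")
        with open(target, "w") as fh:
            fh.write("original")
        os.makedirs(os.path.join(sandbox, "context"))
        link = os.path.join(sandbox, "context", "AlbumTab.html")  # constructed name
        os.symlink(target, link)
        try:
            write_exclusive(link, "<html></html>")
            refused = False
        except OSError:                   # EEXIST/ELOOP: nothing written via the link
            refused = True
        with open(target) as fh:
            intact_after_exclusive = fh.read() == "original"
        write_template_predictable(sandbox, "AlbumTab.html", "<html></html>")
        with open(target) as fh:
            clobbered_by_predictable = fh.read() != "original"
        private = write_template_private("AlbumTab.html", "<html></html>", parent=sandbox)
        dir_mode = os.stat(os.path.dirname(private)).st_mode & 0o777
        return refused, intact_after_exclusive, clobbered_by_predictable, dir_mode

if __name__ == "__main__":
    print(demo())
```
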


How to mitigate CVE-2012-3355

Install update from vendor's website.
