| Summary: | [Update Request] audacity (CVE-2020-11867) | ||
|---|---|---|---|
| Product: | [ROSA-based products] ROSA Fresh | Reporter: | Zombie Ryushu <zombie.ryushu> |
| Component: | Packages from Main | Assignee: | ROSA Linux Bugs <bugs> |
| Status: | RESOLVED FIXED | QA Contact: | ROSA Linux Bugs <bugs> |
| Severity: | normal | ||
| Priority: | Normal | CC: | alzim, andrey.bondrov, denis.silakov, mc2374 |
| Version: | KDE4 | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://repology.org/project/audacity/cves?version=2.3.1 | ||
| Whiteboard: | |||
| Platform: | 2016.1 | ROSA Vulnerability identifier: | CVE-2020-11867 |
| RPM Package: | audacity-2.3.3-2.src.rpm | ISO-related: | |
| Bad POT generating: | Upstream: | ||
Description
Zombie Ryushu
2020-12-04 03:05:41 MSK
Current Release is 2.4.2

(In reply to Zombie Ryushu from comment #0)
> CVE-2017-1000010 2017-07-17T13:18Z 2020-08-03T18:43Z
> audacityteam
> audacity
> [2.1.2, 2.3.2]

We have 2.3.3, so this doesn't apply. Instead we are affected by CVE-2020-11867...

(In reply to Zombie Ryushu from comment #1)
> Current Release is 2.4.2

I know it... But we cannot update to 2.4.x, because it needs cmake >= 3.15, while we have only 3.7.2 and downgrading the requirement won't work. 2016.1 is becoming quickly unmaintainable. :-(

Audacity through 2.3.3 saves temporary files to /var/tmp/audacity-$USER by default. After Audacity creates the temporary directory, it sets its permissions to 755. Any user on the system can read and play the temporary audio .au files located there (CVE-2020-11867).

This was fixed in a new release ages ago...
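
A check for the condition described in the CVE-2020-11867 text above, as an added example that is not part of the bug report or of Audacity: it lists `audacity-*` temporary directories that grant group or other access and tightens the ones owned by the caller. The function names and the base-directory argument are assumptions; only the `/var/tmp/audacity-$USER` path and the 755 mode come from the report.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Audacity.
# Function names and the optional base-directory argument are hypothetical;
# the audacity-$USER name under /var/tmp and mode 755 are from the report.

# List audacity-* directories under $1 (default /var/tmp) that grant any
# group or other permission bit, such as the 755 mode in CVE-2020-11867.
audit_audacity_tmp() {
    base=${1:-/var/tmp}
    for dir in "$base"/audacity-*; do
        # Skip an unmatched glob, non-directories and symlinks.
        [ -d "$dir" ] && [ ! -L "$dir" ] || continue
        # Characters 5-10 of the ls mode string are the group and other bits.
        perms=$(ls -ld "$dir" | cut -c5-10)
        [ "$perms" = "------" ] || printf '%s\n' "$dir"
    done
}

# Remove group/other access from audacity-* directories owned by the caller.
# Directories owned by other users are left alone, so a privileged run never
# changes the mode of a path that another user controls.
harden_audacity_tmp() {
    base=${1:-/var/tmp}
    for dir in "$base"/audacity-*; do
        [ -d "$dir" ] && [ ! -L "$dir" ] && [ -O "$dir" ] || continue
        chmod go-rwx "$dir"
    done
}
```

Source the file and call `audit_audacity_tmp` with no argument to check `/var/tmp`; `harden_audacity_tmp` only changes directories owned by the user running it.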