File rhythmbox-CVE-2012-3355.patch of Package rhythmbox.openSUSE_11.4_Update
From 01a829f549a0fd90ad8c8befd0793fa5f133f8f8 Mon Sep 17 00:00:00 2001
From: Jonathan Matthew <jonathan@d14n.org>
Date: Tue, 24 Jul 2012 10:43:36 +0000
Subject: context: remove the module_context parameter (bug #678661)
Caching the template modules doesn't really buy us anything, and
there is the possibility that it could be used to load hostile code
into another user's process (since the module directory was under /tmp).
If it turns out we need the cache, we should put it somewhere
under the XDG cache dir.
---
Index: rhythmbox-0.13.3/plugins/context/context/AlbumTab.py
===================================================================
--- rhythmbox-0.13.3.orig/plugins/context/context/AlbumTab.py
+++ rhythmbox-0.13.3/plugins/context/context/AlbumTab.py
@@ -119,10 +119,8 @@ class AlbumView (gobject.GObject):
def load_tmpl (self):
self.path = self.plugin.find_file ('tmpl/album-tmpl.html')
self.loading_path = self.plugin.find_file ('tmpl/loading.html')
- self.album_template = Template (filename = self.path,
- module_directory = '/tmp/context')
- self.loading_template = Template (filename = self.loading_path,
- module_directory = '/tmp/context')
+ self.album_template = Template (filename = self.path)
+ self.loading_template = Template (filename = self.loading_path)
self.styles = self.basepath + '/tmpl/main.css'
def album_list_ready (self, ds):
Index: rhythmbox-0.13.3/plugins/context/context/ArtistTab.py
===================================================================
--- rhythmbox-0.13.3.orig/plugins/context/context/ArtistTab.py
+++ rhythmbox-0.13.3/plugins/context/context/ArtistTab.py
@@ -116,8 +116,8 @@ class ArtistView (gobject.GObject):
def load_tmpl (self):
self.path = self.plugin.find_file('tmpl/artist-tmpl.html')
self.loading_path = self.plugin.find_file ('tmpl/loading.html')
- self.template = Template (filename = self.path, module_directory = '/tmp/context/')
- self.loading_template = Template (filename = self.loading_path, module_directory = '/tmp/context')
+ self.template = Template (filename = self.path)
+ self.loading_template = Template (filename = self.loading_path)
self.styles = self.basepath + '/tmpl/main.css'
def connect_signals (self):
Index: rhythmbox-0.13.3/plugins/context/context/LinksTab.py
===================================================================
--- rhythmbox-0.13.3.orig/plugins/context/context/LinksTab.py
+++ rhythmbox-0.13.3/plugins/context/context/LinksTab.py
@@ -104,8 +104,7 @@ class LinksView (gobject.GObject):
self.path = self.plugin.find_file('tmpl/links-tmpl.html')
self.images = self.basepath + '/img/links/'
self.styles = self.basepath + '/tmpl/main.css'
- self.template = Template (filename = self.path,
- module_directory = '/tmp/context/')
+ self.template = Template (filename = self.path)
self.file = self.template.render (error = ds.get_error (),
artist = ds.get_artist(),
Index: rhythmbox-0.13.3/plugins/context/context/LyricsTab.py
===================================================================
--- rhythmbox-0.13.3.orig/plugins/context/context/LyricsTab.py
+++ rhythmbox-0.13.3/plugins/context/context/LyricsTab.py
@@ -105,10 +105,8 @@ class LyricsView (gobject.GObject):
def load_tmpl (self):
self.path = self.plugin.find_file('tmpl/lyrics-tmpl.html')
self.loading_path = self.plugin.find_file ('tmpl/loading.html')
- self.template = Template (filename = self.path,
- module_directory = '/tmp/context/')
- self.loading_template = Template (filename = self.loading_path,
- module_directory = '/tmp/context')
+ self.template = Template (filename = self.path)
+ self.loading_template = Template (filename = self.loading_path)
self.styles = self.basepath + '/tmpl/main.css'
def lyrics_ready (self, ds, entry, lyrics):
