Bug 136704

Summary: VUL-0: potential vulnerability in ampache due to bug in PHP Snoopy module
Product: [openSUSE] SUSE LINUX 10.0 Reporter: Peter Poeml <poeml>
Component: SecurityAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None    
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Other   
Whiteboard: CVE-2005-3330: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: diff between Snoopy 1.2 and 1.2.1
patch for ampache-3.3.1.2

Description Peter Poeml 2005-12-02 16:16:15 UTC 
from the ampache changelog:

Changes: Alpha3 is being released ahead of schedule due to a
vulnerability in Snoopy that allows an authenticated user to remotely
execute code on the  server. This release also includes some minor bug
fixes with streaming, lock songs, downsampling, and the MPD controls.
The RAM playlist type has  been added, along with the Administrators'
ability to view their users' personal stats.


The exact problem is described here:
http://seclists.org/lists/fulldisclosure/2005/Oct/0536.html

ampache uses Snoopy to retrieve album art from amazon.com. 
I'm not sure whether Snoopy might use trusted URLs under any
circumstances.

Since the fix is small and trivial, I suggest to fix the ampache
packages and release updates. No QA is required from my point of view.
What do you think about that?

I'll add the patch in a bit.
Comment 1 Peter Poeml 2005-12-02 16:19:51 UTC 
Created attachment 59711 [details]
diff between Snoopy 1.2 and 1.2.1
Comment 2 Peter Poeml 2005-12-02 16:23:47 UTC 
Created attachment 59712 [details]
patch for ampache-3.3.1.2
Comment 3 Marcus Meissner 2005-12-08 08:05:41 UTC 
CVE-2005-3330

"The _httpsrequest function in Snoopy 1.2, as used in products such as
(1) MagpieRSS, (2) WordPress, and (3) Ampache, allows remote attackers
to execute arbitrary commands via shell metacharacters in an HTTPS URL
to an SSL protected web page, which is not properly handled by the
fetch function."

I would say go ahead with fixing the package.
Comment 4 Peter Poeml 2005-12-09 14:48:53 UTC 
the bug affects only 10.0
Comment 5 Peter Poeml 2005-12-09 15:03:07 UTC 
fixed package submitted for 10.0
I'll fix STABLE now as well since it is a public bug.

Reassigning to you guys for further tracking.
Comment 6 Marcus Meissner 2005-12-13 10:30:37 UTC 
swampid: 3204
Comment 7 Marcus Meissner 2005-12-19 17:02:46 UTC 
update approved.
Comment 8 Thomas Biege 2009-10-13 20:41:48 UTC 
CVE-2005-3330: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)