Hans Spaans discovered that the Context plugin in Rhythmbox created a temporary directory in an insecure manner. A local attacker could exploit this to execute arbitrary code as the user invoking the program. Updated packages are available from security.ubuntu.com.
========================================================================== Ubuntu Security Notice USN-1503-1 July 11, 2012 rhythmbox vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 12.04 LTS - Ubuntu 11.10 Summary: Rhythmbox could be made to run programs as your login when using the Context plugin. Software Description: - rhythmbox: music player and organizer for GNOME Details: Hans Spaans discovered that the Context plugin in Rhythmbox created a temporary directory in an insecure manner. A local attacker could exploit this to execute arbitrary code as the user invoking the program. The Context plugin is disabled by default in Ubuntu. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 12.04 LTS: rhythmbox-plugins 2.96-0ubuntu4.1 Ubuntu 11.10: rhythmbox-plugins 2.90.1~20110908-0ubuntu1.4 After a standard system update you need to restart Rhythmbox to make all the necessary changes. References: http://www.ubuntu.com/usn/usn-1503-1 CVE-2012-3355 Package Information: https://launchpad.net/ubuntu/+source/rhythmbox/2.96-0ubuntu4.1 https://launchpad.net/ubuntu/+source/rhythmbox/2.90.1~20110908-0ubuntu1.4