
Bug#1135779: beets: CVE-2026-42052

From "Pieter Lenaerts" <plenae@disroot.org>
Newsgroups linux.debian.bugs.dist
Subject Bug#1135779: beets: CVE-2026-42052
Date 2026-05-06 07:10 +0200
Message-ID <MRCGd-2WFa-7@gated-at.bofh.it> (permalink)
References <MRuyZ-2R16-13@gated-at.bofh.it> <MRuyZ-2R16-13@gated-at.bofh.it>
Organization linux.* mail to news gateway


Thanks.

I'm assuming, based on nothing but my own judgement, that users don't often
expose their beets library externally using this web UI. Even if they do, this
vulnerability is not very practical for attackers to exploit as they should
poison a library with malicious code in music metadata fields. Or something.

Therefore, I think this is a low-risk vulnerability.

Upstream reports this is fixed in their commit
https://github.com/beetbox/beets/commit/75f0d8f4899e61afb939adf02dcfb078aed23a6a

I will update the package to 2.10 in unstable with DD sponsorship from the
python team.

I will try to prepare stable updates for bullseye to trixie in branches in
salsa. I will try to backport this commit and provide a test confirming proper
escaping of field input.

I'm not a DD, so I do not have upload access. I propose I work on the above and
report on my progress here. I think I will need a couple of days, maybe until
the end of the weekend to propose fixes.

Please jump in if any of the above does not sound okay.

Thanks,

Pieter
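Below is an added example of the kind of "test confirming proper escaping of field input" mentioned above. It is not code from beets, from the upstream fix commit, or from this thread. It assumes (the post itself only says "escaping of field input" and "malicious code in music metadata fields") that the issue is metadata field values being interpolated into the web UI's HTML without escaping; the track records, field names and renderer functions are constructed for illustration and do not reflect beets' real templates.

```python
import html
import re

# Constructed sample data: one benign track and one whose metadata fields
# carry HTML markup and an attribute-breakout quote. These are test inputs,
# not values taken from any real library.
SAMPLE_TRACKS = [
    {"title": "Plain Song", "artist": "Some Artist", "album": "An Album"},
    {
        "title": "Song <script>alert(1)</script>",
        "artist": 'Artist" onmouseover="x',
        "album": "<b>Album</b>",
    },
]

# Hypothetical field set rendered by the web UI row template.
FIELDS = ("title", "artist", "album")


def render_row_unescaped(track):
    """Pre-fix pattern (assumed): field values are dropped into HTML verbatim."""
    cells = "".join(f"<td>{track.get(f, '')}</td>" for f in FIELDS)
    return f"<tr data-title=\"{track.get('title', '')}\">{cells}</tr>"


def escape_field(value):
    """Escape a metadata value for use in HTML text *and* attribute contexts.

    quote=True also escapes " and ', so the value is safe inside a quoted
    attribute as well as between tags.
    """
    return html.escape(str(value), quote=True)


def render_row_escaped(track):
    """Hardened renderer: every field passes through escape_field first."""
    cells = "".join(f"<td>{escape_field(track.get(f, ''))}</td>" for f in FIELDS)
    return f"<tr data-title=\"{escape_field(track.get('title', ''))}\">{cells}</tr>"


_TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][\w-]*)")


def contains_injected_markup(rendered, allowed_tags=("tr", "td")):
    """True if the rendered HTML contains any tag the template itself did not emit."""
    for match in _TAG_RE.finditer(rendered):
        if match.group(1).lower() not in allowed_tags:
            return True
    return False


def check_escaping(tracks, renderer):
    """Render each track and return the outputs in which foreign markup survived.

    An empty list means the renderer escaped every field correctly.
    """
    failures = []
    for track in tracks:
        out = renderer(track)
        if contains_injected_markup(out):
            failures.append(out)
    return failures


def round_trips(value):
    """Escaping must be lossless: unescaping the output gives the original value back."""
    return html.unescape(escape_field(value)) == value


if __name__ == "__main__":
    print("unescaped renderer failures:", len(check_escaping(SAMPLE_TRACKS, render_row_unescaped)))
    print("escaped renderer failures:  ", len(check_escaping(SAMPLE_TRACKS, render_row_escaped)))
```

The check is deliberately structural rather than string-matching for one payload: it flags any tag name the template did not emit, so a backport can be judged by whether `check_escaping(..., render_row_escaped)` comes back empty for every track in the test fixture, and `round_trips` guards against an escaping routine that mangles legitimate titles containing `&` or quotes.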



Thread

Bug#1135779: beets: CVE-2026-42052 Salvatore Bonaccorso <carnil@debian.org> - 2026-05-05 22:30 +0200
  Bug#1135779: beets: CVE-2026-42052 "Pieter Lenaerts" <plenae@disroot.org> - 2026-05-06 07:10 +0200
    Bug#1135779: beets: CVE-2026-42052 Salvatore Bonaccorso <carnil@debian.org> - 2026-05-06 07:50 +0200
  Bug#1135779: tagging found in versions "Pieter Lenaerts" <plenae@disroot.org> - 2026-05-06 10:30 +0200
    Bug#1135779: tagging found in versions "Pieter Lenaerts" <plenae@disroot.org> - 2026-05-06 10:40 +0200
