Comment 13 for bug 663925

C de-Avillez (hggdh2) wrote :

Artur helped me on -motu, and pointed out some more issues on the patches. I am uploading new versions for both Lucid and Maverick.

For the record, and as a consolidation of the data on this bug:

This bug has never been reported to Mitre; as such, there is no CVE associated with it. The security exposure here is arbitrary data loss, caused by mishandling a directory removal. This was announced on the developer's site, with the text:

"ATTENTION: Feature, that allows you to physically remove directories from your disk while being in browser is BROKEN IN ALL VERSIONS < 0.5.4 and may, under some random circumstances, cause UNWANTED DELETION OF OTHER FILES. It needs to be manually enabled in configuration file though, so if you don't use it, you're fine. Otherwise you should upgrade to 0.5.4 or higher version immediately."

A quick look at the upstream Git (http://repo.or.cz/w/ncmpcpp.git) does not clearly show a patch for this issue.

I am uploading two debdiffs:

Lucid-security: ncmpcpp_0.4.1-1ubuntu0.1.debdiff
Maverick-security: ncmpcpp_0.5.2-1ubuntu0.1.debdiff

The patch itself is minimally intrusive, and just disables the option after startup (and after the configuration file -- if any -- has been read and processed). This is the single point where the configuration file is read and acted on; after that, we print an error message to error.log (stderr redirected), and proceed as usual.

I have tested the patches.