Bug#931021: musescore: phones home, including to Google Analytics, on first start


Thorsten Glaser
Package: musescore
Version: 2.3.2+dfsg2-6
Severity: serious
Tags: security
Justification: phones home

Bug report for myself and for release tracking.

Dear release team, please indicate whether this is buster release-critical;
I will try to fix it later tonight.


On first startup, MuseScore connects to:

connect2.musescore.com  CNAME   cds.z5r7u8v4.hwcdn.net
cds.z5r7u8v4.hwcdn.net  A       205.185.216.10
cds.z5r7u8v4.hwcdn.net  A       205.185.216.42

(Highwinds Network Operations Center)


The currently shipped HTML content makes it also connect to:

www.google-analytics.com        CNAME   www-google-analytics.l.google.com
www-google-analytics.l.google.com       A       172.217.16.174
www-google-analytics.l.google.com       AAAA    2A00:1450:4001:81B:0:0:0:200E

Also:

mc.yandex.ru            A       93.158.134.119
mc.yandex.ru            A       77.88.21.119
mc.yandex.ru            A       87.250.250.119
mc.yandex.ru            A       87.250.251.119
mc.yandex.ru            AAAA    2A02:6B8:0:0:0:0:1:119

And:

stats.g.doubleclick.net CNAME   stats.l.doubleclick.net
stats.l.doubleclick.net A       74.125.133.155
stats.l.doubleclick.net A       74.125.133.156
stats.l.doubleclick.net A       74.125.133.157
stats.l.doubleclick.net A       74.125.133.154
stats.l.doubleclick.net AAAA    2A00:1450:400C:C0B:0:0:0:9D


I’ll simply remove the offending “web start centre” functionality,
given that MuseScore 3.x will not ship it either anyway (for tech
reasons).


-- System Information:
Debian Release: 10.0
  APT prefers unreleased
  APT policy: (500, 'unreleased'), (500, 'buildd-unstable'), (500, 'unstable')
Architecture: x32 (x86_64)
Foreign Architectures: i386, amd64

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

Versions of packages musescore depends on:
ii  desktop-file-utils           0.23-4
ii  libasound2                   1.1.8-1+x32.1
ii  libc6                        2.28-10
ii  libfreetype6                 2.9.1-3
ii  libgcc1                      1:8.3.0-7
ii  libportaudio2                19.6.0-1
ii  libportmidi0                 1:217-6
ii  libpulse0                    12.2-4
ii  libqt5core5a                 5.11.3+dfsg1-2
ii  libqt5gui5                   5.11.3+dfsg1-2
ii  libqt5help5                  5.11.3-4
ii  libqt5network5               5.11.3+dfsg1-2
ii  libqt5printsupport5          5.11.3+dfsg1-2
ii  libqt5qml5                   5.11.3-4
ii  libqt5quick5                 5.11.3-4
ii  libqt5sql5-sqlite            5.11.3+dfsg1-2
ii  libqt5svg5                   5.11.3-2
ii  libqt5webkit5                5.212.0~alpha2-21
ii  libqt5widgets5               5.11.3+dfsg1-2
ii  libqt5xml5                   5.11.3+dfsg1-2
ii  libqt5xmlpatterns5           5.11.3-2
ii  libsndfile1                  1.0.28-6
ii  libstdc++6                   8.3.0-7
ii  libvorbisfile3               1.3.6-2
ii  musescore-common             2.3.2+dfsg3-2
ii  qml-module-qtquick-controls  5.11.3-2
ii  qml-module-qtquick-dialogs   5.11.3-2
ii  qml-module-qtquick-layouts   5.11.3-4
ii  qml-module-qtquick2          5.11.3-4
ii  shared-mime-info             1.10-1
ii  xdg-utils                    1.1.3-1
ii  zlib1g                       1:1.2.11.dfsg-1

Versions of packages musescore recommends:
ii  libmp3lame0       3.100-2+b1
pn  pulseaudio-utils  <none>

musescore suggests no packages.

-- no debconf information
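
One way to check a first-start run for the lookups listed in the report above, as an added example that is not part of the original messages: it scans resolver query logs for the reported hostnames, matching on label boundaries. The dnsmasq `log-queries` line format and the sample log lines are assumptions constructed for illustration.

```python
import re

# Hostnames named in the bug report (queried names and their CNAME targets).
REPORTED_HOSTS = (
    "connect2.musescore.com",
    "cds.z5r7u8v4.hwcdn.net",
    "www.google-analytics.com",
    "www-google-analytics.l.google.com",
    "mc.yandex.ru",
    "stats.g.doubleclick.net",
    "stats.l.doubleclick.net",
)

# Assumed log format: dnsmasq with log-queries enabled.
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")

def matches_reported(name):
    """Return the reported host that `name` equals or is a subdomain of, else None."""
    name = name.rstrip(".").lower()
    for host in REPORTED_HOSTS:
        # Compare on a label boundary so look-alike names do not match.
        if name == host or name.endswith("." + host):
            return host
    return None

def phone_home_queries(lines):
    """Map each reported host seen in the log to its (qtype, client) queries, first-seen order."""
    hits = {}
    for line in lines:
        m = QUERY_RE.search(line)
        if m is None:
            continue  # reply/forward lines and unrelated log entries
        host = matches_reported(m["name"])
        if host is not None:
            hits.setdefault(host, []).append((m["qtype"], m["client"]))
    return hits

# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = """\
Jun 24 21:03:10 dnsmasq[812]: query[A] deb.debian.org from 127.0.0.1
Jun 24 21:03:11 dnsmasq[812]: query[A] connect2.musescore.com from 127.0.0.1
Jun 24 21:03:11 dnsmasq[812]: reply connect2.musescore.com is <CNAME>
Jun 24 21:03:12 dnsmasq[812]: query[A] www.google-analytics.com from 127.0.0.1
Jun 24 21:03:12 dnsmasq[812]: query[AAAA] www.google-analytics.com from 127.0.0.1
Jun 24 21:03:12 dnsmasq[812]: query[A] mc.yandex.ru from 127.0.0.1
Jun 24 21:03:13 dnsmasq[812]: query[A] stats.g.doubleclick.net from 127.0.0.1
Jun 24 21:03:14 dnsmasq[812]: query[A] notconnect2.musescore.com from 127.0.0.1
""".splitlines()

if __name__ == "__main__":
    for host, queries in phone_home_queries(SAMPLE_LOG).items():
        print(host, queries)
```

An empty result from `phone_home_queries` on a log taken during a first start of the fixed package means none of the reported names were looked up.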

Thorsten Glaser
notfound 931021 musescore-snapshot/3.1+dfsg1-1
thanks

> Bug report for myself and for release tracking.

MuseScore 3, which is currently sitting in experimental, intending to
hit sid after the release, is NOT affected; disabling the web centre
thingy seems to suffice.

bye,
//mirabilos
--
«MyISAM tables -will- get corrupted eventually. This is a fact of life. »
“mysql is about as much database as ms access” – “MSSQL at least descends
from a database” “it's a rebranded SyBase” “MySQL however was born from a
flatfile and went downhill from there” – “at least jetDB doesn’t claim to
be a database” ‣‣‣ Please, http://deb.li/mysql and MariaDB, finally die!