Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2023-43782: Cadence: Use of Fixed Temporary File Path in /tmp/.cadence-aloop-daemon.x | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Matthias Gerstner <matthias.gerstner> |
| Component: | Incidents | Assignee: | Simon Lees <simonf.lees> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P3 - Medium | CC: | abergmann, security-team |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| URL: | [none] | | |
| Whiteboard: | | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 1213330 | | |
| Attachments: | fix for the issue | | |

Description
Matthias Gerstner
2023-08-04 12:09:29 UTC
Fixing this quickly could be done via the XDG_RUNTIME_DIR approach. But let's wait what upstream says and does about it.

It's certainly worth fixing. Cadence has typically only been used for doing pro-level audio; generally, to be useful, it needs to have some sort of low-latency audio interface connected. Generally these are single-user systems, so an actual exploit would probably require the local user to run a compromised script, so it's probably a low-risk, low-impact situation (at worst you'd lose some audio recording). Given this has never been in SLE, let me know when the embargo lifts and I can provide the fix for Tumbleweed.

The upstream author quickly replied and expressed that his project is basically unmaintained and he doesn't intend to work anymore on it.

I will try to convince him to still address these two issues since they're really gross on the one hand and rather simple to fix on the other hand.

If Cadence is actually unmaintained upstream and replacement tools exist then we should drop Cadence from openSUSE. The author said this about replacement tools:

> Everything else that Cadence does is now better done elsewhere. We have Carla
> for the patchbay / connections stuff, NSM for the session management details,
> and other tools that replace the recorder, meters etc
>
> There is also "Studio Controls" from the UbuntuStudio team that does pretty
> much what Cadence was meant for, so I am not yet 100% certain that I need to
> even do a revision of a new Cadence-like tool.

(In reply to Matthias Gerstner from comment #4)
> The upstream author quickly replied and expressed that his project is
> basically unmaintained and he doesn't intend to work anymore on it.
>
> I will try to convince him to still address these two issues since they're
> really gross on the one hand and rather simple to fix on the other hand.
>
> If Cadence is actually unmaintained upstream and replacement tools exist then
> we should drop Cadence from openSUSE. The author said this about replacement
> tools:
>
> > Everything else that Cadence does is now better done elsewhere. We have Carla
> > for the patchbay / connections stuff, NSM for the session management details,
> > and other tools that replace the recorder, meters etc
> >
> > There is also "Studio Controls" from the UbuntuStudio team that does pretty
> > much what Cadence was meant for, so I am not yet 100% certain that I need to
> > even do a revision of a new Cadence-like tool.

Currently Cadence is the only sensible way to configure JACK on openSUSE. As more people move towards PipeWire there are other, better tools, but the feedback I have so far is that there are certain things people still prefer JACK for in certain use cases. I don't think I'd consider Cadence "mission critical" enough that it'd be worth dropping the package if the issue wasn't fixed, although I'll probably draw the line at Cadence not going into ALP-based products unless someone else wants to take it over.

Thanks for your judgement on this. I will try to get something released upstream; let's see if the upstream author complies.

CRD: 2023-11-02 preliminary

The upstream author is not replying any more to my inquiries. The basic plan I have now is that we fix the issue ourselves in our codestreams, provide public PRs to upstream as a sign of goodwill and also publish a detailed report about the security issue on oss-security. I will come up with suggested patches later this week.

Created attachment 868940 [details]
fix for the issue

As stated already in bug 1213985 comment 5, there will be no disclosure process for this finding, since upstream refuses to continue this project in any form. Please submit updates / maintenance updates for Tumbleweed, Leap 15.4 and Leap 15.5 containing the fix I provided in attachment 868940 [details].

Is there any news here? When will you be able to submit maintenance updates?

This is an autogenerated message for OBS integration: This bug (1213983) was mentioned in https://build.opensuse.org/request/show/1109220 Backports:SLE-15-SP4 / Cadence

This is an autogenerated message for OBS integration: This bug (1213983) was mentioned in https://build.opensuse.org/request/show/1109233 Backports:SLE-15-SP5 / Cadence

Thanks for the updates! Publishing this bug as a reference; I will request a CVE from Mitre for this issue.

openSUSE-RU-2023:0258-1: An update that has three recommended fixes can now be installed.
Category: recommended (moderate)
Bug References: 1213330,1213983,1213985
CVE References:
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP5 (src): Cadence-0.9.2-bp155.2.3.1

openSUSE-SU-2023:0270-1: An update that contains security fixes can now be installed.
Category: security (moderate)
Bug References: 1213330,1213983,1213985
CVE References:
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP4 (src): Cadence-0.9.1-bp154.2.3.1

All fixed and published. Closing bug report.
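The description mentions the XDG_RUNTIME_DIR approach as the quick fix for a marker file living at a fixed path under the shared /tmp. The following is an added illustration of that mitigation pattern, not Cadence's code and not the patch in attachment 868940: it moves the file into a per-user runtime directory (XDG_RUNTIME_DIR, with a constructed per-uid fallback name), verifies the directory is owned by the caller and not accessible to other users, and creates the file with exclusive, non-following open flags so that a pre-existing entry or a symlink at that path is rejected instead of reused. The file name is the one from the bug title; the fallback directory name, the function names and the `demo()` walkthrough are assumptions made for this example.

```python
import os
import stat
import tempfile
from typing import Optional

MARKER_NAME = ".cadence-aloop-daemon.x"          # file name from the bug title
FIXED_PATH = os.path.join("/tmp", MARKER_NAME)   # the weak, fixed, world-shared location


def dir_is_private(path: str) -> bool:
    """True only if path is a real directory (not a symlink), owned by the
    calling user, with no group/other permission bits (i.e. mode 0700)."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != os.getuid():
        return False
    # Any group/other bits mean another account could place entries in here.
    return (st.st_mode & 0o077) == 0


def runtime_dir() -> str:
    """Per-user runtime directory: XDG_RUNTIME_DIR when it is usable, otherwise a
    private per-uid directory under the system temp dir (constructed name)."""
    xdg = os.environ.get("XDG_RUNTIME_DIR")
    if xdg and dir_is_private(xdg):
        return xdg
    fallback = os.path.join(tempfile.gettempdir(), f"cadence-runtime-{os.getuid()}")
    try:
        os.mkdir(fallback, 0o700)
    except FileExistsError:
        pass  # already there; ownership and mode are verified below
    if not dir_is_private(fallback):
        raise RuntimeError(f"refusing to use untrusted directory {fallback}")
    return fallback


def marker_path(base: Optional[str] = None) -> str:
    """Full path of the marker inside the per-user directory."""
    return os.path.join(base if base is not None else runtime_dir(), MARKER_NAME)


def create_marker(path: str) -> int:
    """Create the marker exclusively. O_EXCL turns a pre-existing entry into an
    error, O_NOFOLLOW refuses to open through a symlink, and mode 0600 keeps
    the file private. Returns an open file descriptor; raises OSError otherwise."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    return os.open(path, flags, 0o600)


def demo() -> dict:
    """Exercise the checks on a constructed private directory and report results."""
    base = tempfile.mkdtemp(prefix="cadence-demo-")  # mkdtemp yields a 0700 dir we own
    results = {"dir_private": dir_is_private(base)}
    path = marker_path(base)

    fd = create_marker(path)
    os.close(fd)
    results["first_create"] = os.path.isfile(path)

    # A second instance must not silently reuse the existing marker.
    try:
        create_marker(path)
        results["second_create_refused"] = False
    except FileExistsError:
        results["second_create_refused"] = True
    os.unlink(path)

    # A stale symlink at the marker path (constructed) must not be followed:
    # the exclusive create fails and the link target is left untouched.
    target = os.path.join(base, "unrelated-file")
    with open(target, "w") as f:
        f.write("keep me")
    os.symlink(target, path)
    try:
        create_marker(path)
        results["symlink_refused"] = False
    except OSError:
        results["symlink_refused"] = True
    with open(target) as f:
        results["target_intact"] = f.read() == "keep me"

    # A sticky, world-writable directory like /tmp fails the private-dir check.
    shared = os.path.join(base, "shared")
    os.mkdir(shared)
    os.chmod(shared, 0o1777)
    results["shared_dir_rejected"] = not dir_is_private(shared)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two halves work together: the directory check keeps the file out of any location other local accounts can write to, and the `O_EXCL | O_NOFOLLOW` open is the backstop if the directory is ever misconfigured, so the worst outcome is a refused start rather than a file being written through someone else's link.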