Bug 1217597 (CVE-2023-49343)

Summary: VUL-0: CVE-2023-49343: budgie-extras: budgie-dropby: use of fixed paths in /tmp/<user>_call_dropby and /tmp/<user>_dropby_icon_copy
Product: [Novell Products] SUSE Security Incidents
Reporter: Matthias Gerstner <matthias.gerstner>
Component: Audits
Assignee: Security Team bot <security-team>
Status: IN_PROGRESS
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: matthias.gerstner, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1216279
Attachments: upstream patch (attachment 871135); upstream patch (attachment 871136)

Description Matthias Gerstner 2023-11-28 15:07:25 UTC
+++ This bug was initially created as a clone of Bug #1213341

Upstream informed us about this additional fixed /tmp path vulnerability in
the budgie-dropby component of budgie-extras. It is supposed to be fixed in
upstream release 1.7.1. I don't know of a publication date yet.

In `dropover` the following paths are used:

    /tmp/<user>_keepdropbywin
    
    This path seems only to be used for a regular file, so following symlinks
    would be a problem without symlink protection.

    /tmp/<user>_call_dropby

    This is used as a "trigger" file to cause the program to refresh
    information. So anybody in the system could trigger this.

    The file is normally created from `budgie_dropby.py` which would follow
    symlinks here without symlink protection.

In `copy_flash` the path "/tmp/<user>_dropby_icon_copy" is used as a trigger
file. It is only created here. Would follow symlinks without symlink
protection. It is monitored in `budgie_dropby.py` and upon its creation a
refresh is performed and possibly the GUI interface is popped up.
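The report above describes two defects of the same class: a trigger file at a fixed, predictable name in the shared /tmp directory, created with plain open() so that a symlink planted at that name is followed. The following is an added example, not code from budgie-extras: it shows the vulnerable pattern beside a hardened one (O_CREAT|O_EXCL|O_NOFOLLOW, a 0700 per-user directory instead of /tmp) and the lstat-based check the watching side should perform before acting on a trigger. The file name `demo_call_dropby` echoes the report's `<user>_call_dropby`; the function names and the temporary-directory setup are assumptions made for the demo.

```python
import errno
import os
import shutil
import stat
import tempfile

# Added example (not budgie-extras code). The file name mirrors the report's
# "<user>_call_dropby" trigger; everything else here is a constructed demo.


def vulnerable_touch(path: str) -> None:
    """The pattern the report describes: create a trigger file at a fixed path
    in a shared directory with default open() flags.  If someone else already
    planted a symlink at `path`, open() follows it and whatever it points to is
    created or truncated with the caller's privileges."""
    with open(path, "w"):
        pass


def safe_touch(path: str) -> bool:
    """Hardened variant: O_CREAT|O_EXCL fails if anything already exists at
    `path` (a symlink counts, because O_EXCL is evaluated on the link itself),
    and O_NOFOLLOW refuses to traverse a symlink at the final component.
    Returns True if a new file was created, False if something was already
    there.  Other errors (EACCES, ENOENT, ...) propagate to the caller."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:
        return False
    except OSError as exc:
        if exc.errno == errno.ELOOP:   # O_NOFOLLOW met a symlink
            return False
        raise
    os.close(fd)
    return True


def trigger_is_trusted(path: str) -> bool:
    """Check the watcher side (the report mentions budgie_dropby.py monitoring
    the trigger) should perform before acting: the path must be a regular
    file, not a symlink, owned by us, and not writable by group or others."""
    try:
        st = os.lstat(path)            # lstat: never follows symlinks
    except FileNotFoundError:
        return False
    return (stat.S_ISREG(st.st_mode)
            and st.st_uid == os.getuid()
            and not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)))


def demo() -> dict:
    """Exercise both variants against a symlink planted in a private temporary
    directory (constructed setup) and report what happened."""
    base = tempfile.mkdtemp(prefix="dropby-demo-")
    try:
        victim = os.path.join(base, "victim.txt")
        with open(victim, "w") as f:
            f.write("important data\n")
        link = os.path.join(base, "demo_call_dropby")
        os.symlink(victim, link)         # stands in for a pre-planted link

        vulnerable_touch(link)           # follows the link: victim.txt is emptied
        victim_truncated = os.path.getsize(victim) == 0

        safe_refused = safe_touch(link) is False   # symlink present: refused
        link_trusted = trigger_is_trusted(link)     # a symlink is never trusted

        # Correct home for such a file: a 0700 per-user directory (in practice
        # $XDG_RUNTIME_DIR); here a fresh subdirectory of the demo tree.
        private = os.path.join(base, "run")
        os.mkdir(private, 0o700)
        trigger = os.path.join(private, "demo_call_dropby")
        first = safe_touch(trigger)      # True: created fresh
        second = safe_touch(trigger)     # False: already exists, not clobbered
        file_trusted = trigger_is_trusted(trigger)
    finally:
        shutil.rmtree(base, ignore_errors=True)
    return {
        "victim_truncated_by_vulnerable": victim_truncated,
        "safe_refused_symlink": safe_refused,
        "symlink_trusted": link_trusted,
        "created_in_private_dir": first,
        "second_create_refused": not second,
        "private_file_trusted": file_trusted,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points the demo makes concrete: the refusal comes from the open flags alone, so it also protects the `copy_flash` case where the file is only ever created, and the lstat check on the watching side catches a link even if some other code path created the file with unsafe flags. Moving the trigger out of /tmp into a per-user 0700 directory removes the shared-directory precondition entirely.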
Comment 2 Matthias Gerstner 2023-12-04 11:57:57 UTC
Created attachment 871135 [details]
upstream patch
Comment 3 Matthias Gerstner 2023-12-04 11:58:01 UTC
Created attachment 871136 [details]
upstream patch
Comment 4 Matthias Gerstner 2023-12-04 12:04:32 UTC
Upstream plans to publish the release 1.7.1 on the date mentioned in comment
1. Their suggested patches are found in comments 2 and 3.

Please *don't* publish anything in the build service before we give green
light. You can privately prepare an update using the given patch but it will
likely be simpler to simply use the upstream release once it is public.
Comment 5 Matthias Gerstner 2023-12-14 09:36:49 UTC
This is now public via the 1.7.1 upstream release: https://github.com/UbuntuBudgie/budgie-extras/releases/tag/v1.7.1. Please package the new version and submit to all maintained OBS codestreams.
Comment 6 OBSbugzilla Bot 2023-12-14 15:35:08 UTC
This is an autogenerated message for OBS integration:
This bug (1217597) was mentioned in
https://build.opensuse.org/request/show/1133097 Factory / budgie-extras
Comment 7 Callum Farmer 2024-03-08 13:32:40 UTC
complete