+++ This bug was initially created as a clone of Bug #1213340

The opensuse-welcome dialog is a small Qt program containing not even 500
lines of code. It uses some advanced Qt features like QML scripts, though,
which help in setting up the dialog's features.

One peculiarity is that only in an XFCE environment (`$XDG_CURRENT_DESKTOP`
set to xfce), a "customise" button is shown which allows to select between
different XFCE desktop layout presets.

Understanding the setup of this XFCE specific customise button is not all that
simple. There are QML tag attributes "data-de" which relate to specific
desktop environments. There is a XfceLayouter registered in QML and in
src/main.cpp.

In any case the C++ class found in panellayouter.h and panellayouter.cpp is
dealing with the actual logic that is executed once the user clicks on any of
the XFCE desktop layout presets, to configure it.

In `PanelLayouter::applyLayout()` the fixed path /tmp/layout is used to store
a complex configuration file which is fed to the XFCE via D-Bus. To complicate
things further, a Python script embedded into panellayouter.cpp is used to
take advantage of the XFCE4 Python module found in
/usr/share/xfce4-panel-profiles/xfce4-panel-profiles/panelconfig.py. This
module offers facilities to feed a desktop layout configuration tarball to
XFCE via D-Bus.

The use of the fixed path in /tmp/layout is problematic security wise in
multiple ways. The following code is used in `PanelLayouter::applyLayout()`:

```
    if (QFile::exists("/tmp/layout"))
        QFile::remove("/tmp/layout");

    QFile layout(path);
    layout.copy("/tmp/layout");

    QProcess::startDetached("/usr/bin/python3", {"-c", m_script});
```

This results in the following system call sequence, provided /tmp/layout does
not yet exist:

```
access("/tmp/layout", F_OK)             = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/tmp", O_RDWR|O_CLOEXEC|O_TMPFILE, 0600) = 55
linkat(AT_FDCWD, "/proc/self/fd/55", AT_FDCWD, "/tmp/layout", AT_SYMLINK_FOLLOW)
= 0
chmod("/tmp/layout", 0444)              = 0
```

This of course poses various attack vectors involving symlink attacks. If the
Linux kernel's symlink protection is off, other users can place symlinks here
to confuse the existence check or to overwrite arbitrary locations (the
`linkat()` call explicitly specifies `AT_SYMLINK_FOLLOW`). By default on
openSUSE we do have symlink protection, luckily.

What happens if /tmp/layout already exists as a regular file, though? The code
above does not perform any error checks and C++ exceptions are not used
either. This means a failing `Qfile::remove()` or a failing `QFile.copy()` are
not noticed and are not terminating the program logic. The result of this will
be, if /tmp/layout is already existing and readable, that attacker controlled
data is used in the embedded Python script.

When looking at the logic found in /usr/share/xfce4-panel-profiles/xfce4-panel-profiles/panelconfig.py
we can see that a tarball is expected as input containing complex
configuration files. Among other the script copies any `*.rc` files found in
the tarball into the user's home directory. The script does have quite some
evaluation logic, but it is sloppy enough to allow to construct a crafted
tarball that causes an arbitrary file in the user's home directory to be
overwritten by attacker controlled data.

The attached `hack_welcome.py` script is a PoC I wrote that demonstrates this.
The impact is arbitrary code execution in the context of the victim user that
runs XFCE and clicks customize in opensuse-welcome and chooses one of the
layouts. Currently the only limitation is that the name of the victim's user
account needs to be known. I suspect there are further attack vectors to make
this even simpler. Refer to the PoC inline documentation for more.