Bugzilla – Bug 1213983
VUL-0: CVE-2023-43782: Cadence: Use of Fixed Temporary File Path in /tmp/.cadence-aloop-daemon.x
Last modified: 2023-10-04 08:03:10 UTC
+++ This bug was initially created as a clone of Bug #1213330

I just reported this to upstream via email:

This temporary file is used in `cadence.py` and `cadence_aloop_daemon.py`. It is used to control the starting and stopping of the aloop daemon.

- in cadence.py only the `stat()` and `unlink()` system calls are used on this path. Special symlink attacks should not be possible.
- in `cadence_aloop_daemon.py` `mknod()` is used to create this file. This system call is pretty safe against following symlinks as well.
- the content of the file is not evaluated by any of the scripts.

In `cadence_aloop_daemon.py` the use of the file is as follows:

```
checkFile = "/tmp/.cadence-aloop-daemon.x"
[...]
# Create check file
if not os.path.exists(checkFile):
    os.mknod(checkFile)
[...]
while doLoop and os.path.exists(checkFile):
    [...]
    sleep(1)
[...]
if os.path.exists(checkFile):
    os.remove(checkFile)
```

The problems in the fixed /tmp path usage are as follows:

- if the file already exists (created by another user in the system) then the file is used as is. This allows other users in the system to DoS the aloop daemon, by pre-creating this file and removing it at an arbitrary time again, to make the daemon stop. This can even be achieved by the `nobody` user, if compromised.
- (non-security) the `sleep(1)` in the main loop is inefficient (shutdown can take up to a second without the daemon reacting).
- (non-security) the fixed tmp file path makes it impossible to properly run two instances of aloop daemon in parallel.

To control the lifetime of a process like this either a systemd user session service should be used, or if done on foot, maybe a FIFO that is select()'ed on for reading with a timeout of one second would be a better solution.

To fix the security aspect of this the file (or FIFO) should be placed in a directory that is accessible to the invoking user only like e.g. in the directory found in the `$XDG_RUNTIME_DIR` environment variable.
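The pattern above, shown beside a hardened variant as an added example (this is not Cadence's code or the attached fix): the check file is placed under `$XDG_RUNTIME_DIR`, gets a per-instance name, and is created with `O_CREAT|O_EXCL` so a pre-existing file is rejected instead of silently reused. The `mkdtemp` fallback for systems without a session runtime directory is an assumption.

```python
import os
import stat
import tempfile

# Vulnerable pattern from the report: a file at a fixed /tmp path is
# accepted as-is if it already exists, so any local user can pre-create
# it and later delete it to stop the daemon. Kept for comparison only.
def vulnerable_check_file(path="/tmp/.cadence-aloop-daemon.x"):
    if not os.path.exists(path):
        os.mknod(path)
    return path

def runtime_dir():
    """Return a directory only the invoking user can access.
    $XDG_RUNTIME_DIR is used when it is ours and mode 0700; the mkdtemp
    fallback is an assumption for systems without a session manager."""
    d = os.environ.get("XDG_RUNTIME_DIR")
    if d and os.path.isdir(d):
        st = os.stat(d)
        if st.st_uid == os.getuid() and (st.st_mode & 0o077) == 0:
            return d
    return tempfile.mkdtemp(prefix="cadence-aloop-")

def create_check_file(base_dir=None):
    """Hardened pattern: per-instance name in a private directory, created
    with O_CREAT|O_EXCL so a pre-existing file raises FileExistsError
    instead of being silently reused. Returns the path."""
    base_dir = base_dir or runtime_dir()
    path = os.path.join(base_dir, "cadence-aloop-daemon.%d" % os.getpid())
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.close(fd)
    return path

def check_file_ok(path):
    """True only if path is a regular file (not a symlink) owned by us
    and not accessible to other users."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    return (stat.S_ISREG(st.st_mode) and st.st_uid == os.getuid()
            and (st.st_mode & 0o077) == 0)

def remove_check_file(path):
    """Remove the check file; a missing file is not an error."""
    try:
        os.unlink(path)
    except FileNotFoundError:
        pass
```

The second instance started from the same directory fails at `create_check_file` rather than sharing the first instance's file, which also addresses the parallel-instance problem from the report.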
Fixing this quickly could be done via the XDG_RUNTIME_DIR approach. But let's wait and see what upstream says and does about it.
It's certainly worth fixing. Cadence has typically only been used for doing pro level audio; generally to be useful it needs to have some sort of low latency audio interface connected. Generally these are single user systems, so an actual exploit would probably require the local user to run a compromised script, so it's probably a low risk, low impact situation (at worst you'd lose some audio recording). Given this has never been in SLE, let me know when the embargo lifts and I can provide the fix for Tumbleweed.
The upstream author quickly replied and expressed that his project is basically unmaintained and he doesn't intend to work anymore on it.

I will try to convince him to still address these two issues since they're really gross on the one hand and rather simple to fix on the other hand.

If Cadence is actually unmaintained upstream and replacement tools exist then we should drop Cadence from openSUSE. The author said this about replacement tools:

> Everything else that Cadence does is now better done elsewhere. We have Carla
> for the patchbay / connections stuff, NSM for the session management details,
> and other tools that replace the recorder, meters etc
>
> There is also "Studio Controls" from the UbuntuStudio team that does pretty
> much what Cadence was meant for, so I am not yet 100% certain that I need to
> even do a revision of a new Cadence-like tool.
(In reply to Matthias Gerstner from comment #4)
> The upstream author quickly replied and expressed that his project is
> basically unmaintained and he doesn't intend to work anymore on it.
>
> I will try to convince him to still address these two issues since they're
> really gross on the hand and rather simple to fix on the other hand.
>
> I Cadence is actually unmaintained upstream and replacement tools exist then
> we should drop Cadence from openSUSE. The author said this about replacement
> tools:
>
> > Everything else that Cadence does is now better done elsewhere. We have Carla
> > for the patchbay / connections stuff, NSM for the session management details,
> > and other tools that replace the recorder, meters etc
> >
> > There is also "Studio Controls" from the UbuntuStudio team that does pretty
> > much what Cadence was meant for, so I am not yet 100% certain that I need to
> > even do a revision of a new Cadence-like tool.

Currently Cadence is the only sensible way to configure jack on openSUSE. As more people move towards pipewire there are other better tools, but the feedback I have so far is there are certain things people still prefer jack for in certain use cases. I don't think I'd consider Cadence "Mission Critical" enough that it'd be worth dropping the package if the issue wasn't fixed. Although I'll probably draw the line at Cadence not going into ALP based products unless someone else wants to take it over.
Thanks for your judgement on this. I will try to get something released upstream, let's see if the upstream author complies.
CRD: 2023-11-02 preliminary
The upstream author is not replying any more to my inquiries. The basic plan I have now is that we fix the issue ourselves in our codestreams, provide public PRs to upstream as a sign of goodwill and also publish a detailed report about the security issue on oss-security. I will come up with suggested patches later this week.
Created attachment 868940 [details] fix for the issue
As stated already in bug 1213985 comment 5, there will be no disclosure process for this finding, since upstream refuses to continue this project in any form. Please submit updates / maintenance updates for Tumbleweed, Leap 15.4 and Leap 15.5 containing the fix I provided in attachment 868940 [details].
Are there any news here? When will you be able to submit maintenance updates?
This is an autogenerated message for OBS integration: This bug (1213983) was mentioned in https://build.opensuse.org/request/show/1109220 Backports:SLE-15-SP4 / Cadence
This is an autogenerated message for OBS integration: This bug (1213983) was mentioned in https://build.opensuse.org/request/show/1109233 Backports:SLE-15-SP5 / Cadence
Thanks for the updates! Publishing this bug as a reference; I will request a CVE from Mitre for this issue.
openSUSE-RU-2023:0258-1: An update that has three recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1213330,1213983,1213985
CVE References:
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP5 (src): Cadence-0.9.2-bp155.2.3.1
openSUSE-SU-2023:0270-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 1213330,1213983,1213985
CVE References:
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP4 (src): Cadence-0.9.1-bp154.2.3.1
All fixed and published. Closing bug report.