Bugzilla – Bug 1216282
VUL-0: CVE-2023-49346: budgie-extras: budgie-weathershow: use of fixed path in /tmp/<username>_weatherdata
Last modified: 2024-03-08 13:32:40 UTC
I have just sent this report to upstream:

4.1) /tmp/<username>_weatherdata
--------------------------------

In "src/weathershow/WeatherShow.vala" line 354 the current "weather data" is written to this location. Before this an attempt is made to delete an already existing file. Errors for both deletion and creation of the file are ignored unconditionally.

In "src/weathershow/WeatherShow.vala" line 236 the content from this file is read and interpreted for updating GUI window data.

A local attacker can pre-create this file and thus manipulate the data displayed by the weather applet. Also a denial-of-service will be possible, e.g. by placing a FIFO there.
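The mitigation the report points at, written out as an added example (Python, not the applet's own Vala code and not part of the upstream patch): keep the state file in a directory only the current user can write to, refuse to follow a planted symlink, never block on a pre-created FIFO, and verify the object actually opened is a plain, user-owned file. The decoy files and the weather text are constructed for the demonstration.

```python
import os
import stat
import tempfile

class UnsafeStateFile(OSError):
    """Raised when the state path holds something other than our own plain file."""

def open_state_file(base_dir, name):
    path = os.path.join(base_dir, name)
    # O_NOFOLLOW: fail instead of following a planted symlink.
    # O_NONBLOCK: opening a pre-created FIFO must not hang the applet.
    flags = os.O_RDWR | os.O_CREAT | os.O_NOFOLLOW | os.O_NONBLOCK | os.O_CLOEXEC
    fd = os.open(path, flags, 0o600)
    try:
        st = os.fstat(fd)  # inspect the object actually opened, not the path
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeStateFile(f"{path}: not a regular file")
        if st.st_uid != os.getuid():
            raise UnsafeStateFile(f"{path}: owned by another user")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise UnsafeStateFile(f"{path}: writable by other users")
    except OSError:
        os.close(fd)
        raise
    return fd

def save_and_load(base_dir, name, text):
    """Write the weather text and read it back through the same checks."""
    fd = open_state_file(base_dir, name)
    with os.fdopen(fd, "r+") as f:
        f.truncate(0)
        f.write(text)
        f.seek(0)
        return f.read()

def demo():
    """Constructed scenario: a private (0700) dir holding two decoys where the
    state file might be, a FIFO and a symlink, plus one legitimate round trip."""
    d = tempfile.mkdtemp(prefix="weathershow-demo-")  # mkdtemp creates 0700
    results = {}
    os.mkfifo(os.path.join(d, "fifo_decoy"))
    os.symlink("/etc/hostname", os.path.join(d, "link_decoy"))
    for decoy in ("fifo_decoy", "link_decoy"):
        try:
            os.close(open_state_file(d, decoy))
            results[decoy] = "accepted"
        except OSError:  # UnsafeStateFile for the FIFO, ELOOP for the symlink
            results[decoy] = "rejected"
    results["regular"] = save_and_load(d, "weatherdata", "12 C, cloudy")
    return results
```

In a real applet the base directory would be $XDG_RUNTIME_DIR or another per-user 0700 directory rather than the shared /tmp, which is what removes the pre-creation window in the first place.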
Please treat this information privately until we hear back from upstream. This means also not submitting anything about this in OBS for the time being.
This is an embargoed bug. This means that this information is not public. Please do NOT:
- talk to other people about this unless they're involved in fixing the issue
- make this bug public
- submit this into OBS (e.g. fix Leap/Tumbleweed)
until this bug becomes public. This means that the security team removed the EMBARGOED tag from the bug title after we verified that there's already information about this bug publicly available. If you find such information yourself and the bug is still embargoed, please contact us.

Your primary responsibility is to apply a fix for this issue. Here is some guidance on openSUSE package maintenance:
- https://en.opensuse.org/openSUSE:Package_maintenance
- https://en.opensuse.org/openSUSE:Maintenance_update_process

You need to submit AFTER the bug became public, to the current openSUSE Leap codestreams, and to the devel project of your package.

The security team will then take the following steps:
- We wait for your submission and package them into an incident for QA testing. The QA tester might reach out to you if they find issues with the update.
- If QA doesn't find any issues, we publish the updates.

You can contact us at:
* IRC: irc.suse.de #security
* Do NOT use Slack or any non-SUSE hosted messaging services
* Email: security-team@suse.de
Upstream agrees to follow coordinated disclosure and they aim to release an update by the end of the year. I will update once there is a more concrete date or patches available.
We got this CVE communicated by upstream, the fix will be in release 1.7.1, but I don't have a publication date yet.
Created attachment 871132 [details] upstream patch
Upstream plans to publish the release 1.7.1 on the date mentioned in comment 6. Their suggested patch is found in comment 7. Please *don't* publish anything in the build service before we give green light. You can privately prepare an update using the given patch but it will likely be simpler to simply use the upstream release once it is public.
This is now public via the 1.7.1 upstream release: https://github.com/UbuntuBudgie/budgie-extras/releases/tag/v1.7.1. Please package the new version and submit to all maintained OBS codestreams.
This is an autogenerated message for OBS integration: This bug (1216282) was mentioned in https://build.opensuse.org/request/show/1133097 Factory / budgie-extras