Bug 1217595 (CVE-2023-49342) - VUL-0: CVE-2023-49342: budgie-extras: budgie-clockworks: uses fixed temporary files in /tmp/<user>_clockworks
Status: IN_PROGRESS
Alias: CVE-2023-49342
Product: SUSE Security Incidents
Classification: Novell Products
Component: Audits
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 1216279
Reported: 2023-11-28 14:58 UTC by Matthias Gerstner
Modified: 2024-03-08 13:32 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
upstream patch (1.21 KB, text/x-diff), 2023-12-04 11:57 UTC, Matthias Gerstner
upstream patch (1.01 KB, text/x-diff), 2023-12-04 11:57 UTC, Matthias Gerstner

Description Matthias Gerstner 2023-11-28 14:58:21 UTC
+++ This bug was initially created as a clone of Bug #1213341

Upstream informed us that the budgie-clockworks tool also contains a fixed
/tmp file usage that escaped my previous review efforts.

It is found in cwtools.py: a directory is created in /tmp/<user>_clockworks
and reused if it already exists.

I don't know about a publication date yet, but it is supposed to be fixed in
version 1.7.1.
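The weak pattern described in the report, placed next to a hardened alternative, as an added example. This is not cwtools.py and not budgie-extras code; the function names, the preference for XDG_RUNTIME_DIR and the tempfile.mkdtemp() fallback are this example's own assumptions about how such a per-user scratch directory can be obtained safely.

```python
import os
import stat
import tempfile


def user_name():
    """Per-user name component; falls back to the numeric uid so the example
    runs in environments without a USER variable (constructed helper)."""
    return os.environ.get("USER") or str(os.getuid())


def fixed_tmp_dir_unsafe(base="/tmp", app="clockworks"):
    """Weak pattern from the report (constructed illustration, not the real
    cwtools.py code): a predictable per-user path under a world-writable
    directory, reused as-is whenever something already exists there.
    os.path.isdir() follows symlinks, so whatever another local user planted
    at that name is silently accepted as "our" directory."""
    path = os.path.join(base, f"{user_name()}_{app}")
    if not os.path.isdir(path):
        os.mkdir(path, 0o700)
    return path


def is_private_dir(path, uid=None):
    """Accept only a real directory (lstat, so a symlink is rejected) that is
    owned by uid and not writable by group or others."""
    uid = os.getuid() if uid is None else uid
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    return (stat.S_ISDIR(st.st_mode)
            and st.st_uid == uid
            and not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)))


def private_runtime_dir(app="clockworks"):
    """Hardened alternative (assumption of this example): use the per-user
    XDG_RUNTIME_DIR, which the login manager creates with mode 0700, and
    reuse a subdirectory there only after verifying we own it.  Without a
    trustworthy runtime dir, create a fresh unpredictable directory instead
    of reusing anything that already exists under a shared path."""
    runtime = os.environ.get("XDG_RUNTIME_DIR")
    if runtime and is_private_dir(runtime):
        path = os.path.join(runtime, app)
        try:
            os.mkdir(path, 0o700)
        except FileExistsError:
            # Reuse only a directory that passes the same ownership checks;
            # a symlink or a foreign-owned entry is refused, not followed.
            if not is_private_dir(path):
                raise RuntimeError(f"refusing to reuse untrusted directory: {path}")
        return path
    # mkdtemp creates the directory atomically with mode 0700 and a random
    # name, so there is no pre-existing entry for anyone to have planted.
    return tempfile.mkdtemp(prefix=f"{app}-")


if __name__ == "__main__":
    print(private_runtime_dir())
```

The two checks that matter are `os.lstat()` rather than `os.path.isdir()` (so a link at the expected name is seen as a link, not as the directory behind it) and the ownership plus group/other-write test before anything already present is reused; the fallback to `tempfile.mkdtemp()` avoids a fixed name entirely when no private base directory is available.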
Comment 2 Matthias Gerstner 2023-12-04 11:57:27 UTC
Created attachment 871133 [details]
upstream patch
Comment 3 Matthias Gerstner 2023-12-04 11:57:38 UTC
Created attachment 871134 [details]
upstream patch
Comment 4 Matthias Gerstner 2023-12-04 12:04:09 UTC
Upstream plans to publish the release 1.7.1 on the date mentioned in comment
1. Their suggested patches are found in comments 2 and 3.

Please *don't* publish anything in the build service before we give green
light. You can privately prepare an update using the given patch but it will
likely be simpler to simply use the upstream release once it is public.
Comment 5 Matthias Gerstner 2023-12-14 09:36:43 UTC
This is now public via the 1.7.1 upstream release: https://github.com/UbuntuBudgie/budgie-extras/releases/tag/v1.7.1. Please package the new version and submit to all maintained OBS codestreams.
Comment 6 OBSbugzilla Bot 2023-12-14 15:35:07 UTC
This is an autogenerated message for OBS integration:
This bug (1217595) was mentioned in
https://build.opensuse.org/request/show/1133097 Factory / budgie-extras
Comment 7 Callum Farmer 2024-03-08 13:32:40 UTC
complete