Bugzilla – Bug 1217597
VUL-0: CVE-2023-49343: budgie-extras: budgie-dropby: use of fixed paths in /tmp/<user>_call_dropby and /tmp/<user>_dropby_icon_copy
Last modified: 2024-03-08 13:32:40 UTC
+++ This bug was initially created as a clone of Bug #1213341

Upstream informed us about this additional fixed /tmp path vulnerability in the budgie-dropby component of budgie-extras. It is supposed to be fixed in upstream release 1.7.1. I don't know of a publication date yet.

In `dropover` the following paths are used:

/tmp/<user>_keepdropbywin
  This path seems only to be used for a regular file, so following symlinks would be a problem without symlink protection.

/tmp/<user>_call_dropby
  This is used as a "trigger" file to cause the program to refresh information. So anybody in the system could trigger this. The file is normally created from `budgie_dropby.py` which would follow symlinks here without symlink protection.

In `copy_flash` the path "/tmp/<user>_dropby_icon_copy" is used as a trigger file. It is only created here. Would follow symlinks without symlink protection. It is monitored in `budgie_dropby.py` and upon its creation a refresh is performed and possibly the GUI interface is popped up.
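As an added illustration (not code from budgie-extras or the upstream patch), the following Python shows why a predictable trigger path in the shared /tmp is unsafe when symlinks are followed, and two mitigations: refusing pre-existing files and symlinks at create time, and keeping trigger files in a user-private directory instead. The function names, the user "alice" and the scratch scenario are assumptions.

```python
import errno
import os
import tempfile

# Added illustration, not budgie-extras code. Function names are hypothetical;
# the user name "alice" and the planted symlink are constructed for the demo.

def touch_unsafe(path):
    # open(..., "w") follows a symlink at `path`, creating/truncating its target,
    # which is the behaviour the report describes for the fixed /tmp paths.
    with open(path, "w"):
        pass

def touch_safe(path):
    # O_NOFOLLOW refuses a symlink as the final path component and O_EXCL refuses
    # any pre-existing file, so a pre-planted link or file is rejected, not used.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    os.close(fd)

def private_trigger_dir():
    # Preferred fix: keep trigger files out of /tmp entirely, in a directory only
    # this user can write (XDG_RUNTIME_DIR is 0700 and user-owned by the spec).
    base = os.environ.get("XDG_RUNTIME_DIR")
    if base and os.path.isdir(base):
        st = os.stat(base)
        if st.st_uid == os.getuid() and (st.st_mode & 0o777) == 0o700:
            return base
    return tempfile.mkdtemp(prefix="dropby-")   # mkdtemp creates with mode 0700

def demo():
    # Constructed scenario in a scratch dir standing in for /tmp: another local
    # user has planted a symlink at the predictable trigger name (the same
    # <user>_call_dropby pattern as the report) pointing at `victim`.
    root = tempfile.mkdtemp()
    victim = os.path.join(root, "victim")
    trigger = os.path.join(root, "alice_call_dropby")
    os.symlink(victim, trigger)
    touch_unsafe(trigger)                       # silently creates `victim`
    unsafe_wrote_through_link = os.path.exists(victim)
    try:
        touch_safe(trigger)
        safe_refused = False
    except OSError as e:
        # Linux reports EEXIST (O_EXCL) or ELOOP (O_NOFOLLOW) for the symlink
        safe_refused = e.errno in (errno.ELOOP, errno.EEXIST)
    return {"unsafe_wrote_through_link": unsafe_wrote_through_link,
            "safe_refused": safe_refused}
```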
Created attachment 871135 [details] upstream patch
Created attachment 871136 [details] upstream patch
Upstream plans to publish the release 1.7.1 on the date mentioned in comment 1. Their suggested patches are found in comments 2 and 3. Please *don't* publish anything in the build service before we give green light. You can privately prepare an update using the given patches, but it will likely be simpler to simply use the upstream release once it is public.
This is now public via the 1.7.1 upstream release: https://github.com/UbuntuBudgie/budgie-extras/releases/tag/v1.7.1. Please package the new version and submit to all maintained OBS codestreams.
This is an autogenerated message for OBS integration: This bug (1217597) was mentioned in https://build.opensuse.org/request/show/1133097 Factory / budgie-extras
complete