CVEs to resolve multi-user accessibility of multiple extras applets and applications

Bug #2044373 reported by fossfreedom
Affects                 Status        Importance  Assigned to           Milestone
budgie-extras (Ubuntu)  Fix Released  High        fossfreedom
  Jammy                 Fix Released  High        Leonidas S. Barbosa
  Lunar                 Fix Released  High        Leonidas S. Barbosa
  Mantic                Fix Released  High        Leonidas S. Barbosa
  Noble                 Fix Released  High        fossfreedom

Bug Description

Tracking bug report

DRAFT TO BE COMPLETED

[ Impact ]

 * The Ubuntu Budgie team have been notified of several issues that
require CVEs to be assigned to the budgie-extras package in mantic.
budgie-extras is specific to the budgie-desktop and is in the universe
repo. No other flavours use this package.

The recommendation from the openSUSE security team is for one CVE per
binary. The report details 4 potential CVEs. Analysis by the UB team has determined that a further two CVEs are warranted, since the issues identified also apply to two further binaries.

Thus a total of 6 CVEs.

All the CVEs are based around the same weakness: each binary writes its
transitory files to /tmp under a fixed, easily guessable name. /tmp is
shared by every user of the system, so on a machine with two or more
users one user can pre-create a file (or a symlink) at the path another
user's applet will use; that applet then fails or operates on data the
other user controls. The changelogs below describe the impact as
denial of service or manipulation of data.
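The weakness and its fix, as an added example in Python (the language the pep8 patches in the changelogs imply for these applets). This is illustrative code, not the applets' source or the tmpxdg patches: the file name PREDICTABLE_NAME, the .cache/budgie-example fallback under $HOME, and the temporary directories that stand in for /tmp and for $XDG_RUNTIME_DIR are all assumptions made for the demonstration.

```python
"""Predictable shared-/tmp path vs. a private per-user location (added example)."""
import os
import stat
import tempfile

# Hypothetical fixed file name; stands in for whatever name an applet used under /tmp.
PREDICTABLE_NAME = "budgie-example-capture.png"


def vulnerable_write(shared_dir: str, data: bytes) -> str:
    """The pattern behind the CVEs: a fixed, guessable name in a world-writable directory.

    open() follows symlinks and truncates whatever is there, so an entry that another
    local user planted at this name decides where the applet's data really goes.
    """
    path = os.path.join(shared_dir, PREDICTABLE_NAME)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def private_runtime_dir(env: dict) -> str:
    """Choose a per-user directory: $XDG_RUNTIME_DIR if set, else a subdirectory of $HOME.

    Either way the result must be a real directory owned by this user and not
    accessible to group/other, otherwise relocating out of /tmp buys nothing.
    """
    base = env.get("XDG_RUNTIME_DIR")
    if not base:
        home = env.get("HOME")
        if not home:
            raise RuntimeError("neither XDG_RUNTIME_DIR nor HOME is set")
        base = os.path.join(home, ".cache", "budgie-example")  # hypothetical fallback
    os.makedirs(base, mode=0o700, exist_ok=True)
    st = os.lstat(base)  # lstat: a symlink must not pass as the directory
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != os.getuid() or st.st_mode & 0o077:
        raise RuntimeError(f"{base} is not a private directory owned by uid {os.getuid()}")
    return base


def hardened_write(base_dir: str, data: bytes) -> str:
    """Create the file atomically: O_EXCL refuses any pre-existing entry (file or
    symlink), O_NOFOLLOW refuses to follow a symlink, mode 0600 keeps it private."""
    path = os.path.join(base_dir, PREDICTABLE_NAME)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo() -> dict:
    """Reproduce the cross-user scenario offline with a single account.

    A temporary directory stands in for /tmp (constructed sample data); the
    "attacker" step is a symlink planted at the predictable name.
    """
    shared = tempfile.mkdtemp(prefix="fake-shared-tmp-")
    victim = os.path.join(shared, "victim-file")
    with open(victim, "wb") as fh:
        fh.write(b"original")
    os.symlink(victim, os.path.join(shared, PREDICTABLE_NAME))  # attacker's planted link

    vulnerable_write(shared, b"clobbered")  # follows the link: victim-file is overwritten
    with open(victim, "rb") as fh:
        victim_clobbered = fh.read() == b"clobbered"

    try:  # same shared dir, hardened open: the planted symlink is refused, not followed
        hardened_write(shared, b"never written")
        symlink_refused = False
    except FileExistsError:
        symlink_refused = True

    runtime = tempfile.mkdtemp(prefix="fake-xdg-runtime-")  # mkdtemp creates mode 0700
    base = private_runtime_dir({"XDG_RUNTIME_DIR": runtime})
    hardened_write(base, b"safe")
    try:  # a second write to the same name must fail loudly rather than reuse the entry
        hardened_write(base, b"again")
        reuse_refused = False
    except FileExistsError:
        reuse_refused = True

    home = tempfile.mkdtemp(prefix="fake-home-")
    fallback = private_runtime_dir({"HOME": home})  # no XDG_RUNTIME_DIR: HOME fallback

    return {
        "vulnerable_clobbered_victim": victim_clobbered,
        "hardened_refused_planted_symlink": symlink_refused,
        "hardened_refused_reuse": reuse_refused,
        "fallback_under_home": fallback.startswith(home),
    }


if __name__ == "__main__":
    print(demo())
```

The two halves of the fix are independent: moving under $XDG_RUNTIME_DIR (0700, owned by the logged-in user) removes the other user's ability to plant anything at all, while O_CREAT|O_EXCL|O_NOFOLLOW makes the writer fail closed if something is there anyway, for instance in the $HOME fallback where other processes of the same user share the directory.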

[ Test Plan ]

 * Since the fix switches the storage location to per-user space, the test plan needs to:
a) ensure the existing capabilities work as expected;
b) verify that /tmp is NOT used and that the transitory files are written to the user-space locations instead, i.e. $XDG_RUNTIME_DIR or, as the fallback, $HOME.

Use the following notify script (save it as ~/notifydir.sh and chmod +x ~/notifydir.sh; it needs inotify-tools installed) to watch a folder, and run it in three tilix sessions:

#!/bin/bash
# Usage: ~/notifydir.sh <directory>
# Reports every file created in, or moved into, the watched directory
# (requires inotifywait from the inotify-tools package).
set -u

monitor_path="${1:?usage: $0 <directory>}"

# inotifywait prints "<watched dir> <event> <file name>" for each event
inotifywait -m "$monitor_path" -e create -e moved_to |
    while read -r path action file; do
        echo "The file '$file' appeared in directory '$path' via '$action'"
        ls -la "$path/$file"
    done

i.e. in session 1 run ~/notifydir.sh /tmp
in session 2 run ~/notifydir.sh "$XDG_RUNTIME_DIR"
in session 3 run ~/notifydir.sh "$HOME"

 1. From Budgie Desktop Settings add one of the affected applets:
    budgie-takeabreak
    budgie-dropby
    budgie-clockworks
    budgie-weathershow

 2a. For takeabreak, enable a takeabreak action.
 2b. For dropby, insert a USB stick and mount it.
 2c. For clockworks, create another clock.
 2d. For weathershow, change to another location and open the popup to show the weather.

 3. For all of the above, examine the tilix sessions. Session 1 (/tmp) should not show temporary files being written by the applet. You will see other temporary files created by the operating system in general; that is expected.

    Session 2 ($XDG_RUNTIME_DIR) should show the applet's files being written.

    Session 3 ($HOME) should not show any of these files being written. This is expected: $HOME is only the fallback location, and a UB session should not normally need it.

 4. Repeat for the other applets.
 5. Repeat, but enable Budgie Window Previews from the menu application (search for "previews").
 6. Repeat, but enable Budgie Window Shuffler from the menu application (search for "shuffler").
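The three watch sessions can also be checked after the fact from a script. The functions below are an added example for this test plan, not part of the bug report or the budgie-extras package: they resolve the directory the fixed applets are expected to use, confirm it actually isolates users, and list what appeared in a directory since a marker was dropped. They assume a find(1) that understands -prune, -perm, -user and -newer (GNU and BSD find both do); the marker and directory names are the caller's choice.

```sh
#!/bin/sh
# Added example (not part of the bug report): scriptable counterparts to the
# three tilix sessions in the test plan above.

# Resolve the per-user location in the order the fix describes:
# $XDG_RUNTIME_DIR first, then $HOME as the fallback. Fails if neither is set.
expected_dir() {
    if [ -n "${XDG_RUNTIME_DIR:-}" ]; then
        printf '%s\n' "$XDG_RUNTIME_DIR"
    elif [ -n "${HOME:-}" ]; then
        printf '%s\n' "$HOME"
    else
        return 1
    fi
}

# Succeed only if $1 is a real directory (not a symlink) owned by the caller with
# mode exactly 0700. A 0755 or group-writable directory would not isolate users,
# so relocating files there would not actually close the issue.
is_private_dir() {
    [ -d "$1" ] || return 1
    [ -n "$(find "$1" -prune -type d -perm 0700 -user "$(id -un)" 2>/dev/null)" ]
}

# Drop a marker file before exercising an applet...
mark() {
    : > "$1"
}

# ...then list the caller's regular files in directory $2 that are newer than
# marker $1. Run against /tmp it should print nothing for the fixed applets;
# run against the directory from expected_dir it should print the transitory files.
new_files_since() {
    find "$2" -mindepth 1 -maxdepth 1 -type f -user "$(id -un)" -newer "$1" 2>/dev/null | sort
}
```

Typical use: `mark /tmp/.before && mark "$(expected_dir)/.before"`, exercise the applet as in steps 2a to 2d, then `new_files_since /tmp/.before /tmp` (expect nothing from the applet) and `new_files_since "$(expected_dir)/.before" "$(expected_dir)"` (expect the applet's files), after first confirming `is_private_dir "$(expected_dir)"`.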

[ Where problems could occur ]

 * The issue is specific to budgie-desktop users only and is limited to one specific capability of budgie, i.e. a specific applet or budgie application (window previews/window shuffler).
 * If neither of the user-space locations (XDG_RUNTIME_DIR or HOME) exists then the applet/budgie application will not capture the image. It is considered highly unlikely that a budgie-desktop user will attempt to run a session without a HOME folder, which is the ultimate fallback each applet/budgie application requires.

[ Other Info ]

 * The budgie team have tested the above for jammy, lunar and mantic.
The testing involved applying the debdiffs for each series and building via sbuild. The applet/application binaries were then installed via sudo apt install ./appletapplication.deb
 * For noble there will be a version bump from github (v1.7.1) that has been/will be uploaded first to Debian unstable before syncing to noble.

Changed in budgie-extras (Ubuntu Noble):
assignee: nobody → fossfreedom (fossfreedom)
importance: Undecided → High
Changed in budgie-extras (Ubuntu Mantic):
importance: Undecided → High
Changed in budgie-extras (Ubuntu Lunar):
importance: Undecided → High
Changed in budgie-extras (Ubuntu Jammy):
importance: Undecided → High
description: updated
Revision history for this message
Mark Esler (eslerm) wrote :

Thank you David!

Please refer to these vulnerabilities as:
  CVE-2023-49342 for the clockworks applet
  CVE-2023-49343 for the dropby applet
  CVE-2023-49344 for the shuffler applet
  CVE-2023-49345 for the takeabreak applet
  CVE-2023-49346 for the weathershow applet
  CVE-2023-49347 for the window previews applet

When a coordinated release date is chosen, please add it to this bug report.

Revision history for this message
fossfreedom (fossfreedom) wrote :

Mark and Nishit

  debdiffs enclosed for key stable series - jammy, lunar and jammy

Successfully applied via debdiff-apply < series.debdiff in the folder obtained via

pull-lp-source budgie-extras series
cd budgie-extras*

Mark - I'm aware of the upcoming shutdown for xmas. So I'm happy for an early CRD

Thursday 14th Dec would be my preferred date - but if that's too late then I'm content for - say - Friday 8th.

Revision history for this message
fossfreedom (fossfreedom) wrote :

Note - both of you have now access to the draft CVEs on github - https://github.com/UbuntuBudgie/budgie-extras/security/advisories

Revision history for this message
Mark Esler (eslerm) wrote (last edit ):

Thanks David!

Nishit, can you speak to preferred CRD?

Revision history for this message
Nishit Majithia (0xnishit) wrote :

Hi Mark, starting tomorrow, I'll be on holiday break and won't be able to assist in deciding the CRD in this case or publishing the updates.

Revision history for this message
Mark Esler (eslerm) wrote :

Thanks Nishit.

David, can we set the CRD to December 14th?

Revision history for this message
fossfreedom (fossfreedom) wrote : Re: [Bug 2044373] Re: CVEs to resolve multi-user accessibility of multiple extras applets and applications

Mark. 14th would be great

David

On Wed, 6 Dec 2023, 17:51 Mark Esler, <email address hidden> wrote:

> Thanks Nishit.
>
> David, can we set the CRD to December 14th?

Revision history for this message
Leonidas S. Barbosa (leosilvab) wrote :

Hello folks, I'll handle the sponsoring. Let me know of anything extra, thanks!

Changed in budgie-extras (Ubuntu Jammy):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
Changed in budgie-extras (Ubuntu Lunar):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
Changed in budgie-extras (Ubuntu Mantic):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package budgie-extras - 1.7.1-1

---------------
budgie-extras (1.7.1-1) unstable; urgency=medium

  * SECURITY UPDATE: Predictable /tmp path could lead to
    denial-of-service/manipulation of data for clockworks applet
    (LP: #2044373)
    - d/patches/clockwork-tmpxdg.patch: change /tmp path
      usage to use XDG_RUNTIME_DIR/HOME user-space locations,
      thanks to original author
      d/patches/clockwork-tmpxdg-pep8.patch: resolve pep8
      package test failure, thanks to original author
    - CVE-2023-49342
  * SECURITY UPDATE: Predictable /tmp path could lead to
    denial-of-service/manipulation of data for dropby applet
    (LP: #2044373)
    - d/patches/dropby-tmpxdg.patch: change /tmp path
      usage to use XDG_RUNTIME_DIR/HOME user-space locations
      d/patches/dropby-tmpxdg-pep8.patch: resolve pep8
      package test failure, thanks to original author
    - CVE-2023-49343
  * SECURITY UPDATE: Predictable /tmp path could lead to
    denial-of-service/manipulation of data for shuffler app
    (LP: #2044373)
    - d/patches/shuffler-tmpxdg.patch: change /tmp path
      usage to use XDG_RUNTIME_DIR/HOME user-space locations,
      thanks to original author
    - CVE-2023-49344
  * SECURITY UPDATE: Predictable /tmp path could lead to
    denial-of-service/manipulation of data for takeabreak
    applet (LP: #2044373)
    - d/patches/takeabreak-tmpxdg.patch: change /tmp path
      usage to use XDG_RUNTIME_DIR/HOME user-space locations,
      thanks to original author
      d/patches/takeabreak-tmpxdg-pep8.patch: resolve pep8
      package test failure, thanks to original author
      d/patches/takeabreak-tmpxdg-pep8_part2.patch: resolve pep8
      package test failure, thanks to original author
    - CVE-2023-49345
  * SECURITY UPDATE: Predictable /tmp path could lead to
    denial-of-service/manipulation of data for weathershow
    applet (LP: #2044373)
    - d/patches/weathershow-tmpxdg.patch: change /tmp path
      usage to use XDG_RUNTIME_DIR/HOME user-space locations,
      thanks to original author
    - CVE-2023-49346
  * SECURITY UPDATE: Predictable /tmp path could lead to
    denial-of-service/manipulation of data for window
    previews applet (LP: #2044373)
    - d/patches/wpreviews-tmpxdg.patch: change /tmp path
      usage to use XDG_RUNTIME_DIR/HOME user-space locations,
      thanks to original author
    - CVE-2023-49347
  * Drop existing patch since the new release incorporates this

 -- David Mohammed <email address hidden> Sun, 03 Dec 2023 19:11:30 +0000

Changed in budgie-extras (Ubuntu Noble):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package budgie-extras - 1.7.0-3.0ubuntu1

---------------
budgie-extras (1.7.0-3.0ubuntu1) mantic-security; urgency=medium

  * SECURITY UPDATE: Predictable /tmp path could lead to
    denial-of-service/manipulation of data for clockworks applet
    (LP: #2044373)
    - d/patches/clockwork-tmpxdg.patch: change /tmp path
      usage to use XDG_RUNTIME_DIR/HOME user-space locations,
      thanks to original author
      d/patches/clockwork-tmpxdg-pep8.patch: resolve pep8
      package test failure, thanks to original author
    - CVE-2023-49342
  * SECURITY UPDATE: Predictable /tmp path could lead to
    denial-of-service/manipulation of data for dropby applet
    (LP: #2044373)
    - d/patches/dropby-tmpxdg.patch: change /tmp path
      usage to use XDG_RUNTIME_DIR/HOME user-space locations
      d/patches/dropby-tmpxdg-pep8.patch: resolve pep8
      package test failure, thanks to original author
    - CVE-2023-49343
  * SECURITY UPDATE: Predictable /tmp path could lead to
    denial-of-service/manipulation of data for shuffler app
    (LP: #2044373)
    - d/patches/shuffler-tmpxdg.patch: change /tmp path
      usage to use XDG_RUNTIME_DIR/HOME user-space locations,
      thanks to original author
    - CVE-2023-49344
  * SECURITY UPDATE: Predictable /tmp path could lead to
    denial-of-service/manipulation of data for takeabreak
    applet (LP: #2044373)
    - d/patches/takeabreak-tmpxdg.patch: change /tmp path
      usage to use XDG_RUNTIME_DIR/HOME user-space locations,
      thanks to original author
      d/patches/takeabreak-tmpxdg-pep8.patch: resolve pep8
      package test failure, thanks to original author
      d/patches/takeabreak-tmpxdg-pep8_part2.patch: resolve pep8
      package test failure, thanks to original author
    - CVE-2023-49345
  * SECURITY UPDATE: Predictable /tmp path could lead to
    denial-of-service/manipulation of data for weathershow
    applet (LP: #2044373)
    - d/patches/weathershow-tmpxdg.patch: change /tmp path
      usage to use XDG_RUNTIME_DIR/HOME user-space locations,
      thanks to original author
    - CVE-2023-49346
  * SECURITY UPDATE: Predictable /tmp path could lead to
    denial-of-service/manipulation of data for window
    previews applet (LP: #2044373)
    - d/patches/wpreviews-tmpxdg.patch: change /tmp path
      usage to use XDG_RUNTIME_DIR/HOME user-space locations,
      thanks to original author
    - CVE-2023-49347

 -- David Mohammed <email address hidden> Tue, 07 Nov 2023 19:03:41 +0000

Changed in budgie-extras (Ubuntu Mantic):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package budgie-extras - 1.4.0-1ubuntu3.1

---------------
budgie-extras (1.4.0-1ubuntu3.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Predictable /tmp path could lead to
    denial-of-service/manipulation of data for clockworks applet
    (LP: #2044373)
    - d/patches/clockwork-tmpxdg.patch: change /tmp path
      usage to use XDG_RUNTIME_DIR/HOME user-space locations,
      thanks to original author
      d/patches/clockwork-tmpxdg-pep8.patch: resolve pep8
      package test failure, thanks to original author
    - CVE-2023-49342
  * SECURITY UPDATE: Predictable /tmp path could lead to
    denial-of-service/manipulation of data for dropby applet
    (LP: #2044373)
    - d/patches/Don-t-hard-code-tmp-in-window-shuffler-422.patch cherry-pick
      patch to allow the security patch to apply
    - d/patches/dropby-tmpxdg.patch: change /tmp path
      usage to use XDG_RUNTIME_DIR/HOME user-space locations
      d/patches/dropby-tmpxdg-pep8.patch: resolve pep8
      package test failure, thanks to original author
    - CVE-2023-49343
  * SECURITY UPDATE: Predictable /tmp path could lead to
    denial-of-service/manipulation of data for shuffler app
    (LP: #2044373)
    - d/patches/shuffler-tmpxdg.patch: change /tmp path
      usage to use XDG_RUNTIME_DIR/HOME user-space locations,
      thanks to original author
    - CVE-2023-49344
  * SECURITY UPDATE: Predictable /tmp path could lead to
    denial-of-service/manipulation of data for takeabreak
    applet (LP: #2044373)
    - d/patches/Don-t-hard-code-tmp-in-takeabreak-422.patch cherry-pick patch
      to allow the security patch to apply
    - d/patches/takeabreak-tmpxdg.patch: change /tmp path
      usage to use XDG_RUNTIME_DIR/HOME user-space locations,
      thanks to original author
      d/patches/takeabreak-tmpxdg-pep8.patch: resolve pep8
      package test failure, thanks to original author
      d/patches/takeabreak-tmpxdg-pep8_part2.patch: resolve pep8
      package test failure, thanks to original author
    - CVE-2023-49345
  * SECURITY UPDATE: Predictable /tmp path could lead to
    denial-of-service/manipulation of data for weathershow
    applet (LP: #2044373)
    - d/patches/Don-t-hard-code-tmp-in-weathershow-422.patch cherry-pick patch
      to allow the security patch to apply
    - d/patches/weathershow-tmpxdg.patch: change /tmp path
      usage to use XDG_RUNTIME_DIR/HOME user-space locations,
      thanks to original author
    - CVE-2023-49346
  * SECURITY UPDATE: Predictable /tmp path could lead to
    denial-of-service/manipulation of data for window
    previews applet (LP: #2044373)
    - d/patches/Don-t-hard-code-tmp-in-previews-422.patch cherry-pick patch to
      allow the security patch to apply
    - d/patches/wpreviews-tmpxdg.patch: change /tmp path
      usage to use XDG_RUNTIME_DIR/HOME user-space locations,
      thanks to original author
    - CVE-2023-49347

 -- David Mohammed <email address hidden> Tue, 07 Nov 2023 23:29:45 +0000

Changed in budgie-extras (Ubuntu Jammy):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package budgie-extras - 1.6.0-1ubuntu0.1

---------------
budgie-extras (1.6.0-1ubuntu0.1) lunar-security; urgency=medium

  * SECURITY UPDATE: Predictable /tmp path could lead to
    denial-of-service/manipulation of data for clockworks applet
    (LP: #2044373)
    - d/patches/clockwork-tmpxdg.patch: change /tmp path
      usage to use XDG_RUNTIME_DIR/HOME user-space locations,
      thanks to original author
      d/patches/clockwork-tmpxdg-pep8.patch: resolve pep8
      package test failure, thanks to original author
    - CVE-2023-49342
  * SECURITY UPDATE: Predictable /tmp path could lead to
    denial-of-service/manipulation of data for dropby applet
    (LP: #2044373)
    - d/patches/dropby-tmpxdg.patch: change /tmp path
      usage to use XDG_RUNTIME_DIR/HOME user-space locations
      d/patches/dropby-tmpxdg-pep8.patch: resolve pep8
      package test failure, thanks to original author
    - CVE-2023-49343
  * SECURITY UPDATE: Predictable /tmp path could lead to
    denial-of-service/manipulation of data for shuffler app
    (LP: #2044373)
    - d/patches/shuffler-tmpxdg.patch: change /tmp path
      usage to use XDG_RUNTIME_DIR/HOME user-space locations,
      thanks to original author
    - CVE-2023-49344
  * SECURITY UPDATE: Predictable /tmp path could lead to
    denial-of-service/manipulation of data for takeabreak
    applet (LP: #2044373)
    - d/patches/takeabreak-tmpxdg.patch: change /tmp path
      usage to use XDG_RUNTIME_DIR/HOME user-space locations,
      thanks to original author
      d/patches/takeabreak-tmpxdg-pep8.patch: resolve pep8
      package test failure, thanks to original author
      d/patches/takeabreak-tmpxdg-pep8_part2.patch: resolve pep8
      package test failure, thanks to original author
    - CVE-2023-49345
  * SECURITY UPDATE: Predictable /tmp path could lead to
    denial-of-service/manipulation of data for weathershow
    applet (LP: #2044373)
    - d/patches/weathershow-tmpxdg.patch: change /tmp path
      usage to use XDG_RUNTIME_DIR/HOME user-space locations,
      thanks to original author
    - CVE-2023-49346
  * SECURITY UPDATE: Predictable /tmp path could lead to
    denial-of-service/manipulation of data for window
    previews applet (LP: #2044373)
    - d/patches/wpreviews-tmpxdg.patch: change /tmp path
      usage to use XDG_RUNTIME_DIR/HOME user-space locations,
      thanks to original author
    - CVE-2023-49347

 -- David Mohammed <email address hidden> Tue, 07 Nov 2023 20:35:46 +0000

Changed in budgie-extras (Ubuntu Lunar):
status: New → Fix Released
Revision history for this message
Mark Esler (eslerm) wrote :

Thank you @fossfreedom and everyone involved in addressing these issues \o/

Patches and CVEs are released so I am making this issue public.

I re-assessed all CVEs to the same CVSS. I also removed the suggested mitigation text and user-specific text in the CVE metadata; many applications have access to /tmp/ in addition to other user accounts.

If the reporter for the first two CVEs is added to GHSA, I can update the CVE metadata to attribute them.

information type: Private Security → Public Security