CVEs to resolve multi-user accessibility of multiple extras applets and applications
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
budgie-extras (Ubuntu) | Fix Released | High | fossfreedom |
Jammy | Fix Released | High | Leonidas S. Barbosa |
Lunar | Fix Released | High | Leonidas S. Barbosa |
Mantic | Fix Released | High | Leonidas S. Barbosa |
Noble | Fix Released | High | fossfreedom |
Bug Description
Tracking bug report
DRAFT TO BE COMPLETED
[ Impact ]
* The Ubuntu Budgie team have been notified of several issues that require CVEs to be assigned to the budgie-extras package in mantic. budgie-extras is specific to the budgie-desktop and is in the universe repo. No other flavours use this package.
The recommendation from the openSUSE security team is for one CVE per binary. The report details 4 potential CVEs. Analysis by the UB team has determined that a further two CVEs are warranted, since the issues identified also apply to two further binaries.
Thus a total of 6 CVEs.
All the CVEs are based around the same issue: each binary writes temporary files under the shared, world-writable /tmp directory using names that are easily guessable. On a system with two or more users, one user could in theory pre-create files at those paths and thereby affect what another user's instance of these budgie binaries reads or writes.
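To make the vulnerability class concrete, the following is an added example written for this page, not code from budgie-extras or the Ubuntu Budgie team. It contrasts the fixed-name write into /tmp with a write into a per-user directory that prefers $XDG_RUNTIME_DIR and falls back to $HOME, as the fix described above does. The file name weathershow.png, the fallback directory under $HOME/.cache, and the symlink planted by the second user are assumptions of the example, not details taken from the report; the directories it uses are throwaway ones created at run time, so it runs offline without touching the real /tmp.

```python
"""Predictable-name /tmp file versus per-user runtime directory (added example)."""
import os
import stat
import tempfile


def predictable_tmp_path(name: str, shared_dir: str = "/tmp") -> str:
    """The vulnerable pattern: a fixed, guessable file name in a world-writable directory."""
    return os.path.join(shared_dir, name)


def write_unsafe(path: str, data: bytes) -> None:
    """open() follows whatever already sits at `path`, including a symlink another user planted."""
    with open(path, "wb") as f:
        f.write(data)


def user_runtime_dir(env=None) -> str:
    """Return $XDG_RUNTIME_DIR when it exists and belongs to us, else a 0700 directory under $HOME.

    The fallback path below is an assumption for this example, not the applets' real location.
    With neither variable usable it refuses rather than silently falling back to /tmp.
    """
    env = os.environ if env is None else env
    runtime = env.get("XDG_RUNTIME_DIR")
    if runtime and os.path.isdir(runtime) and os.stat(runtime).st_uid == os.getuid():
        return runtime
    home = env.get("HOME")
    if not home or not os.path.isdir(home):
        raise RuntimeError("neither XDG_RUNTIME_DIR nor HOME is usable; not falling back to /tmp")
    fallback = os.path.join(home, ".cache", "budgie-extras-example")  # assumed name
    os.makedirs(fallback, mode=0o700, exist_ok=True)
    os.chmod(fallback, 0o700)  # makedirs honours umask; enforce owner-only access explicitly
    return fallback


def write_safe(directory: str, prefix: str, data: bytes) -> str:
    """Create an unpredictable, owner-only (0600) file with O_CREAT|O_EXCL; never reuses an existing path."""
    fd, path = tempfile.mkstemp(prefix=prefix, dir=directory)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo() -> dict:
    """Constructed scenario: throwaway directories stand in for /tmp, $HOME and the victim's files."""
    shared = tempfile.mkdtemp(prefix="shared-tmp-")  # plays the role of /tmp
    victim = os.path.join(tempfile.mkdtemp(prefix="victim-"), "important.txt")
    with open(victim, "wb") as f:
        f.write(b"original")

    # Another local user pre-creates the guessable name as a symlink to the victim file...
    guessable = predictable_tmp_path("weathershow.png", shared)
    os.symlink(victim, guessable)
    # ...so the applet's "temporary" write lands on the victim's file instead.
    write_unsafe(guessable, b"png bytes")
    with open(victim, "rb") as f:
        victim_clobbered = f.read() == b"png bytes"

    # Hardened path: per-user runtime dir, random name, 0600 mode.
    private = tempfile.mkdtemp(prefix="xdg-runtime-")
    os.chmod(private, 0o700)
    rdir = user_runtime_dir({"XDG_RUNTIME_DIR": private, "HOME": "/nonexistent"})
    safe_path = write_safe(rdir, "weathershow-", b"png bytes")

    # With no usable XDG_RUNTIME_DIR the fallback is an owner-only directory under $HOME...
    home = tempfile.mkdtemp(prefix="home-")
    fallback_mode = stat.S_IMODE(os.stat(user_runtime_dir({"HOME": home})).st_mode)
    # ...and with neither variable usable the writer refuses rather than using /tmp.
    try:
        user_runtime_dir({"HOME": "/nonexistent"})
        refused = False
    except RuntimeError:
        refused = True

    return {
        "victim_clobbered": victim_clobbered,
        "safe_dir_is_private": os.path.dirname(safe_path) == private,
        "safe_mode": stat.S_IMODE(os.stat(safe_path).st_mode),
        "fallback_mode": fallback_mode,
        "refused_without_home": refused,
    }


if __name__ == "__main__":
    print(demo())
```

The two properties that remove the multi-user issue are the directory (owned by and readable only by the calling user, so no other user can pre-create anything in it) and the creation flags (mkstemp opens with O_CREAT|O_EXCL and mode 0600, so an existing path is never reused). The refusal branch matches the behaviour described under "Where problems could occur": with no usable HOME the applet does not write the image at all rather than going back to /tmp.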
[ Test Plan ]
* Since the fix moves the storage location from /tmp to per-user directories, the test plan needs to:
a) ensure the existing capabilities work as expected;
b) verify that /tmp is NOT being used and that the transitory files are written to the per-user locations instead, i.e. $XDG_RUNTIME_DIR or, as a fallback, $HOME.
Use the following notify script (save it as ~/notifydir.sh and run chmod +x ~/notifydir.sh) to watch a folder. It needs the inotify-tools package for inotifywait. Run it in three tilix sessions:
#!/bin/bash
# Watch one directory and report every file created in it or moved into it.
# Usage: ~/notifydir.sh <directory>
set -u
monitor_path="$1"
# inotifywait -m prints "<watched dir> <EVENT> <file name>" for each event
inotifywait -m "$monitor_path" -e create -e moved_to |
while read -r path action file; do
    echo "The file '$file' appeared in directory '$path' via '$action'"
    ls -la "$path/$file"
done
i.e. in session 1 run ~/notifydir.sh /tmp
in session 2 run ~/notifydir.sh "$XDG_RUNTIME_DIR"
in session 3 run ~/notifydir.sh "$HOME"
1. From Budgie Desktop Settings add one of the affected applets:
budgie-takeabreak
budgie-dropby
budgie-clockworks
budgie-weathershow
2a. For takeabreak enable a takeabreak action.
2b. For dropby, insert a USB stick and mount the stick
2c. For clockworks create another clock
2d. For weathershow - change to another location and open the popup to show the weather
3. For all of the above examine the tilix sessions. Session 1 should not show temporary files being written to /tmp by the applet (other temporary files belonging to the operating system in general will appear there; that is expected).
Session 2 (watching $XDG_RUNTIME_DIR) should show files being written on Ubuntu Budgie.
Session 3 (watching $HOME) should not show any screenshot files being written. This is as expected because Ubuntu Budgie should not normally need the $HOME fallback folder.
4. Repeat for the other applets
5. Repeat but enable budgie window previews by the menu application (search for previews)
6. Repeat but enable budgie window shuffler by the menu application (search for shuffler)
[ Where problems could occur ]
* The issue is specific to budgie-desktop users only and each fix is limited to one specific capability of budgie, i.e. a single applet or budgie application (window previews/window shuffler).
* If the per-user locations (XDG_RUNTIME_DIR or HOME) do not exist then the applet/budgie application will not capture the image. It is considered highly unlikely that a budgie-desktop user will attempt to run a session without a HOME folder, which is the final fallback each applet/budgie application requires.
[ Other Info ]
* The budgie team have tested the above for jammy, lunar and mantic.
The testing involves applying the debdiffs for each series and building via sbuild. The applet/application binaries have then been installed via sudo apt install ./appletapplica
* For noble there will be a version bump from GitHub, v1.7.1, that has been/will be uploaded first to Debian unstable before syncing to noble.
CVE References
Changed in budgie-extras (Ubuntu Noble): | |
assignee: | nobody → fossfreedom (fossfreedom) |
importance: | Undecided → High |
Changed in budgie-extras (Ubuntu Mantic): | |
importance: | Undecided → High |
Changed in budgie-extras (Ubuntu Lunar): | |
importance: | Undecided → High |
Changed in budgie-extras (Ubuntu Jammy): | |
importance: | Undecided → High |
description: | updated |
Thank you David!
Please refer to these vulnerabilities as:
CVE-2023-49342 for the clockworks applet
CVE-2023-49343 for the dropby applet
CVE-2023-49344 for the shuffler applet
CVE-2023-49345 for the takeabreak applet
CVE-2023-49346 for the weathershow applet
CVE-2023-49347 for the window previews applet
When a coordinated release date is chosen, please add it to this bug report.