Fixed directory names in public temporary directory
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Inkscape | Invalid | High | Unassigned | |
| inkscape (Debian) | Fix Released | Unknown | | |
Bug Description
Originally reported in https:/
When I use "File»Import Clip Art…", Inkscape creates the following
tree of directories with fixed names:
0 dkg@alice:~$ find $TMPDIR/openclipart -ls
3043836 0 drwxr-xr-x 4 dkg dkg 80 Jan 16 10:33 /home/dkg/
3043838 0 drwxr-xr-x 2 dkg dkg 40 Jan 16 10:33 /home/dkg/
3043837 0 drwxr-xr-x 2 dkg dkg 40 Jan 16 10:33 /home/dkg/
0 dkg@alice:~$
If $TMPDIR is unset, this happens in the globally-fixed name /tmp/openclipart.
I've tried having one user account ("attacker") create
/tmp/openclipart as a symlink to somewhere inside another user
("victim")'s home directory. When the victim user opens Inkscape and
chooses "File»Import Clip Art…", it creates the arbitrarily-named
directories "images" and "thumbnails" on their behalf.
This abuse of fixed names in /tmp is a security issue.
I can reproduce it with 1.0alpha.
information type: Private Security → Public Security
Changed in inkscape (Debian):
  status: Unknown → Confirmed
Changed in inkscape:
  status: New → Triaged
  importance: Undecided → High
  tags: added: bug-migration
Changed in inkscape (Debian):
  status: Confirmed → Fix Released
Hi - thanks for reporting this bug, I've manually migrated it to Inkscape's new
bug tracker on GitLab, and closed it here.
Please feel free to file new bugs about the issues you're seeing at inkscape.org/report.
Moved to: https://gitlab.com/inkscape/inbox/issues/263
Closed by: https://gitlab.com/doctormo