StateSaver serializes potentially sensitive data under /tmp, doesn’t use O_EXCL

from modules/Ubuntu/Components/plugin/statesaverbackend_p.cpp:

    m_archive = new QSettings(QString("%1/%2.state")
                              .arg(QStandardPaths::standardLocations(QStandardPaths::TempLocation)[0])
                              .arg(applicationName), QSettings::NativeFormat);

QStandardPaths::TempLocation is /tmp by default.

This gets CVE-2014-1420

Yes, the temp folder has been used until we get a proper path for it. Seems we can use XDG_RUNTIME_DIR i.e. QStandardPaths::RuntimeLocation for it as it will be cleared on reboot same way as /tmp is.

I'm afraid we are not gonna be able to fix this for Trusty, only for Utopic. We have been asked not to back port toolkit to Trusty.

Then the status should probably be "Won’t Fix", not "Invalid".

I'm sorry, Olivier, I cannot set it to "Won't fix". It doesn't let me do that.

Not fixing this for trusty is not an option. This package is in the main pocket, which means it is officially supported for the life of the LTS release, including security updates.

If someone can confirm that the fix in the merge request above also applies to Trusty, the security team can push out the fix.

Fix committed into lp:~ubuntu-sdk-team/ubuntu-ui-toolkit/staging at revision None, scheduled for release in ubuntu-ui-toolkit, milestone Unknown

Marc, as you said, Trusty has this, and therefore the fix also applies to Trusty too.

This was fixed in ubuntu-ui-toolkit (1.1.1188+14.10.20140813.4-0ubuntu1)
by http://bazaar.launchpad.net/~ubuntu-sdk-team/ubuntu-ui-toolkit/staging/revision/1182