| 2023-11-23 12:51:59 |
fossfreedom |
bug |
|
|
added bug |
| 2023-11-23 13:11:24 |
fossfreedom |
nominated for series |
|
Ubuntu Mantic |
|
| 2023-11-23 13:11:24 |
fossfreedom |
bug task added |
|
budgie-extras (Ubuntu Mantic) |
|
| 2023-11-23 13:11:24 |
fossfreedom |
nominated for series |
|
Ubuntu Lunar |
|
| 2023-11-23 13:11:24 |
fossfreedom |
bug task added |
|
budgie-extras (Ubuntu Lunar) |
|
| 2023-11-23 13:11:24 |
fossfreedom |
nominated for series |
|
Ubuntu Noble |
|
| 2023-11-23 13:11:24 |
fossfreedom |
bug task added |
|
budgie-extras (Ubuntu Noble) |
|
| 2023-11-23 13:11:24 |
fossfreedom |
nominated for series |
|
Ubuntu Jammy |
|
| 2023-11-23 13:11:24 |
fossfreedom |
bug task added |
|
budgie-extras (Ubuntu Jammy) |
|
| 2023-11-23 13:11:36 |
fossfreedom |
budgie-extras (Ubuntu Noble): assignee |
|
fossfreedom (fossfreedom) |
|
| 2023-11-23 13:11:41 |
fossfreedom |
budgie-extras (Ubuntu Noble): importance |
Undecided |
High |
|
| 2023-11-23 13:11:46 |
fossfreedom |
budgie-extras (Ubuntu Mantic): importance |
Undecided |
High |
|
| 2023-11-23 13:11:49 |
fossfreedom |
budgie-extras (Ubuntu Lunar): importance |
Undecided |
High |
|
| 2023-11-23 13:11:52 |
fossfreedom |
budgie-extras (Ubuntu Jammy): importance |
Undecided |
High |
|
| 2023-11-23 13:13:29 |
fossfreedom |
description |
Tracking bug report
DRAFT TO BE COMPLETED
[ Impact ]
* The Ubuntu Budgie team have been notified of several issues that
require CVE's to be assigned to the budgie-extras package in mantic.
budgie-extras is specific to the budgie-desktop and is in the universe
repo. No other flavours use this package.
The recommendation from the opensuse security team is for one CVE per
binary. The report details 4 potential CVEs. Analysis by the UB team have determined a further two CVEs are warranted since the issues identified apply to two further binaries.
Thus a total of 6 CVEs.
All the CVEs are based around a similar issue - usage of temporary
files in /tmp which are easily guessable for a system with two or more
users - one user could in theory craft temporary files that would
impact another user of these budgie based binaries.
[ Test Plan ]
* Since this issue has now switched the stored location to user-space the test plan needs to:
a) ensure the existing capabilities works as expected;
b) verify that /tmp is NOT being used and that the transitory files are being written to the user-space locations i.e. $XDG_RUNTIME_DIR or $HOME are being used instead.
Use the following notify script (save as ~/notifydir.sh and chmod +x ~/notifydir.sh) to watch a folder - run it in three tilix sessions:
#!/bin/bash
monitor_path="$1"
inotifywait -m "$monitor_path" -e create -e moved_to |
while read path action file; do
echo "The file '$file' appeared in directory '$path' via '$action'"
ls -la "$path/$file"
done
i.e. in session 1 run ~/notifydir.sh /tmp
in session 2 run ~/notifydir.sh $XDG_RUNTIME
in session 3 run ~/notifydir.sh $HOME
1. From budgie desktop settings add one of the affected applets:
budgie-takeabreak
budgie-dropby
budgie-clockworks
budgie-weathershow
2a. For takeabreak enable a takeabreak action.
2b. For dropby, insert a USB stick and mount the stick
2c. For clockworks create another clock
2d. For weathershow - change to another location and open the popup to show the weather
3.
For all of the above examine the tilix sessions. Session 1 should not show temporary files being written in /tmp. Note you will see other temporary files for the operating system in general but that should be expected
Session 2 for UB should show files being written.
Session 3 for UB should not show any screenshot files being written. This is as expected because UB should not normally use the fallback folder.
4. Repeat for the other applets
5. Repeat but enable budgie window previews by the menu application (search for previews)
6. Repeat but enable budgie window shuffler by the menu application (search for shuffler)
[ Where problems could occur ]
* The issue is specific to budgie-desktop users only and is limited to one specific capability of budgie i.e. a specific applet or budgie application (window previews/window shuffler)
* If the user space locations - XDG_RUNTIME_DIR or HOME do not exist then the applet/budgie application will not capture the image. It is considered that it is highly unlikely that a budgie-desktop user will be attempting to run a session without a HOME folder location i.e. the ultimately fallback each applet/budgie application requires
[ Other Info ]
* The budgie team have tested the above for jammy, lunar and mantic.
The testing involves applying the debdiff's for each series and building via sbuild. The applet/application binaries have then been installed via sudo apt install ./appletapplication.deb |
Tracking bug report
DRAFT TO BE COMPLETED
[ Impact ]
* The Ubuntu Budgie team have been notified of several issues that
require CVE's to be assigned to the budgie-extras package in mantic.
budgie-extras is specific to the budgie-desktop and is in the universe
repo. No other flavours use this package.
The recommendation from the opensuse security team is for one CVE per
binary. The report details 4 potential CVEs. Analysis by the UB team have determined a further two CVEs are warranted since the issues identified apply to two further binaries.
Thus a total of 6 CVEs.
All the CVEs are based around a similar issue - usage of temporary
files in /tmp which are easily guessable for a system with two or more
users - one user could in theory craft temporary files that would
impact another user of these budgie based binaries.
[ Test Plan ]
* Since this issue has now switched the stored location to user-space the test plan needs to:
a) ensure the existing capabilities works as expected;
b) verify that /tmp is NOT being used and that the transitory files are being written to the user-space locations i.e. $XDG_RUNTIME_DIR or $HOME are being used instead.
Use the following notify script (save as ~/notifydir.sh and chmod +x ~/notifydir.sh) to watch a folder - run it in three tilix sessions:
#!/bin/bash
monitor_path="$1"
inotifywait -m "$monitor_path" -e create -e moved_to |
while read path action file; do
echo "The file '$file' appeared in directory '$path' via '$action'"
ls -la "$path/$file"
done
i.e. in session 1 run ~/notifydir.sh /tmp
in session 2 run ~/notifydir.sh $XDG_RUNTIME
in session 3 run ~/notifydir.sh $HOME
1. From budgie desktop settings add one of the affected applets:
budgie-takeabreak
budgie-dropby
budgie-clockworks
budgie-weathershow
2a. For takeabreak enable a takeabreak action.
2b. For dropby, insert a USB stick and mount the stick
2c. For clockworks create another clock
2d. For weathershow - change to another location and open the popup to show the weather
3.
For all of the above examine the tilix sessions. Session 1 should not show temporary files being written in /tmp. Note you will see other temporary files for the operating system in general but that should be expected
Session 2 for UB should show files being written.
Session 3 for UB should not show any screenshot files being written. This is as expected because UB should not normally use the fallback folder.
4. Repeat for the other applets
5. Repeat but enable budgie window previews by the menu application (search for previews)
6. Repeat but enable budgie window shuffler by the menu application (search for shuffler)
[ Where problems could occur ]
* The issue is specific to budgie-desktop users only and is limited to one specific capability of budgie i.e. a specific applet or budgie application (window previews/window shuffler)
* If the user space locations - XDG_RUNTIME_DIR or HOME do not exist then the applet/budgie application will not capture the image. It is considered that it is highly unlikely that a budgie-desktop user will be attempting to run a session without a HOME folder location i.e. the ultimately fallback each applet/budgie application requires
[ Other Info ]
* The budgie team have tested the above for jammy, lunar and mantic.
The testing involves applying the debdiff's for each series and building via sbuild. The applet/application binaries have then been installed via sudo apt install ./appletapplication.deb
* For noble there will be a version bump from github - v1.7.1 that has been/will be uploaded first to Debian unstable before sync'ing to noble. |
|
| 2023-11-23 14:40:51 |
Marc Deslauriers |
bug |
|
|
added subscriber Ubuntu Security Sponsors Team |
| 2023-11-27 03:37:20 |
Mark Esler |
cve linked |
|
2023-49342 |
|
| 2023-11-27 03:37:20 |
Mark Esler |
cve linked |
|
2023-49343 |
|
| 2023-11-27 03:37:20 |
Mark Esler |
cve linked |
|
2023-49344 |
|
| 2023-11-27 03:37:20 |
Mark Esler |
cve linked |
|
2023-49345 |
|
| 2023-11-27 03:37:20 |
Mark Esler |
cve linked |
|
2023-49346 |
|
| 2023-11-27 03:37:20 |
Mark Esler |
cve linked |
|
2023-49347 |
|
| 2023-11-27 03:46:46 |
Mark Esler |
bug |
|
|
added subscriber Mark Esler |
| 2023-11-27 03:47:00 |
Mark Esler |
bug |
|
|
added subscriber Nishit Majithia |
| 2023-11-29 22:17:28 |
fossfreedom |
attachment added |
|
jammy.debdiff https://bugs.launchpad.net/ubuntu/+source/budgie-extras/+bug/2044373/+attachment/5724835/+files/jammy.debdiff |
|
| 2023-11-29 22:17:57 |
fossfreedom |
attachment added |
|
lunar.debdiff https://bugs.launchpad.net/ubuntu/+source/budgie-extras/+bug/2044373/+attachment/5724836/+files/lunar.debdiff |
|
| 2023-11-29 22:18:18 |
fossfreedom |
attachment added |
|
mantic.debdiff https://bugs.launchpad.net/ubuntu/+source/budgie-extras/+bug/2044373/+attachment/5724837/+files/mantic.debdiff |
|
| 2023-11-29 22:43:56 |
fossfreedom |
attachment removed |
mantic.debdiff https://bugs.launchpad.net/ubuntu/+source/budgie-extras/+bug/2044373/+attachment/5724837/+files/mantic.debdiff |
|
|
| 2023-11-29 22:44:03 |
fossfreedom |
attachment removed |
lunar.debdiff https://bugs.launchpad.net/ubuntu/+source/budgie-extras/+bug/2044373/+attachment/5724836/+files/lunar.debdiff |
|
|
| 2023-11-29 22:44:10 |
fossfreedom |
attachment removed |
jammy.debdiff https://bugs.launchpad.net/ubuntu/+source/budgie-extras/+bug/2044373/+attachment/5724835/+files/jammy.debdiff |
|
|
| 2023-11-29 22:56:45 |
fossfreedom |
attachment added |
|
jammy.debdiff https://bugs.launchpad.net/ubuntu/+source/budgie-extras/+bug/2044373/+attachment/5724838/+files/jammy.debdiff |
|
| 2023-11-29 22:57:27 |
fossfreedom |
attachment added |
|
lunar.debdiff https://bugs.launchpad.net/ubuntu/+source/budgie-extras/+bug/2044373/+attachment/5724839/+files/lunar.debdiff |
|
| 2023-11-29 22:58:16 |
fossfreedom |
attachment added |
|
mantic.debdiff https://bugs.launchpad.net/ubuntu/+source/budgie-extras/+bug/2044373/+attachment/5724840/+files/mantic.debdiff |
|
| 2023-12-07 19:20:19 |
Leonidas S. Barbosa |
budgie-extras (Ubuntu Jammy): assignee |
|
Leonidas S. Barbosa (leosilvab) |
|
| 2023-12-07 19:20:20 |
Leonidas S. Barbosa |
budgie-extras (Ubuntu Lunar): assignee |
|
Leonidas S. Barbosa (leosilvab) |
|
| 2023-12-07 19:20:22 |
Leonidas S. Barbosa |
budgie-extras (Ubuntu Mantic): assignee |
|
Leonidas S. Barbosa (leosilvab) |
|
| 2023-12-14 14:29:05 |
Launchpad Janitor |
budgie-extras (Ubuntu Noble): status |
New |
Fix Released |
|
| 2023-12-14 16:05:19 |
Launchpad Janitor |
budgie-extras (Ubuntu Mantic): status |
New |
Fix Released |
|
| 2023-12-14 16:05:21 |
Launchpad Janitor |
budgie-extras (Ubuntu Jammy): status |
New |
Fix Released |
|
| 2023-12-14 16:43:34 |
Launchpad Janitor |
budgie-extras (Ubuntu Lunar): status |
New |
Fix Released |
|
| 2023-12-14 21:53:16 |
Mark Esler |
information type |
Private Security |
Public Security |
|
