Comment 0 for bug 2044373

fossfreedom (fossfreedom) wrote :

Tracking bug report

DRAFT TO BE COMPLETED

[ Impact ]

 * The Ubuntu Budgie team have been notified of several issues that
require CVEs to be assigned to the budgie-extras package in mantic.
budgie-extras is specific to the budgie-desktop and is in the universe
repo. No other flavours use this package.

The recommendation from the openSUSE security team is for one CVE per
binary. The report details 4 potential CVEs. Analysis by the UB team has
determined that a further two CVEs are warranted, since the issues
identified apply to two further binaries.

Thus a total of 6 CVEs.

All the CVEs are based around a similar issue - usage of temporary
files in /tmp which are easily guessable for a system with two or more
users - one user could in theory craft temporary files that would
impact another user of these budgie based binaries.

[ Test Plan ]

 * Since this issue has now switched the stored location to user-space, the test plan needs to:
a) ensure the existing capabilities work as expected;
b) verify that /tmp is NOT being used and that the transitory files are being written to the user-space locations, i.e. that $XDG_RUNTIME_DIR or $HOME is being used instead.

Use the following notify script (save as ~/notifydir.sh and chmod +x ~/notifydir.sh) to watch a folder - run it in three tilix sessions:

#!/bin/bash
# Watch a directory and report every file that is created in it or moved
# into it (needs inotify-tools: sudo apt install inotify-tools).

monitor_path="$1"

if [ -z "$monitor_path" ] || [ ! -d "$monitor_path" ]; then
    echo "usage: $0 <directory>" >&2
    exit 1
fi

# inotifywait -m prints one line per event: "<dir> <EVENT> <file>"
inotifywait -m "$monitor_path" -e create -e moved_to |
    while read -r path action file; do
        echo "The file '$file' appeared in directory '$path' via '$action'"
        ls -la "$path/$file"
    done

i.e. in session 1 run ~/notifydir.sh /tmp
in session 2 run ~/notifydir.sh "$XDG_RUNTIME_DIR"
in session 3 run ~/notifydir.sh "$HOME"

 1. From budgie desktop settings add one of the affected applets:
budgie-takeabreak
budgie-dropby
budgie-clockworks
budgie-weathershow

 2a. For takeabreak enable a takeabreak action.
 2b. For dropby, insert a USB stick and mount the stick.
 2c. For clockworks create another clock.
 2d. For weathershow, change to another location and open the popup to show the weather.
 3. For all of the above examine the tilix sessions. Session 1 should not show temporary files being written in /tmp. Note that you will see other temporary files from the operating system in general, but that is expected.

Session 2 for UB should show files being written.

Session 3 for UB should not show any screenshot files being written. This is as expected because UB should not normally use the fallback folder.
 4. Repeat for the other applets.
 5. Repeat but enable budgie window previews by the menu application (search for previews).
 6. Repeat but enable budgie window shuffler by the menu application (search for shuffler).

[ Where problems could occur ]

 * The issue is specific to budgie-desktop users only and is limited to one specific capability of budgie, i.e. a specific applet or budgie application (window previews/window shuffler).
 * If the user-space locations (XDG_RUNTIME_DIR or HOME) do not exist, then the applet/budgie application will not capture the image. It is considered highly unlikely that a budgie-desktop user will be attempting to run a session without a HOME folder location, i.e. the ultimate fallback each applet/budgie application requires.

[ Other Info ]

 * The budgie team have tested the above for jammy, lunar and mantic.
The testing involves applying the debdiffs for each series and building via sbuild. The applet/application binaries have then been installed via sudo apt install ./appletapplication.deb
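The following Python is an added illustration of the issue and the fix described in this report; it is not code from budgie-extras or from the debdiffs, and APP_NAME, the function names and the "screenshot-" file prefix are assumptions. It shows the vulnerable pattern (a fixed, guessable file name under the shared /tmp) beside a replacement that picks a per-user location in the order the report gives ($XDG_RUNTIME_DIR, then $HOME), creates the applet's own subdirectory with mode 0700, refuses a planted symlink or a directory owned by someone else, and creates each transitory file with O_EXCL so that a pre-created file or symlink cannot be followed. When neither user-space location exists it returns None rather than falling back to /tmp, matching the behaviour described under "Where problems could occur".

```python
import os
import stat
import tempfile

APP_NAME = "example-applet"  # hypothetical applet name, not one of the budgie-extras binaries


def predictable_tmp_path(app=APP_NAME):
    """The vulnerable pattern: a fixed, guessable file name in the shared /tmp.

    On a multi-user system any other local user can create this path (or a
    symlink at it) ahead of the victim, so whatever the applet later writes
    lands where the attacker chose.
    """
    return os.path.join(tempfile.gettempdir(), f"{app}-screenshot.png")


def _usable_private_dir(path):
    """True if path is an existing directory that we own, is not a symlink,
    and is not readable/writable by group or other."""
    try:
        st = os.lstat(path)  # lstat: do not follow a planted symlink
    except OSError:
        return False
    if not stat.S_ISDIR(st.st_mode):
        return False
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        return False
    return (st.st_mode & 0o077) == 0


def private_runtime_dir(app=APP_NAME, environ=None):
    """Pick a per-user directory for transitory files: $XDG_RUNTIME_DIR
    first, then $HOME, else None (no fallback to /tmp).

    The applet's own subdirectory is created with mode 0700; if it already
    exists it must still pass the ownership/permission checks above.
    """
    env = os.environ if environ is None else environ
    for base in (env.get("XDG_RUNTIME_DIR"), env.get("HOME")):
        if not base or not os.path.isdir(base):
            continue
        candidate = os.path.join(base, app)
        try:
            os.mkdir(candidate, 0o700)
        except FileExistsError:
            pass  # verify it below instead of trusting it
        except OSError:
            continue
        if _usable_private_dir(candidate):
            return candidate
    return None


def new_transitory_file(app=APP_NAME, suffix=".png", environ=None):
    """Create a uniquely named file (O_CREAT|O_EXCL, mode 0600) inside the
    private directory and return its path, or None if no user-space
    location is available."""
    directory = private_runtime_dir(app, environ)
    if directory is None:
        return None
    fd, path = tempfile.mkstemp(prefix="screenshot-", suffix=suffix, dir=directory)
    os.close(fd)
    return path


if __name__ == "__main__":
    print("vulnerable:", predictable_tmp_path())
    print("hardened:  ", new_transitory_file())
```

Passing an explicit environ dict makes the location choice testable without touching the real session; the applet itself would call the functions with the default, i.e. the real environment, and the inotify sessions from the test plan would then show the file appearing under $XDG_RUNTIME_DIR and nothing appearing in /tmp.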