DistUpgrade/DistUpgradeViewKDE.py uses mktemp -- which is insecure
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
update-manager (Ubuntu) |
Fix Released
|
Medium
|
Michael Vogt |
Bug Description
The DistUpgradeViewKDE class performs a copy of "the xauthority file before it removes it when Adept is killed".
However, when it does this it uses the tempfile.mktemp function (which is insecure) when it (IMHO) should be using the tempfile.mkstemp function (secure).
The vulnerable code is the following:
#kdesu requires us to copy the xauthority file before it removes it when Adept is killed
copyXauth = tempfile.mktemp("", "adept")
if 'XAUTHORITY' in os.environ and os.environ[
<--- so if can attacker can win the race between the mktemp call to create a ~random file-name and before shutil.copy is called (if XAUTHORITY is in the user's environment and the tempfile isn't the same as the current XAUTHORITY file) they can obtain the contents of the user's XAUTHORITY file. (shutil.copy ends up writing to the destination file before copying over the permissions on the file, if this order was reversed then it probably wouldn't be vulnerable :-) ).
visibility: | private → public |
Michael, could you please take a look at this? Thanks