Hello community,

here is the log from the commit of package Cadence for openSUSE:Factory checked 
in at 2023-09-06 18:59:48
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/Cadence (Old)
 and      /work/SRC/openSUSE:Factory/.Cadence.new.1766 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "Cadence"

Wed Sep  6 18:59:48 2023 rev:3 rq:1109239 version:0.9.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/Cadence/Cadence.changes  2022-10-03 
13:47:36.125724293 +0200
+++ /work/SRC/openSUSE:Factory/.Cadence.new.1766/Cadence.changes        
2023-09-06 19:04:09.616321376 +0200
@@ -1,0 +2,8 @@
+Wed Sep  6 08:24:14 UTC 2023 - Simon Lees <[email protected]>
+
+- Fix security bugs related to use of Fixed Temporary Files.
+  (bsc#1213330, bsc#1213983, bsc#1213985)
+  * 0001-cadence_aloop_daemon-place-lockfile-into-non-public-.patch
+  * 0001-cadence.py-wine-ASIO-settings-use-safe-tempfile.patch
+
+-------------------------------------------------------------------

New:
----
  0001-cadence.py-wine-ASIO-settings-use-safe-tempfile.patch
  0001-cadence_aloop_daemon-place-lockfile-into-non-public-.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ Cadence.spec ++++++
--- /var/tmp/diff_new_pack.DqC7EG/_old  2023-09-06 19:04:11.004370858 +0200
+++ /var/tmp/diff_new_pack.DqC7EG/_new  2023-09-06 19:04:11.008371000 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package Cadence
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -24,6 +24,8 @@
 Group:          Productivity/Multimedia/Sound/Utilities
 URL:            https://kx.studio/Applications:Cadence
 Source:         
https://github.com/falkTX/Cadence/archive/v%{version}/%{name}-%{version}.tar.gz
+Patch1:         0001-cadence_aloop_daemon-place-lockfile-into-non-public-.patch
+Patch2:         0001-cadence.py-wine-ASIO-settings-use-safe-tempfile.patch
 BuildRequires:  alsa-devel
 BuildRequires:  dbus-1-python3-devel
 BuildRequires:  libjack-devel
@@ -54,7 +56,7 @@
 Some of these also have sub-tools, such as Cadence-JackMeter and 
Claudia-Launcher.
 
 %prep
-%setup -q -n Cadence-%{version}
+%autosetup -p1 -n Cadence-%{version}
 
 %build
 export CXXFLAGS="%{optflags}"

++++++ 0001-cadence.py-wine-ASIO-settings-use-safe-tempfile.patch ++++++
>From 3fdff274c40795ad6a24891066358aa7a3953962 Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <[email protected]>
Date: Tue, 22 Aug 2023 14:28:33 +0200
Subject: [PATCH] cadence.py: wine ASIO settings: use safe tempfile

This fixed tempfile path poses a security issue that might even allow
other users on the system to inject arbitrary wine registry settings if
the protect_symlinks and protect_regular kernel protections are not enabled.

Use a proper NamedTemporaryFile to pass the data to regedit to fix this.
---
 src/cadence.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/cadence.py b/src/cadence.py
index 714e2d6..fddadfb 100755
--- a/src/cadence.py
+++ b/src/cadence.py
@@ -47,6 +47,8 @@ from shared_settings import *
 # Import getoutput
 
 from subprocess import getoutput
+import tempfile
+import subprocess
 
 # 
------------------------------------------------------------------------------------------------------------
 # Try Import DBus
@@ -2095,11 +2097,10 @@ class CadenceMainW(QMainWindow, 
ui_cadence.Ui_CadenceMainW):
             REGFILE += '"Number of outputs"=dword:000000%s\n' % 
smartHex(self.sb_wineasio_outs.value(), 2)
             REGFILE += '"Preferred buffersize"=dword:0000%s\n' % 
smartHex(int(self.cb_wineasio_bsizes.currentText()), 4)
 
-            writeFile = open("/tmp/cadence-wineasio.reg", "w")
-            writeFile.write(REGFILE)
-            writeFile.close()
-
-            os.system("regedit /tmp/cadence-wineasio.reg")
+            with tempfile.NamedTemporaryFile('w') as tmpfile:
+                tmpfile.write(REGFILE)
+                tmpfile.flush()
+                subprocess.run(["regedit", tmpfile.name])
 
         self.settings_changed_types = []
         self.frame_tweaks_settings.setVisible(False)
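Review bot: The exit status of regedit is still discarded on the `subprocess.run(["regedit", tmpfile.name])` line, so a failed import leaves the user believing the wine ASIO settings were applied; the old `os.system` call had the same gap, but since the call is being rewritten anyway, `subprocess.run(["regedit", tmpfile.name], check=True)` (or inspecting `.returncode` and reporting it in the UI) would surface the failure. `NamedTemporaryFile('w')` opens the file with the locale encoding; if the .reg content must be in a specific encoding, pass `encoding=` explicitly rather than relying on the environment. The temporary file is created with a unique name and owner-only permissions and is removed when the `with` block exits, which is what closes the fixed-path issue described in the commit message. The enclosing method starts and ends outside the hunk.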
-- 
2.41.0


++++++ 0001-cadence_aloop_daemon-place-lockfile-into-non-public-.patch ++++++
>From 986a26147fa85fc3b2727a13c478b12994555e4a Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <[email protected]>
Date: Tue, 22 Aug 2023 14:06:40 +0200
Subject: [PATCH] cadence_aloop_daemon: place lockfile into non-public
 directory

The fixed /tmp path for the lock / shutdown handling of the daemon is
problematic security-wise, since any other user on the system can block
this path. This also makes parallel instances for multiple user accounts
impossible.

Select a location in the user's /run directory or in its home directory
(as a fallback).
---
 src/cadence.py              | 3 ++-
 src/cadence_aloop_daemon.py | 5 +++--
 src/shared.py               | 8 ++++++++
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/src/cadence.py b/src/cadence.py
index 87a14a8..714e2d6 100755
--- a/src/cadence.py
+++ b/src/cadence.py
@@ -38,6 +38,7 @@ import ui_cadence_tb_alsa
 import ui_cadence_tb_a2j
 import ui_cadence_tb_pa
 import ui_cadence_rwait
+from shared import getDaemonLockfile
 from shared_cadence import *
 from shared_canvasjack import *
 from shared_settings import *
@@ -1710,7 +1711,7 @@ class CadenceMainW(QMainWindow, 
ui_cadence.Ui_CadenceMainW):
 
     @pyqtSlot()
     def slot_AlsaBridgeStop(self):
-        checkFile = "/tmp/.cadence-aloop-daemon.x"
+        checkFile = self.getDaemonLockfile("cadence-aloop-daemon")
         if os.path.exists(checkFile):
             os.remove(checkFile)
 
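Review bot: `checkFile = self.getDaemonLockfile("cadence-aloop-daemon")` calls the helper as a method of CadenceMainW, but the same patch brings it in as a module-level function (`from shared import getDaemonLockfile` in the preceding hunk) and the daemon side calls it directly as `getDaemonLockfile(...)`. Unless the class already defines or inherits a method of that name, which is not visible here, this raises AttributeError when the user stops the ALSA bridge, and the lock file would then never be removed, so the daemon keeps running. The line should read `checkFile = getDaemonLockfile("cadence-aloop-daemon")`. slot_AlsaBridgeStop continues past the end of the hunk.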
diff --git a/src/cadence_aloop_daemon.py b/src/cadence_aloop_daemon.py
index c8408ef..b53f64d 100755
--- a/src/cadence_aloop_daemon.py
+++ b/src/cadence_aloop_daemon.py
@@ -33,6 +33,7 @@ else:
 # Imports (Custom Stuff)
 
 import jacklib
+from shared import getDaemonLockfile
 
 # --------------------------------------------------
 # Auto re-activate if on good kernel
@@ -50,7 +51,7 @@ doRunNow  = True
 useZita   = False
 procIn    = QProcess()
 procOut   = QProcess()
-checkFile = "/tmp/.cadence-aloop-daemon.x"
+checkFile = getDaemonLockfile("cadence-aloop-daemon")
 
 # --------------------------------------------------
 # Global JACK variables
@@ -161,7 +162,7 @@ if __name__ == '__main__':
     client = jacklib.client_open("cadence-aloop-daemon", 
jacklib.JackUseExactName, None)
 
     if not client:
-        print("cadence-aloop-daemon is already running, delete 
\"/tmp/.cadence-aloop-daemon.x\" to close it")
+        print("cadence-aloop-daemon is already running, delete \"{}\" to close 
it".format(checkFile))
         quit()
 
     if jacklib.JACK2:
diff --git a/src/shared.py b/src/shared.py
index 2df4d54..e65d292 100644
--- a/src/shared.py
+++ b/src/shared.py
@@ -312,3 +312,11 @@ def setIcons(self_, modes):
     if "misc" in modes:
         gGui.ui.act_quit.setIcon(getIcon("application-exit"))
         gGui.ui.act_configure.setIcon(getIcon("configure"))
+
+def getDaemonLockfile(base):
+    lockdir = os.environ.get("XDG_RUNTIME_DIR", None)
+    if not lockdir:
+        lockdir = os.path.expanduser("~")
+
+    return os.path.join(lockdir, "{}-lock".format(base))
+
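Review bot: The new getDaemonLockfile has no docstring, and its fallback drops the lock file straight into the user's home directory (`~/cadence-aloop-daemon-lock`) when XDG_RUNTIME_DIR is unset or empty, which is worth stating explicitly since the location is the security property this patch introduces; a docstring such as `"""Return a per-user path for *base*'s lock file: $XDG_RUNTIME_DIR when set, otherwise the user's home directory, so other users cannot pre-create or block it as they could under /tmp."""` would capture that. Note the function only chooses the path; whether the file is later created with exclusive or restrictive flags is up to the callers and is not visible in this patch. It also relies on `os` already being imported in shared.py, which this hunk does not show.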
-- 
2.41.0
