Your message dated Mon, 23 Sep 2019 14:45:41 +0200
with message-id <[email protected]>
and subject line Fixed in tuxpaint 1:0.9.23-1
has caused the Debian Bug report #914044,
regarding HOME=/tmp kbuildsycoca5 is bad
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
914044: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914044
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: tuxpaint
Version: 1:0.9.23-1
Severity: important
Tags: security
tuxpaint runs "HOME=/tmp kbuildsycoca5" during build. I'm not exactly
sure what this does, but I see a number of issues with doing so:
* kbuildsycoca5 reads /tmp/.config/QtProject/qtlogging.ini. I'm not
sure whether that can be turned into a privilege escalation.
* kbuildsycoca5 reads various locales from /tmp. Again I'm not sure
whether malicious locales could be used to take over the process.
* kbuildsycoca5 tries to create a directory /tmp/.cache. If that
location is occupied with a regular file, the build fails (FTBFS).
* kbuildsycoca5 reads /tmp/.config/kbuildsycoca5rc.
This looks like plenty of surface and the chances that this code is
fully covered against that scenario are dim. It seems very likely that
a privilege escalation is underneath. Using HOME=/tmp looks like a
recipe for disaster.
I question the need to call this at all during a package build.
kbuildsycoca5 is meant to modify a per-user cache, but that cache is not
installed into the binary package. Possibly removing the command is the
simplest fix.
Helmut
--- End Message ---
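The failure modes the report lists follow directly from how XDG-aware tools derive their paths from HOME: with HOME=/tmp, "$HOME/.config" and "$HOME/.cache" become /tmp/.config and /tmp/.cache, locations any local user can pre-populate. The script below is an added example, not code from the bug report, from tuxpaint's packaging, or from KDE. It does not run the real kbuildsycoca5; "fake_tool" is a hypothetical stand-in that mimics the two behaviours named above (reading $HOME/.config/kbuildsycoca5rc and creating $HOME/.cache), and a scratch directory stands in for the shared /tmp so the demo never touches the real one. It shows the planted-file FTBFS case and the private-HOME alternative for a build that cannot simply drop the call.

```shell
#!/bin/sh
# Added example (not part of the bug report or the tuxpaint package).
# Demonstrates why HOME=<world-writable dir> is unsafe for a tool that
# honours XDG defaults, and the mktemp-based private HOME alternative.
set -u

# Make the demo deterministic regardless of the caller's environment.
unset XDG_CONFIG_HOME XDG_CACHE_HOME

# Paths a HOME-honouring tool resolves under the XDG Base Directory
# defaults: XDG_CONFIG_HOME=$HOME/.config and XDG_CACHE_HOME=$HOME/.cache.
# Prints the config dir on the first line and the cache dir on the second.
xdg_paths() {
    home=$1
    printf '%s\n%s\n' "${XDG_CONFIG_HOME:-$home/.config}" \
                      "${XDG_CACHE_HOME:-$home/.cache}"
}

# Hypothetical stand-in for kbuildsycoca5 (assumption: the real tool's
# parsing is not reproduced). It consumes $HOME/.config/kbuildsycoca5rc
# if present and must create $HOME/.cache. Returns 1 when the cache
# directory cannot be created, which is the FTBFS case from the report.
fake_tool() {
    home=$1
    rc="$home/.config/kbuildsycoca5rc"
    if [ -f "$rc" ]; then
        echo "consumed config from $rc: $(cat "$rc")"
    fi
    mkdir -p "$home/.cache" 2>/dev/null || return 1
    echo "cache directory ready at $home/.cache"
}

# The bug: HOME points at a shared directory. Simulate another local user
# having planted an rc file and a regular file where the cache dir goes.
# Returns the tool's exit status (1 here, because mkdir fails on a file).
run_shared() {
    shared=$1
    mkdir -p "$shared/.config"
    echo 'planted by another user' > "$shared/.config/kbuildsycoca5rc"
    : > "$shared/.cache"          # regular file, not a directory
    HOME=$shared fake_tool "$shared"
}

# The fix if the call must stay: a fresh, private, mode-0700 HOME that
# no other user could have pre-populated. Returns the tool's exit status.
run_private() {
    priv=$(mktemp -d)
    HOME=$priv fake_tool "$priv"
    status=$?
    rm -rf "$priv"
    return $status
}

# Stand-alone run against a scratch directory playing the role of /tmp.
if [ "${1:-}" = demo ]; then
    scratch=$(mktemp -d)
    echo "== shared HOME ($scratch/shared) =="
    run_shared "$scratch/shared" || echo "build step FAILED (exit $?)"
    echo "== private HOME =="
    run_private && echo "build step OK"
    rm -rf "$scratch"
fi
```

Run it as `sh demo.sh demo`. The shared-HOME run prints the planted config contents before failing on the cache directory, which is the point of the report: even the benign outcome (FTBFS) shows the tool trusting whatever sits under the shared HOME. The simplest fix for the package is still the one Helmut proposes, dropping the call entirely, since the per-user cache it writes never reaches the binary package.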