Your message dated Tue, 21 May 2024 09:19:11 +0000 with message-id <e1s9lej-008kih...@fasolo.debian.org> and subject line Bug#1070113: fixed in kylin-nm 3.0.3.1-2 has caused the Debian Bug report #1070113, regarding kylin-nm: predictable filenames under /tmp with system() to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
1070113: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070113
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: kylin-nm
Version: 3.0.3.1-1
Severity: grave
Tags: security
Justification: user security hole

Hi,

the kylin_network_get_activecon_info() function in
src/kylin-network-interface.c uses predictable filenames under /tmp
and invokes system() on it:

| activecon *kylin_network_get_activecon_info()
| {
|     struct passwd *pwd;
|     pwd = getpwuid(getuid());
|     char *name = pwd->pw_name;
|     char *tmpPrefix = "/tmp/kylin-nm-activecon-";
|     char *chr = "nmcli connection show -active > ";
|
|     char *cmd;
|     asprintf(&cmd, "%s%s%s", chr, tmpPrefix, name);
|     char *path;
|     asprintf(&path, "%s%s", tmpPrefix, name);
|     int status = system(cmd);
|     if (status != 0)
|         syslog(LOG_ERR, "execute 'nmcli connection show -active' in function 'kylin_network_get_activecon_info' failed");
|     free(cmd);

Predictable filenames under /tmp and executing system() on it is highly
problematic and a potential security issue. It should instead use e.g.
mkstemp() and the execl-family of functions or similar.

FTR: the same code is present also in ukui-screensaver, which seems to
have a copy of the KylinNM source code included.

regards
-mika-
--- End Message ---
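The fix the report asks for, written out as an added example. This is neither kylin-nm's code nor the Debian patch fix-security-issue-predictable-filenames-with-system (whose contents are not shown here); it only illustrates the two changes the reporter suggests. The output file is created with mkstemp(), which opens with O_CREAT|O_EXCL and mode 0600 under a random suffix, so a symlink or file pre-planted at a guessable /tmp name cannot be followed or reused; the name is unlinked immediately so nothing remains in /tmp to tamper with; and the program is started with execvp() from an argv array, so no shell ever re-parses a command string containing the user name. Honouring TMPDIR, the function names run_to_private_tempfile and run_and_capture, and using /bin/echo as a stand-in for nmcli in main() are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Added example, not kylin-nm's code. Replaces the reported pattern
 *     asprintf(&cmd, "nmcli connection show -active > /tmp/kylin-nm-activecon-%s", name);
 *     system(cmd);
 * whose two problems are: (1) the path is predictable, and the shell's ">"
 * opens it O_CREAT|O_TRUNC without O_EXCL and follows symlinks, so a local
 * attacker who pre-creates /tmp/kylin-nm-activecon-<user> as a symlink gets
 * the target clobbered with nmcli's output; (2) system() runs "/bin/sh -c",
 * so the command string (including the pw_name) is re-parsed by a shell.
 */

/* Run argv[0] with stdout redirected to a private, already-unlinked temp
 * file. Returns an fd positioned at the start of the output, or -1 on any
 * error (mkstemp/fork failure, exec failure, or non-zero exit status). */
int run_to_private_tempfile(char *const argv[])
{
    const char *dir = getenv("TMPDIR");          /* assumption: honour TMPDIR, else /tmp */
    char path[PATH_MAX];
    int n = snprintf(path, sizeof path, "%s/kylin-nm-activecon-XXXXXX",
                     (dir && *dir) ? dir : "/tmp");
    if (n < 0 || (size_t)n >= sizeof path)
        return -1;

    int fd = mkstemp(path);                      /* O_CREAT|O_EXCL, mode 0600, random suffix */
    if (fd < 0)
        return -1;
    (void)unlink(path);                          /* no name left in /tmp from here on */

    pid_t pid = fork();
    if (pid < 0) {
        close(fd);
        return -1;
    }
    if (pid == 0) {
        if (dup2(fd, STDOUT_FILENO) < 0)
            _exit(127);
        close(fd);
        execvp(argv[0], argv);                   /* argv passed verbatim, no shell parsing */
        _exit(127);                              /* only reached if exec failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) {
        close(fd);
        return -1;
    }
    if (lseek(fd, 0, SEEK_SET) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Convenience wrapper: run the command and copy its output, NUL-terminated,
 * into buf. Returns the number of bytes captured or -1 on error. */
ssize_t run_and_capture(char *const argv[], char *buf, size_t bufsz)
{
    if (bufsz == 0)
        return -1;
    int fd = run_to_private_tempfile(argv);
    if (fd < 0)
        return -1;
    size_t total = 0;
    while (total < bufsz - 1) {
        ssize_t r = read(fd, buf + total, bufsz - 1 - total);
        if (r < 0) {
            close(fd);
            return -1;
        }
        if (r == 0)
            break;
        total += (size_t)r;
    }
    close(fd);
    buf[total] = '\0';
    return (ssize_t)total;
}

int main(void)
{
    /* In kylin-nm the argv would be {"nmcli", "connection", "show", "--active", NULL};
     * /bin/echo is used here so the example runs without NetworkManager. */
    char *argv[] = {"/bin/echo", "Wired connection 1", NULL};
    char out[256];
    ssize_t n = run_and_capture(argv, out, sizeof out);
    if (n < 0) {
        perror("run_and_capture");
        return 1;
    }
    fputs(out, stdout);
    return 0;
}
```

A non-zero exit status or a failed exec both surface as -1 rather than as an empty file, which is the check the original code lost by only logging when system() returned non-zero. If the output is only ever consumed by the same process, a pipe (pipe(2) + fork + execvp) avoids the temporary file altogether and is the simpler option.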
--- Begin Message ---
Source: kylin-nm
Source-Version: 3.0.3.1-2
Done: handsome_feng <jianfen...@ubuntukylin.com>

We believe that the bug you reported is fixed in the latest version of
kylin-nm, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1070...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
handsome_feng <jianfen...@ubuntukylin.com> (supplier of updated kylin-nm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 21 May 2024 16:53:40 +0800
Source: kylin-nm
Architecture: source
Version: 3.0.3.1-2
Distribution: unstable
Urgency: medium
Maintainer: Kylin Team <team+ky...@tracker.debian.org>
Changed-By: handsome_feng <jianfen...@ubuntukylin.com>
Closes: 1070113
Changes:
 kylin-nm (3.0.3.1-2) unstable; urgency=medium
 .
   * Add patch: fix-security-issue-predictable-filenames-with-system.
     (Closes: #1070113)
Checksums-Sha1:
 1e73f987dcf9fda731fc75d109e0dd12a926605c 2104 kylin-nm_3.0.3.1-2.dsc
 33113de0280e90426bfe1c4b17e64d85b2ad5b35 329205 kylin-nm_3.0.3.1.orig.tar.gz
 c3930e7891eb2f668fb1430efea1ba7f06c9cce4 4680 kylin-nm_3.0.3.1-2.debian.tar.xz
 24b960db01d4b5de238ebce24ac0865171c8acee 12706 kylin-nm_3.0.3.1-2_source.buildinfo
Checksums-Sha256:
 47dbbe0c64258dd9909de7d295da45ebfc56d9aabbf2a4c25008147d7aaf92d3 2104 kylin-nm_3.0.3.1-2.dsc
 93152fedb61678724b8348c269cb6b670b77f1f5e973d818c3520a441b6a68ad 329205 kylin-nm_3.0.3.1.orig.tar.gz
 2272ea8d2768584e137e86dacc47a13661ed7b81abcfd55cea59163e6d6a4ebf 4680 kylin-nm_3.0.3.1-2.debian.tar.xz
 b9590a26ad653d5921c9d4b3526802642321bbd5064b681c99f3196b6d048cee 12706 kylin-nm_3.0.3.1-2_source.buildinfo
Files:
 75d1278ed4609f450ee6dbc7a4f8fa97 2104 utils optional kylin-nm_3.0.3.1-2.dsc
 3e501e67585da57e28c51d449806bd88 329205 utils optional kylin-nm_3.0.3.1.orig.tar.gz
 1d4cf2e972a3a0282acbfa958b9fc368 4680 utils optional kylin-nm_3.0.3.1-2.debian.tar.xz
 877dcd8dc01f2b5acad8facde08b02f3 12706 utils optional kylin-nm_3.0.3.1-2_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJPBAEBCAA5FiEEhsgAHpUwnacZWWSCm7hQwBMRHwwFAmZMYckbHGppYW5mZW5n
bGlAdWJ1bnR1a3lsaW4uY29tAAoJEJu4UMATER8M16gQAJubcnewwcXt41wAAceI
EYYK6E9VrR/R9mtvIDDCdJkMjXCHUdPi0xdgiRwg25c1tpMMZ9dqAt1fGCE1WqOD
8cBXS3Ga4Tc20huf5Jo2cwiD48yBALHP0mstxCD4POk3AX/AWnfiSofZHF4pgtvN
rH4ThaLRgoelh4mhQjO51TCehKpRVj16nhQ1Jmj55gyQmpUvBXltCUpzfLihduem
JI2XuuJ6rlxf7KxTQgPoG2/pBW07GUEUxX2484AeYQhibjKnkZJJkjGmayJ4Sl/Y
hElqkdmfGtXhhjjCeWZ7Lr4TWtNEXyQXrUBpeugpvorcQL8nCi/bxiKmAo2QexaH
mVeWQPBWYkngDqeDF07xDhdzZl9DJSc4UhsY18Zr4yZJyukR1q9R7+GmrsS/GmeO
IXMw+WDc8/uDN7J4iAl6vDye5bCayruVbb+Zgn9mJ/hOGvvVEhBQbPiiGG5OAg3p
l3nvlkzB1n7RX2LaSG3CpCNbc3ekzbJnbUEXOG/3YdKp03oMkAMiQ1RD3+fvXhYa
1Xu6e6P7nCWblW94qfLTsj+p3rWLrvOPmFjU5AisI2cGOQHk8Zb08O3L5FUjlnv1
7mnSSTSo+N/u66eP5GtgXsgZl8VNHixo2DNMhJ8clsWccSN7aDijyAWlJsaOOzIR
cP0GWCfpH2QeZiM1lOAtmjy6
=qICt
-----END PGP SIGNATURE-----
--- End Message ---