Your message dated Fri, 24 May 2024 09:04:05 +0000
with message-id <e1saqql-007ij9...@fasolo.debian.org>
and subject line Bug#1071521: fixed in ukui-screensaver 3.0.3.3-2
has caused the Debian Bug report #1071521,
regarding ukui-screensaver: predictable filenames under /tmp with system()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1071521: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071521
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: kylin-nm
Version: 3.0.3.1-1
Severity: grave
Tags: security
Justification: user security hole

Hi,

the kylin_network_get_activecon_info() function in
src/kylin-network-interface.c uses predictable filenames under /tmp
and invokes system() on it:

| activecon *kylin_network_get_activecon_info()
| {
|     struct passwd *pwd;
|     pwd = getpwuid(getuid());
|     char *name = pwd->pw_name;
|     char *tmpPrefix = "/tmp/kylin-nm-activecon-";
|     char *chr = "nmcli connection show -active > ";
| 
|     char *cmd;
|     asprintf(&cmd, "%s%s%s", chr, tmpPrefix, name);
|     char *path;
|     asprintf(&path, "%s%s", tmpPrefix, name);
|     int status = system(cmd);
|     if (status != 0)
|         syslog(LOG_ERR, "execute 'nmcli connection show -active' in function 'kylin_network_get_activecon_info' failed");
|     free(cmd);

Predictable filenames under /tmp and executing system() on it is
highly problematic and a potential security issue. It should instead
use e.g. mkstemp() and the execl-family of functions or similar.

FTR: the same code is present also in ukui-screensaver, which seems
to have a copy of the KylinNM source code included.

regards
-mika-

Attachment: signature.asc
Description: PGP signature


--- End Message ---
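The mkstemp()/exec-family replacement the report asks for, as an added example rather than code from kylin-nm, ukui-screensaver or the Debian patch: the command run is `echo` (a constructed stand-in for `nmcli connection show --active` so the example runs anywhere), and the function names `run_to_tempfile`, `read_file` and `demo` are the example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/*
 * Run the program named by argv[0], with stdout redirected into a freshly
 * created temporary file, without going through a shell.
 *
 * path_buf receives the file's path (caller unlinks it when done).
 * Returns 0 when the child exited with status 0, -1 otherwise.
 *
 * Compared with the quoted kylin-nm code:
 *  - mkstemp() opens the file with O_CREAT|O_EXCL and mode 0600, so a
 *    symlink or file pre-placed at a guessable name is never followed or
 *    truncated, and the random suffix makes the name unpredictable.
 *  - execvp() takes an argument vector, so nothing is parsed by /bin/sh
 *    and the user name never becomes part of a command line.
 */
int run_to_tempfile(char *const argv[], char *path_buf, size_t path_len)
{
    const char *tmpdir = getenv("TMPDIR");
    if (tmpdir == NULL || *tmpdir == '\0')
        tmpdir = "/tmp";

    /* mkstemp() replaces the trailing XXXXXX with a random suffix */
    int n = snprintf(path_buf, path_len, "%s/kylin-nm-activecon-XXXXXX", tmpdir);
    if (n < 0 || (size_t)n >= path_len)
        return -1;

    int fd = mkstemp(path_buf);
    if (fd < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0) {
        close(fd);
        unlink(path_buf);
        return -1;
    }
    if (pid == 0) {
        /* child: stdout -> temp file, then exec directly */
        if (dup2(fd, STDOUT_FILENO) < 0)
            _exit(127);
        close(fd);
        execvp(argv[0], argv);
        _exit(127); /* reached only if exec fails */
    }

    close(fd);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) ||
        WEXITSTATUS(status) != 0) {
        unlink(path_buf);
        return -1;
    }
    return 0;
}

/* Read up to 4095 bytes of a file into a malloc'd NUL-terminated buffer. */
char *read_file(const char *path)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return NULL;
    char *buf = calloc(1, 4096);
    if (buf != NULL)
        fread(buf, 1, 4095, f);
    fclose(f);
    return buf;
}

/*
 * Constructed demo: "echo" stands in for nmcli so the example runs anywhere.
 * Returns 0 when the output was captured and the file is private (0600).
 */
int demo(void)
{
    char *const argv[] = {"echo", "demo-connection  wifi  active", NULL};
    char path[4096];
    if (run_to_tempfile(argv, path, sizeof path) != 0)
        return -1;

    int ok = 0;
    char *out = read_file(path);
    struct stat st;
    if (out != NULL && strcmp(out, "demo-connection  wifi  active\n") == 0 &&
        stat(path, &st) == 0 && (st.st_mode & 0777) == 0600)
        ok = 1;

    free(out);
    unlink(path);
    return ok ? 0 : -1;
}

int main(void)
{
    int rc = demo();
    printf("%s\n", rc == 0 ? "captured output into a private temp file" : "failed");
    return rc == 0 ? 0 : 1;
}
```

The two properties worth checking in a review of any such fix are visible in `demo`: the file mode is 0600 (nobody else can read the connection listing), and the path carries a random suffix rather than the user name, so no other local user can pre-create it.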
--- Begin Message ---
Source: ukui-screensaver
Source-Version: 3.0.3.3-2
Done: handsome_feng <jianfen...@ubuntukylin.com>

We believe that the bug you reported is fixed in the latest version of
ukui-screensaver, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1071...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
handsome_feng <jianfen...@ubuntukylin.com> (supplier of updated 
ukui-screensaver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 24 May 2024 16:18:09 +0800
Source: ukui-screensaver
Architecture: source
Version: 3.0.3.3-2
Distribution: unstable
Urgency: medium
Maintainer: Kylin Team <team+ky...@tracker.debian.org>
Changed-By: handsome_feng <jianfen...@ubuntukylin.com>
Closes: 1071521
Changes:
 ukui-screensaver (3.0.3.3-2) unstable; urgency=medium
 .
   * d/patches: fix-security-issue-predictable-filenames-with-system.
     (Closes: #1071521)
Checksums-Sha1:
 7d26b8546c0e74d5919a4c71691edaf73480b501 2280 ukui-screensaver_3.0.3.3-2.dsc
 66e5420932cff3cca6fc2098c272924833f3442e 1475013 ukui-screensaver_3.0.3.3.orig.tar.gz
 63f45913858ac992db2ac09bbf607f0e48a9445a 4640 ukui-screensaver_3.0.3.3-2.debian.tar.xz
 6f61c3bfb796000fd237cc256858fa9a003cbb85 22742 ukui-screensaver_3.0.3.3-2_source.buildinfo
Checksums-Sha256:
 00e50dd9c19468515709093f7e8f55b73c5c88ea7a3585146f9a26c6d77efa42 2280 ukui-screensaver_3.0.3.3-2.dsc
 db7a349dc9bb12b287bb7c1a1007e6480117dc90c5910a48ddf026c74beaa60d 1475013 ukui-screensaver_3.0.3.3.orig.tar.gz
 f38fd2840a154cb4601498e6cbf24cb6277dd33788e342edc9742116cc1835a2 4640 ukui-screensaver_3.0.3.3-2.debian.tar.xz
 894dcfc5ee0cd1ab03cb18724de78b30df412aec315aea96dd8acb3f8c580f5d 22742 ukui-screensaver_3.0.3.3-2_source.buildinfo
Files:
 32bdc4895f155c161cec5ed99ce26af9 2280 x11 optional ukui-screensaver_3.0.3.3-2.dsc
 7ff77014490e1319f87023c3df1797c7 1475013 x11 optional ukui-screensaver_3.0.3.3.orig.tar.gz
 ff198a3b711180a8149383d6e557ff79 4640 x11 optional ukui-screensaver_3.0.3.3-2.debian.tar.xz
 a55219db7d03e5b9b31ba1da1c72350a 22742 x11 optional ukui-screensaver_3.0.3.3-2_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpynlwjecBcS.pgp
Description: PGP signature


--- End Message ---