https://bugs.kde.org/show_bug.cgi?id=519912
Bug ID: 519912
Summary: hardcoded filenames in tempfile locations
Classification: Applications
Product: kamoso
Version First Reported In: 26.04.1
Platform: Other
OS: Linux
Status: REPORTED
Severity: normal
Priority: NOR
Component: general
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
In `src/video/webcamcontrol.cpp`, the `takePhoto` method uses a hardcoded
temporary file path when the destination URL is not a local file:
```cpp
const QString path = url.isLocalFile() ? url.toLocalFile() :
    QStandardPaths::writableLocation(QStandardPaths::TempLocation) +
    u"/kamoso_photo.jpg";
```
On most Linux systems, `QStandardPaths::TempLocation` points to `/tmp`. A
local attacker can create a symbolic link at `/tmp/kamoso_photo.jpg` pointing
to a sensitive file owned by the victim (e.g., `~/.bashrc` or `~/.ssh/id_rsa`).
When the victim takes a photo and has configured a remote save location, Kamoso
will overwrite the target file with image data.
2. **Predictable Temporary Video File in `WebcamControl::startRecording`**:
The `temporaryVideoFile()` function generates a predictable filename in
`/tmp` with only 1-second resolution:
```cpp
static QString temporaryVideoFile()
{
    QString date =
        QDateTime::currentDateTime().toString(u"ddmmyyyy_hhmmss");
    return QDir::tempPath() + QStringLiteral("/kamoso_%1.mkv").arg(date);
}
```
This predictability allows an attacker to pre-create symlinks for future
timestamps, leading to the same file overwriting vulnerability described above.
3. **Privacy Leak**:
The temporary file `/tmp/kamoso_photo.jpg` is not deleted after being
copied to its remote destination, leaving a copy of the captured photo in a
world-readable directory.
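The hardened counterpart to the three points above, as an added example that is not Kamoso code and not the project's fix: the temporary file gets an unpredictable name, is created exclusively with mode 0600, and is unlinked after use. It uses plain POSIX/glibc calls instead of Qt so it builds stand-alone; the function names and the `tempdemo_` scratch directory are hypothetical, and the symlink scenario is constructed inside a private `mkdtemp()` directory.

```cpp
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
#include <cstdio>
#include <string>

// Unpredictable name, created with O_CREAT|O_EXCL and mode 0600 by mkstemps()
// (a glibc/BSD extension): an existing symlink is never followed and other
// local users cannot read the capture.
int createPrivateTemp(const std::string &dir, const std::string &suffix, std::string &pathOut)
{
    pathOut = dir + "/kamoso_XXXXXX" + suffix;
    return mkstemps(&pathOut[0], static_cast<int>(suffix.size()));
}

// If a fixed name is unavoidable, refuse anything that already exists there.
int openFixedNameExclusive(const std::string &path)
{
    return open(path.c_str(), O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

// Constructed scenario: a private directory stands in for /tmp, and a symlink
// already sits at the fixed name, pointing at a file that must stay untouched.
bool hardenedPathsIgnorePlantedLink()
{
    char dirTmpl[] = "/tmp/tempdemo_XXXXXX";
    if (!mkdtemp(dirTmpl)) return false;
    const std::string dir = dirTmpl, target = dir + "/target.txt", fixed = dir + "/kamoso_photo.jpg";
    FILE *f = fopen(target.c_str(), "w");
    if (!f) return false;
    fputs("keep", f);
    fclose(f);
    if (symlink(target.c_str(), fixed.c_str()) != 0) return false;

    bool fixedRefused = openFixedNameExclusive(fixed) < 0; // EEXIST, link not followed
    std::string path;
    int fd = createPrivateTemp(dir, ".jpg", path);
    struct stat st {};
    bool privateOk = fd >= 0 && fstat(fd, &st) == 0 && (st.st_mode & 0777) == 0600 && path != fixed;
    if (fd >= 0) {
        ssize_t n = write(fd, "JPEGDATA", 8); (void)n;
        close(fd);
        unlink(path.c_str()); // remove the copy once it has been uploaded
    }
    struct stat after {};
    bool targetIntact = stat(target.c_str(), &after) == 0 && after.st_size == 4;
    unlink(fixed.c_str()); unlink(target.c_str()); rmdir(dir.c_str());
    return fixedRefused && privateOk && targetIntact;
}

int main() { return hardenedPathsIgnorePlantedLink() ? 0 : 1; }
```

In Qt code the same properties are normally obtained from `QTemporaryFile`, which picks a unique name and removes the file when the object is destroyed.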