Bug 160132 - x11-misc/adesklets: Insecure usage of files in /tmp.
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2007-01-04 15:58 UTC by Vic Fryzel (shellsage) (RETIRED)
Modified: 2007-02-10 20:56 UTC
See Also:
Package list:
Runtime testing required: ---
Description Vic Fryzel (shellsage) (RETIRED) gentoo-dev 2007-01-04 15:58:11 UTC
The x11-misc/adesklets ebuild specifies a location in /tmp for log storage. An attacker could create the file /tmp/adesklets_log.pid* as a symlink to arbitrary files on the system, and possibly overwrite those files, upon adesklets filing a log entry. The ebuild should specify a log location that is not in a world-accessible directory.
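The hazard described in this report is the classic /tmp symlink race: a program that creates its log with a plain open(O_CREAT) in a world-writable directory follows whatever a local attacker planted at that path. The following C program is an added example, not code from the adesklets project or this bug, showing the defensive open pattern (O_CREAT|O_EXCL|O_NOFOLLOW, owner-only mode) and verifying in a constructed scratch directory that a pre-planted symlink is refused while the pointed-to file stays intact. All paths and file contents below are constructed for the demonstration; the log file name merely mirrors the adesklets_log.pid pattern mentioned above.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a log file so that anything already present at the path is refused
 * instead of being followed or truncated.
 *   O_EXCL     : fail with EEXIST if the name exists at all; Linux refuses
 *                O_CREAT|O_EXCL on a symlink no matter where it points.
 *   O_NOFOLLOW : never follow a symlink in the final path component.
 *   0600       : the log is private to the user running the program.
 * Returns the descriptor, or -1 with errno set. */
int open_log_safely(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario: a "victim" file, and a symlink planted at the log path
 * pointing to it. Returns 1 if the symlink is refused, the victim content is
 * unchanged, and a clean (not pre-planted) log path still opens; else 0. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/log_demo_XXXXXX";   /* private scratch directory */
    if (mkdtemp(dir) == NULL)
        return 0;

    char victim[256], planted[256], clean[256];
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(planted, sizeof planted, "%s/adesklets_log.12345", dir);
    snprintf(clean, sizeof clean, "%s/adesklets_log.67890", dir);

    const char *orig = "important data\n";     /* constructed content */
    int vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (vfd < 0)
        return 0;
    (void)write(vfd, orig, strlen(orig));
    close(vfd);

    /* The attacker's move: a symlink at the expected log name. */
    if (symlink(victim, planted) != 0)
        return 0;

    int ok = 1;

    /* Defensive open must refuse the planted symlink (EEXIST, or ELOOP
     * on systems that report O_NOFOLLOW first). */
    int fd = open_log_safely(planted);
    if (fd >= 0) {              /* followed the link: the attack would work */
        ok = 0;
        close(fd);
    } else if (errno != EEXIST && errno != ELOOP) {
        ok = 0;
    }

    /* The victim file must be untouched. */
    char buf[64] = {0};
    int rfd = open(victim, O_RDONLY);
    if (rfd < 0) {
        ok = 0;
    } else {
        (void)read(rfd, buf, sizeof buf - 1);
        close(rfd);
        if (strcmp(buf, orig) != 0)
            ok = 0;
    }

    /* A path nobody pre-created still works as a log file. */
    fd = open_log_safely(clean);
    if (fd < 0) {
        ok = 0;
    } else {
        (void)write(fd, "log entry\n", 10);
        close(fd);
    }

    unlink(clean);
    unlink(planted);
    unlink(victim);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("symlink refused and victim intact: %s\n",
           demo_symlink_refused() ? "yes" : "no");
    return 0;
}
```

The flags close the hole for the path that is opened; the fix actually committed for this bug (moving the log out of /tmp into the user's home directory) removes the shared-directory precondition entirely, and the two measures are complementary.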
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-01-06 12:58:08 UTC
s4t4n please advise.
Comment 2 Michele Noberasco (RETIRED) gentoo-dev 2007-01-07 08:21:29 UTC
Well, adesklets runs with the privileges of the user who launched it, so this would be an issue only if that user is root (silly thing)...
Also, this log file gets created only if debug is in USE.
Anyway, I just committed to Portage a small change to the ebuilds so that log files are created in user home directories instead of /tmp; methinks it should be enough.
Comment 3 Michele Noberasco (RETIRED) gentoo-dev 2007-01-24 08:51:21 UTC
No feedback, closing. Feel free to reopen if necessary...
Comment 4 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-10 20:56:17 UTC
(In reply to comment #3)
> No feedback, closing. Feel free to reopen if necessary...
I agree. "INVALID" would even be appropriate.