CVE-2023-43782 (https://bugzilla.suse.com/show_bug.cgi?id=1213983): Cadence through 0.9.2 2023-08-21 uses an Insecure /tmp/.cadence-aloop-daemon.x Temporary File. The file is used even if it has been created by a local adversary before Cadence started. The adversary can then delete the file, disrupting Cadence.

CVE-2023-43783 (https://bugzilla.suse.com/show_bug.cgi?id=1213985): Cadence through 0.9.2 2023-08-21 uses an Insecure /tmp/cadence-wineasio.reg Temporary File. The filename is used even if it has been created by a local adversary before Cadence started. The adversary can leverage this to create or overwrite files via a symlink attack. In some kernel configurations, code injection into the Wine registry is possible.

These will seemingly be unfixed upstream, based on Matthias's interactions with upstream (at $URL):

2023-08-04: I contacted the Cadence upstream author and reported the two vulnerabilities, offering coordinated disclosure. I quickly received a reply from the author stating that Cadence should no longer be used and that he intends to archive the project at some point.

2023-08-07: I replied that the tmp file issues aren't hard to fix and a maintenance-only release that also makes packagers aware of the need to move away from Cadence would be helpful.

2023-08-21: I received no more replies from the upstream author. Instead I found the GitHub repository archived in the meantime. Therefore I decided to provide custom patches for the openSUSE package.

2023-09-06: I requested CVE IDs from Mitre for the issues. I also published the information about the issues in our Bugzilla bug tracker.

openSUSE's patches also at URL.
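The two CVEs above are the same bug class: a fixed, predictable name in the world-writable /tmp, opened without checking whether another local user planted something there first. The following Python (added here for illustration; it is not Cadence's code nor the openSUSE patches) puts the vulnerable pattern beside two hardened forms and a pre-use check, and exercises all of them in a constructed scratch directory. Function names, the scratch directory and the planted symlink are all made up for this example; the fixed file name is the one from CVE-2023-43782.

```python
import os
import stat
import tempfile

# Constructed example, not Cadence's own code: the fixed-path /tmp pattern
# described in CVE-2023-43782 / CVE-2023-43783, beside hardened alternatives.

FIXED_PATH = "/tmp/.cadence-aloop-daemon.x"   # name from CVE-2023-43782


def open_fixed_path_insecure(path=FIXED_PATH):
    """The vulnerable pattern: predictable name in a world-writable
    directory, created or truncated with no check of who made it.
    If a local user pre-created the path or placed a symlink there,
    this follows it and writes wherever it points."""
    return open(path, "w")   # O_CREAT|O_TRUNC, follows symlinks


def open_fixed_path_exclusive(path):
    """Hardened, same location: refuse anything already at the path.
    O_EXCL makes creation fail if the name exists (even a dangling
    symlink) and O_NOFOLLOW refuses to traverse a symlink, so a
    pre-planted file is detected instead of silently reused."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    return os.fdopen(fd, "w")


def open_private_tempfile(prefix="cadence-", directory=None):
    """Hardened, preferred: random name via mkstemp (O_EXCL, mode 0600),
    placed under the caller's directory, else XDG_RUNTIME_DIR (per-user,
    not shared), else the system temp dir."""
    base = directory or os.environ.get("XDG_RUNTIME_DIR") or tempfile.gettempdir()
    fd, path = tempfile.mkstemp(prefix=prefix, dir=base)
    return os.fdopen(fd, "w"), path


def classify_preexisting(path):
    """Pre-use check for a fixed temp path: returns 'absent', 'symlink',
    'foreign' (exists but owned by another uid) or 'ours'. Anything but
    'absent' or 'ours' means the path must not be used as-is."""
    try:
        st = os.lstat(path)            # lstat: do not follow a symlink
    except FileNotFoundError:
        return "absent"
    if stat.S_ISLNK(st.st_mode):
        return "symlink"
    if st.st_uid != os.getuid():
        return "foreign"
    return "ours"


def demo(tmpdir=None):
    """Replay the CVE scenario in a scratch directory: a symlink is
    pre-planted at the fixed name, then each opener is tried.
    Returns a dict of outcomes so the behaviour can be asserted."""
    tmpdir = tmpdir or tempfile.mkdtemp(prefix="tmpfile-demo-")
    planted = os.path.join(tmpdir, ".cadence-aloop-daemon.x")
    target = os.path.join(tmpdir, "victim-file")
    with open(target, "w") as f:
        f.write("original contents\n")
    os.symlink(target, planted)        # constructed: pre-planted symlink

    results = {"before": classify_preexisting(planted)}

    # Insecure opener follows the symlink and overwrites the target file.
    with open_fixed_path_insecure(planted) as f:
        f.write("written via fixed path\n")
    with open(target) as f:
        results["insecure_clobbered_target"] = f.read() != "original contents\n"

    # Exclusive opener refuses the pre-existing name.
    try:
        open_fixed_path_exclusive(planted).close()
        results["exclusive_refused"] = False
    except OSError:                    # FileExistsError on Linux
        results["exclusive_refused"] = True

    # Private temp file: fresh random name, mode 0600, nothing to pre-plant.
    f, path = open_private_tempfile(directory=tmpdir)
    f.write("ok\n")
    f.close()
    results["private_mode_0600"] = stat.S_IMODE(os.stat(path).st_mode) == 0o600
    os.unlink(path)
    return results


if __name__ == "__main__":
    print(demo())
```

The exclusive opener is the minimal fix when the fixed name must be kept for compatibility; the mkstemp variant removes the predictable name altogether and is what a maintenance patch would normally reach for. The classify_preexisting check is the defender-side probe: run at startup, it turns a silently reused file into a logged refusal.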
As the original developer (falktx) abandoned the project, and as the Cadence suite is closely related to jackdbus, a2jmidid and ladish, all developed as part of the LADI project, I took the initiative to maintain Cadence upstream in the LADI project too. In August 2023, on Libera.chat IRC (#lad), I notified the original developer about the adoption into the LADI project after he told me about the abandonment. In particular, the CVE-fixing patches are now applied. The version is currently 1.9.3. https://gitea.ladish.org/LADI/cadence I'll do ebuilds for 1.9.3 and later anyway and can contribute them to Gentoo.
Tarballs:
https://dl.ladish.org/cadence/ladi-cadence-1.9.4.tar.xz
https://dl.ladish.org/cadence/ladi-cadence-1.9.4.tar.xz.sig

== ladi-cadence-1.9.4: January 11, 55 (2024)

* Add NEWS.adoc file
* Add AUTHORS.adoc file
* Add MAINTAINERS.adoc file
* Remove vendored unzipfx code along with data/windows/
* Adjust README.md ("is being developed by falktx" => "was developed by falktx")
* Makefile: Add dist target for tarball creation and gpg-signing

== ladi-cadence-1.9.3: January 7, 55 (2024)

* Switch default for /org/ladish/daemon/terminal to xterm (so to match ladish codebase defaults)
  Bug: https://github.com/falkTX/Cadence/issues/361
* First LADI release, after falktx abandoned and archived the codebase
* README.md: Add info about new maintainer (LADI project, Nedko Arnaudov)
* Apply CVEs patches from SuSE, by Matthias Gerstner:
** Patch CVE-2023-43782: Use of Fixed Temporary File Path in /tmp/.cadence-aloop-daemon.x
** Patch CVE-2023-43783: Use of Fixed Temporary File Path in /tmp/cadence-wineasio.reg