Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 918096 (CVE-2023-43782, CVE-2023-43783) - media-sound/cadence: multiple vulnerabilities
Summary: media-sound/cadence: multiple vulnerabilities
Alias: CVE-2023-43782, CVE-2023-43783
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [upstream/ebuild]
Depends on:
Reported: 2023-11-23 18:16 UTC by John Helmert III
Modified: 2024-01-20 10:14 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-23 18:16:30 UTC
CVE-2023-43782 (

Cadence through 0.9.2 2023-08-21 uses an Insecure /tmp/.cadence-aloop-daemon.x Temporary File. The file is used even if it has been created by a local adversary before Cadence started. The adversary can then delete the file, disrupting Cadence.

CVE-2023-43783 (

Cadence through 0.9.2 2023-08-21 uses an Insecure /tmp/cadence-wineasio.reg Temporary File. The filename is used even if it has been created by a local adversary before Cadence started. The adversary can leverage this to create or overwrite files via a symlink attack. In some kernel configurations, code injection into the Wine registry is possible.

These will seemingly be unfixed upstream, based on Matthias's
interactions with upstream (at $URL):

2023-08-04: I contacted the Cadence upstream author and reported the two
            vulnerabilities, offering coordinated disclosure.
            I quickly received a reply from the author stating that Cadence
            should no longer be used and that he intends to archive the
            project at some point.
2023-08-07: I replied that the tmp file issues aren't hard to fix and a
            maintenance-only release that also makes packagers aware of the
            need to move away from Cadence would be helpful.
2023-08-21: I received no more replies from the upstream author. Instead I
            found the GitHub repository archived in the meantime. Therefore I
            decided to provide custom patches for the openSUSE package.
2023-09-06: I requested CVE IDs from Mitre for the issues. I also published
            the information about the issues in our Bugzilla bug tracker.

openSUSE's patches also at URL.
Comment 1 Nedko Arnaudov 2024-01-08 01:28:06 UTC
As the original developer (falktx) abandoned the project, and as Cadence suite is closely related to jackdbus, a2jmidid and ladish, all developed as part of the LADI project, I took initiative to maintain Cadence upstream in the LADI project too. In August 2023, IRC, #lad, I notified the original developer about the adoption in LADI project after he told me about the abandonment.

In particular, the CVE fixing patches are now applied. The version is currently at 1.9.3.

I'll do ebuilds for 1.9.3 and later anyway and can contribute them to Gentoo.
Comment 2 Nedko Arnaudov 2024-01-11 15:53:40 UTC

== ladi-cadence-1.9.4: January 11, 55 (2024)

 * Add NEWS.adoc file
 * Add AUTHORS.adoc file
 * Add MAINTAINERS.adoc file
 * Remove vendored unzipfx code along with data/windows/
 * Adjust ("is being developed by falktx" => "was developed by falktx")
 * Makefile: Add dist target for tarball creation and gpg-signing

== ladi-cadence-1.9.3: January 7, 55 (2024)

 * Switch default for /org/ladish/daemon/terminal to xterm (so to match ladish codebase defaults) Bug: 
 * First LADI release, after falktx abandoned and archived the codebase
 * Add info about new maintainer (LADI project, Nedko Arnaudov)
 * Apply CVEs patches from SuSE, by Matthias Gerstner:
 ** Patch CVE-2023-43782: Use of Fixed Temporary File Path in /tmp/.cadence-aloop-daemon.x
 ** Patch CVE-2023-43783: Use of Fixed Temporary File Path in /tmp/cadence-wineasio.reg