https://bugzilla.suse.com/show_bug.cgi?id=1225509

Bug ID: 1225509
Summary: AUDIT-FIND: 4Pane: predictable /tmp path in PreviewPopup::DisplayImage
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: wolfgang.frisch@suse.com
QA Contact: qa-bugs@suse.de
Target Milestone: ---
Found By: ---
Blocker: ---

4Pane uses predictable /tmp paths in PreviewPopup::DisplayImage():
Relevant code (lines 2054-2057):

    pngfilepath = "/tmp/" + fn.GetName() + ".png";
    if (SvgToPng(filepath, pngfilepath, handle))
        image = wxImage(pngfilepath);
    wxRemoveFile(pngfilepath);
If fs.protected_symlinks=1, an unprivileged user can prevent 4Pane from displaying previews for SVG images.
If fs.protected_symlinks=0, an unprivileged user can overwrite arbitrary world-readable files owned by the 4Pane user.

Steps to reproduce:

    nobody@localhost:/tmp> ln -s /home/user/somefile foo.png
    # ... wait until the user previews a file named foo.svg
    # somefile will be overwritten

An attacker can pre-create symlinks for the names of all existing SVG files on the system to increase the likelihood of triggering the bug.
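The mitigation a reviewer would ask for is to stop deriving the temporary name from the input file name: create a private, unpredictably named directory and open the output with O_CREAT|O_EXCL|O_NOFOLLOW, so a pre-planted symlink is refused rather than followed. The following is an added example written for this report, not code from 4Pane or wxWidgets; it uses the POSIX mkdtemp()/open() calls directly (wxWidgets has its own temporary-file helpers such as wxFileName::CreateTempFileName that wrap the same idea) and stages both the "victim" file and the planted symlink inside a scratch directory it creates itself, so nothing outside that directory is touched.

```cpp
// Added example (not 4Pane code): creating the preview PNG without trusting a
// predictable, attacker-controllable name such as /tmp/<name>.png.
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

// Open for writing with O_CREAT|O_EXCL|O_NOFOLLOW. If the path already exists,
// including as a symlink, open() fails (EEXIST, or ELOOP) instead of writing
// through the link. Returns the fd or -1.
int open_exclusive(const std::string &path) {
    return open(path.c_str(), O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

// Safe variant: a private mode-0700 directory from mkdtemp(), then an
// exclusively created file inside it. Returns the file path or "" on failure.
std::string create_private_png(std::string &dir_out) {
    char tmpl[] = "/tmp/preview-XXXXXX";   // XXXXXX is replaced by mkdtemp()
    if (!mkdtemp(tmpl)) return "";
    dir_out = tmpl;
    std::string path = dir_out + "/preview.png";
    int fd = open_exclusive(path);
    if (fd < 0) { rmdir(tmpl); dir_out.clear(); return ""; }
    close(fd);
    return path;
}

// Remove the file and its private directory; errors on cleanup are ignored.
void cleanup_private_png(const std::string &path, const std::string &dir) {
    if (!path.empty()) unlink(path.c_str());
    if (!dir.empty()) rmdir(dir.c_str());
}

// Reproduces the failure mode from the report against the hardened open():
// a symlink pre-planted at the predictable name. Both files are constructed
// inside a scratch directory (stand-ins for /tmp/foo.png and the target).
// Returns true if the exclusive open refused the link and the target is intact.
bool exclusive_open_refuses_planted_symlink() {
    char scratch[] = "/tmp/demo-XXXXXX";
    if (!mkdtemp(scratch)) return false;
    std::string dir = scratch;
    std::string victim = dir + "/somefile";      // stands in for /home/user/somefile
    std::string predictable = dir + "/foo.png";  // stands in for /tmp/foo.png
    bool refused = false;

    int vfd = open(victim.c_str(), O_WRONLY | O_CREAT, 0600);
    if (vfd >= 0) {
        (void)write(vfd, "victim data\n", 12);
        close(vfd);
        // The report's precondition: ln -s somefile foo.png
        if (symlink(victim.c_str(), predictable.c_str()) == 0) {
            int fd = open_exclusive(predictable);
            if (fd < 0 && (errno == EEXIST || errno == ELOOP)) refused = true;
            else if (fd >= 0) close(fd);
        }
        // The target must be untouched (still 12 bytes).
        struct stat st;
        if (stat(victim.c_str(), &st) != 0 || st.st_size != 12) refused = false;
    }
    unlink(predictable.c_str());
    unlink(victim.c_str());
    rmdir(scratch);
    return refused;
}

// Returns true if the private-directory path works end to end.
bool private_png_roundtrip() {
    std::string dir;
    std::string path = create_private_png(dir);
    bool ok = !path.empty() && path.rfind("/tmp/preview-", 0) == 0;
    cleanup_private_png(path, dir);
    return ok;
}

int main() {
    std::printf("planted symlink refused: %s\n",
                exclusive_open_refuses_planted_symlink() ? "yes" : "no");
    std::printf("private png round trip: %s\n",
                private_png_roundtrip() ? "ok" : "failed");
    return 0;
}
```

The private directory matters as much as the flags: with only O_EXCL at a predictable name, an attacker can still cause a denial of service by occupying the name, which is exactly the fs.protected_symlinks=1 outcome described above. A directory whose name the attacker cannot predict removes both the overwrite and the denial of service.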