Bug ID | 1225509 |
---|---|
Summary | AUDIT-FIND: 4Pane: predictable /tmp path in PreviewPopup::DisplayImage |
Classification | openSUSE |
Product | openSUSE Tumbleweed |
Version | Current |
Hardware | Other |
OS | Other |
Status | NEW |
Severity | Normal |
Priority | P5 - None |
Component | Security |
Assignee | security-team@suse.de |
Reporter | wolfgang.frisch@suse.com |
QA Contact | qa-bugs@suse.de |
Target Milestone | --- |
Found By | --- |
Blocker | --- |
4Pane uses predictable /tmp paths in PreviewPopup::DisplayImage()
> 2054 pngfilepath = "/tmp/" + fn.GetName() + ".png";
> 2055 if (SvgToPng(filepath, pngfilepath, handle))
> 2056 image = wxImage(pngfilepath);
> 2057 wxRemoveFile(pngfilepath);
If fs.protected_symlinks=1, an unprivileged user can prevent 4Pane from
displaying previews for SVG images.
If fs.protected_symlinks=0, an unprivileged user can overwrite arbitrary
world-readable files owned by the 4Pane user.
Steps to reproduce:
nobody@localhost:/tmp> ln -s /home/user/somefile foo.png
# ... wait until the user previews a file named foo.svg
# somefile will be overwritten
An attacker can pre-create symlinks for the names of all existing SVG files on
the system to increase the likelihood of triggering the bug.