Bug ID 1225509
Summary AUDIT-FIND: 4Pane: predictable /tmp path in PreviewPopup::DisplayImage
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter wolfgang.frisch@suse.com
QA Contact qa-bugs@suse.de
Target Milestone ---
Found By ---
Blocker --- 

4Pane uses predictable /tmp paths in PreviewPopup::DisplayImage()

> 2054     pngfilepath = "/tmp/" + fn.GetName() + ".png";
> 2055     if (SvgToPng(filepath, pngfilepath, handle))
> 2056       image = wxImage(pngfilepath);
> 2057     wxRemoveFile(pngfilepath);

If fs.protected_symlinks=1, an unprivileged user can prevent 4Pane from
displaying previews for SVG images.
If fs.protected_symlinks=0, an unprivileged user can overwrite arbitrary
world-readable files owned by the 4Pane user.

Steps to reproduce:

nobody@localhost:/tmp> ln -s /home/user/somefile foo.png
# ... wait until the user previews a file named foo.svg
# somefile will be overwritten

An attacker can pre-create symlinks for the names of all existing SVG files on
the system to increase the likelihood of triggering the bug.

You are receiving this mail because: