Bug 436260

Summary: CVE-2007-6061: insecure tmpfile handling
Product: [Fedora] Fedora Reporter: Hans de Goede <hdegoede>
Component: audacityAssignee: GĂ©rard Milmeister <gemi>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: high    
Version: rawhideCC: bressers, bugs.michael, huzaifas
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6061
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-05-13 21:06:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 393251    
Attachments:
Description Flags
proposed patch none

Description Hans de Goede 2008-03-06 08:09:03 UTC 
Description of problem:
Viktor Griph reported that the "AudacityApp::OnInit()" method in file
src/AudacityApp.cpp does not handle temporary files properly.

A local attacker could exploit this vulnerability to conduct symlink attacks to
delete arbitrary files and directories with the privileges of the user running
Audacity.

Here is a patch from gentoo fixing this:
http://sources.gentoo.org/viewcvs.py/*checkout*/gentoo-x86/media-sound/audacity/files/CVE-2007-6061.patch?rev=1.1
Comment 1 Michael Schwendt 2008-03-06 10:13:44 UTC 
Note the date of the CVE.

Also known upstream and came up again just recently:
http://sourceforge.net/mailarchive/forum.php?thread_name=733f2c730803040303o679d28eeg224689218544d232%40mail.gmail.com&forum_name=audacity-devel

Users with security concerns can set a different tmp path in
the Audacity preferences.

The Gentoo patch (linked by me on audacity-devel yesterday) is
controversial for several reasons.
Comment 2 Tomas Hoger 2008-03-06 13:31:31 UTC 
Already tracked via bug #393251
Comment 3 Lubomir Kundrak 2008-04-08 20:00:33 UTC 
Final Freeze is in effect now. Security fixes almost certainly warrant a freeze
break, so in case you build a fix for this, mail release engineering as
described here: [2]

[1] https://www.redhat.com/archives/fedora-devel-announce/2008-April/msg00007.html
[2] http://fedoraproject.org/wiki/ReleaseEngineering/FinalFreezePolicy

Thanks!
Comment 4 Huzaifa S. Sidhpurwala 2008-05-02 03:29:28 UTC 
Any idea when this will be fixed in fedora?
Comment 5 Michael Schwendt 2008-05-02 15:54:34 UTC 
Created attachment 304395 [details]
proposed patch

Would this be sufficient?
Comment 6 Michael Schwendt 2008-05-03 07:05:15 UTC 
Upstream accepted this patch.
Comment 7 Tomas Hoger 2008-05-09 06:19:04 UTC 
Fixed in upstream 1.3.5:

http://audacity.sourceforge.net/download/features-1.3-a

Security

  * Full fix for issue CVE-2007-6061 on systems where temporary directories can be
    changed by other users (thanks to Michael Schwendt).