Bug 892299

Summary: CVE-2013-0159 predictable file name used in /tmp to generate pdf output [fedora-all]
Product: Fedora
Reporter: Michael S. <misc>
Component: fedora-business-cards
Assignee: Ian Weller <ian>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 18
CC: security-response-team
Target Milestone: ---
Target Release: ---
Keywords: Security, SecurityTracking
Hardware: Unspecified
OS: Unspecified
Doc Type: Release Note
Story Points: ---
Last Closed: 2013-09-09 07:58:38 UTC
Type: Bug
Regression: ---
Bug Blocks: 892815
Attachments:
  use a proper temporary random filename, and clean file after (flags: none)

Description Michael S. 2013-01-06 12:56:14 UTC
Created attachment 673347
use a proper temporary random filename, and clean file after

fedora-business-cards uses a temporary file named /tmp/fedora-business-cards-buffer.svg.

Since /tmp is world writable, anyone could either block the script with a suitable file (i.e. the same filename, with restrictive permissions), or, using a symlink, overwrite one of the files of someone else running the script (ln -s ~yourlogin/.ssh/id_rsa.pub /tmp/fedora-business-cards-buffer.svg).

(For the record, the last case should be blocked on Linux 3.6 with fs.protected_symlinks turned on.)

Here is a patch that should fix the issue against latest HEAD.

No CVE has been assigned so far, and AFAIK the packager is also the upstream developer.
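The two attacks described in the report, played against the pre-fix pattern (a fixed name under /tmp opened with a plain open()) and against the approach the attached patch takes (a random, exclusively created temporary file that is removed afterwards). This is an added example, not code from the bug report or from fedora-business-cards itself. It assumes Linux and Python 3, runs everything inside a private scratch directory standing in for /tmp (the directory is not sticky and every file belongs to the same user, so fs.protected_symlinks does not intervene), and the victim file contents are constructed. The function names, including the intermediate excl_write() variant, are this example's own and not the project's.

```python
import os
import shutil
import stat
import tempfile

# The predictable name from the report. Everything below runs in a private
# scratch directory standing in for /tmp, so it is safe to execute.
FIXED_NAME = "fedora-business-cards-buffer.svg"


def vulnerable_write(tmpdir, svg):
    """Pre-fix pattern: fixed name in a shared directory, plain open().
    open(..., "w") follows a pre-planted symlink and truncates its target."""
    path = os.path.join(tmpdir, FIXED_NAME)
    with open(path, "w") as f:
        f.write(svg)
    return path


def excl_write(tmpdir, svg):
    """Same fixed name, but O_CREAT|O_EXCL and mode 0600.
    POSIX makes open() fail with EEXIST when the path is a symlink, so the
    victim's file survives, but the attacker can still block the script just by
    creating the name first (the first attack in the report)."""
    path = os.path.join(tmpdir, FIXED_NAME)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(svg)
    return path


def safe_write(tmpdir, svg):
    """The approach of the attached patch: tempfile.mkstemp() chooses an
    unpredictable name, creates it with O_CREAT|O_EXCL and mode 0600, and hands
    back the already-open fd. The caller unlinks the file when finished."""
    fd, path = tempfile.mkstemp(prefix="fedora-business-cards-", suffix=".svg", dir=tmpdir)
    with os.fdopen(fd, "w") as f:
        f.write(svg)
    return path


def demo(tmpdir=None):
    """Run the symlink attack from the report against each writer and report
    what happened. Returns a dict of observations rather than printing them."""
    created = tmpdir is None
    tmpdir = tmpdir or tempfile.mkdtemp()
    victim = os.path.join(tmpdir, "id_rsa.pub")  # stand-in for ~victim/.ssh/id_rsa.pub
    original = "ssh-rsa AAAAB3Nza... victim@example\n"  # constructed content
    with open(victim, "w") as f:
        f.write(original)
    # Attacker step: ln -s <victim> /tmp/fedora-business-cards-buffer.svg
    os.symlink(victim, os.path.join(tmpdir, FIXED_NAME))

    result = {}
    vulnerable_write(tmpdir, "<svg/>")
    with open(victim) as f:
        result["clobbered_by_vulnerable"] = f.read() == "<svg/>"

    # Restore the victim file so each writer is tested from the same state.
    with open(victim, "w") as f:
        f.write(original)
    try:
        excl_write(tmpdir, "<svg/>")
        result["excl_blocked"] = False
    except FileExistsError:
        result["excl_blocked"] = True
    with open(victim) as f:
        result["clobbered_by_excl"] = f.read() == "<svg/>"

    safe_path = safe_write(tmpdir, "<svg/>")
    st = os.lstat(safe_path)
    result["safe_name_is_fixed"] = os.path.basename(safe_path) == FIXED_NAME
    result["safe_is_regular_file"] = stat.S_ISREG(st.st_mode)
    result["safe_mode"] = stat.S_IMODE(st.st_mode)
    with open(victim) as f:
        result["clobbered_by_safe"] = f.read() == "<svg/>"
    os.unlink(safe_path)  # the "clean file after" half of the patch
    result["safe_cleaned_up"] = not os.path.exists(safe_path)

    if created:
        shutil.rmtree(tmpdir)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The excl_write() variant is there to show why exclusive creation on its own is not enough: it stops the overwrite but converts the bug into the denial of service the report lists first, since any local user can still squat on the fixed name. Only an unpredictable name together with O_CREAT|O_EXCL and a restrictive mode, which is what mkstemp() gives, defeats both cases; the file still has to be unlinked afterwards, and the fd should be used directly rather than reopening the path by name.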

Comment 1 Ian Weller 2013-01-06 20:59:15 UTC
Ugh, did you really have to make this private?

I'll put this on the list of things to do for the next release that I've been working off and on for about two years now.

Comment 2 Michael S. 2013-01-06 21:19:35 UTC
Sorry if that caused trouble, I prefer to be on the safe side since I do not know where fedora-business-cards is used. I think I can lift the restriction later if you prefer once that's patched and corrected. 

There is nothing secret or private per se, and I am all for being public as much as possible.

Comment 3 Vincent Danen 2013-01-07 22:18:30 UTC
Thanks for this report. I've made this bug public and filed bug #892815 as a top-level security bug (CVE-2013-0159).

Comment 4 Ian Weller 2013-01-07 22:36:25 UTC
Thanks, Vincent.

I'll see about getting this fixed in the 0.3.x branch and pushing a release for that ASAP.

Comment 5 Ian Weller 2013-01-07 22:38:04 UTC
Actually I'm going to go ahead and apply this patch to f-b-c in the releases I can apply it to, and then push it out.

Thanks for the patch, Michael.

Comment 6 Ian Weller 2013-01-07 23:36:37 UTC
Hey Michael,

I ended up having to modify your patch just a bit -- svg_to_file() does still need a filename argument for exporting directly to SVG.

http://git.fedorahosted.org/cgit/fedora-business-cards.git/commit/?id=331fc987cf1d1ee2f3fcd23803c915b8d1c138b7

With this patch, is there any security issue? As far as I can tell, the only time this is called with a filename is with the argument "front.svg" or "back.svg".

Comment 7 Michael S. 2013-01-08 00:05:10 UTC
I do not see any obvious problem, as long as no one uses a filename in /tmp as the 2nd argument.

Comment 9 Ian Weller 2013-05-16 20:06:34 UTC
Security team,

This bug still isn't marked as public. Can I get that fixed?

Comment 10 Tomas Hoger 2013-05-17 07:50:28 UTC
(In reply to comment #9)
> This bug still isn't marked as public. Can I get that fixed?

Done.

Comment 11 Ian Weller 2013-09-09 07:58:38 UTC
Version 1 beta 1 is in F19 now.

Comment 12 Tomas Hoger 2013-09-09 08:06:33 UTC
F18 update is still in testing:

https://admin.fedoraproject.org/updates/fedora-business-cards-1-0.1.beta1.fc18

which got a complaint a while ago:

patches (proventesters) - 2013-08-04 03:15:11
This *security* update has been in updates-testing for over a month! Please push it stable or remove it if it is obsolete.

Comment 13 Ian Weller 2013-09-09 15:39:35 UTC
Requested stable.