Description of problem:
aRts and kdelibs3 each use their own copy of the same "lnusertemp" code to create a user-specific socket directory for IPC. If the usual location, which is well-known, is unavailable, a random directory name is created with mktemp(3). A malicious process could therefore create the well-known location to force the race condition inherent in mktemp(3), and then potentially beat it in order to hijack the IPC of aRts and/or KDE.

Version-Release number of selected component (if applicable):
arts-1.5.10-26.fc22.x86_64
kdelibs3-3.5.10-68.fc22.x86_64
(I believe all versions of Fedora are affected, as well as RHEL 5 and 6)

Steps to Reproduce:
(Warning: Do NOT try this during a KDE session!)
0. KSOCKETDIR=/tmp/ksocket-`id -un`
1. rm -f ~/.kde/socket-$HOSTNAME # (not strictly necessary but does cause this to be logged with 'artsd -l 0')
2. rm -fr $KSOCKETDIR && touch $KSOCKETDIR
   OR: su -c "mkdir -m 0700 $KSOCKETDIR" [OTHER_USER]
3. artsd -l 0 -a alsa
   OR: kdeinit
   OR: lnusertemp socket

Actual results:
A ${KSOCKETDIR}XXXXXX directory is created by mktemp(3), with all the usual implications, then symlinked to ~/.kde/socket-$HOSTNAME.

Expected results:
mkdtemp(3) should be used to create the fallback socket directory instead of mktemp(3).

Additional info:
This was fixed upstream in commit cc5515ed7ce8884c9b18169158ba29ab2f7a3db7 (together with a bunch of unrelated changes) during the Qt3->4 porting phase, so kdelibs-4.x should never have been affected by itself. However, if the socket directory is created first by aRts or KDE3, as long as it exists it would also be used by KDE4 processes. The relevant part of said commit should backport easily to both arts (mcop/mcoputils.cc) and kdelibs3 (kinit/lnusertemp.c):
https://quickgit.kde.org/?p=kdelibs.git&a=blobdiff&h=8c0f6401271c495c68e340e06b09239eb755ce5e&hp=45b72f0d5c3421b571e9515497352a0a9942a075&hb=cc5515ed7ce8884c9b18169158ba29ab2f7a3db7&f=kinit%2Flnusertemp.c
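As an added illustration of the fix the report asks for (this is not the lnusertemp.c or mcoputils.cc code and not the Fedora patch), the C program below shows the defensive pattern: accept the well-known location only after lstat(2) confirms it is a real directory we own with mode 0700, and otherwise create the fallback with mkdtemp(3), which names and creates the directory atomically, instead of mktemp(3). The path names and the demo_fallback helper are assumptions made for the example.

```c
#define _DEFAULT_SOURCE                     /* mkdtemp(3), lstat(2) on glibc */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if path is a real directory (not a symlink) owned by uid with mode 0700. */
static int dir_is_private(const char *path, uid_t uid)
{
    struct stat st;
    if (lstat(path, &st) != 0) return 0;
    return S_ISDIR(st.st_mode) && st.st_uid == uid && (st.st_mode & 0777) == 0700;
}

/* Resolve the socket directory into out; returns 0 on success, -1 on failure.
 * The well-known path is used only if it is (or can be made) our own private
 * directory. Otherwise fall back to mkdtemp(3), which picks the name and creates
 * the 0700 directory in one step: no guess-then-mkdir window as with mktemp(3). */
int create_socket_dir(const char *wellknown, const char *fallback_tmpl, char *out, size_t outlen)
{
    uid_t uid = getuid();
    if ((mkdir(wellknown, 0700) == 0 || errno == EEXIST) && dir_is_private(wellknown, uid)) {
        snprintf(out, outlen, "%s", wellknown);
        return 0;
    }
    if (strlen(fallback_tmpl) >= outlen) return -1;
    strcpy(out, fallback_tmpl);              /* template must end in XXXXXX */
    if (mkdtemp(out) == NULL) return -1;
    return dir_is_private(out, uid) ? 0 : -1;
}

/* Demo of the report's step 2: a plain file occupies the well-known path, so the
 * fallback must be taken and must itself be private. Returns 1 on success. */
int demo_fallback(void)
{
    char wk[96], tmpl[96], out[96] = "";
    snprintf(wk, sizeof wk, "/tmp/ksocket-demo-%ld", (long)getpid());
    snprintf(tmpl, sizeof tmpl, "%s-XXXXXX", wk);
    FILE *f = fopen(wk, "w");                /* constructed obstacle, not a directory */
    if (f == NULL) return 0;
    fclose(f);
    int ok = create_socket_dir(wk, tmpl, out, sizeof out) == 0 &&
             strcmp(out, wk) != 0 && dir_is_private(out, getuid());
    rmdir(out); unlink(wk);                  /* remove both demo artefacts again */
    return ok;
}
```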
Created kdelibs3 tracking bugs for this issue: Affects: fedora-all [bug 1289235] Affects: epel-7 [bug 1289236]
Created arts tracking bugs for this issue: Affects: fedora-all [bug 1289237] Affects: epel-7 [bug 1289238]
Yes, that patch (fairly trivial at that) should fix it, let's apply it ASAP.
For the sake of public disclosure, TDE arts and tdelibs, being forks of the above (and unchanged wrt this particular code), are similarly affected. Neither are currently in Fedora. I have filed this with upstream TDE: https://bugs.trinitydesktop.org/show_bug.cgi?id=2556
For anybody reading this, the WONTFIX is only for RHEL, I am fixing this in Fedora, see the Fedora trackers (arts: bug #1289237, kdelibs3: bug #1289235). arts fix: http://pkgs.fedoraproject.org/cgit/arts.git/plain/arts-1.5.10-CVE-2015-7543.patch kdelibs3 fix: http://pkgs.fedoraproject.org/cgit/kdelibs3.git/plain/kdelibs-3.5.10-CVE-2015-7543.patch
kdelibs3-3.5.10-71.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
arts-1.5.10-30.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
kdelibs3-3.5.10-71.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
arts-1.5.10-30.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.