Bug 436260 - CVE-2007-6061: insecure tmpfile handling
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: audacity
Version: rawhide
Hardware: All Linux
Priority: high, Severity: medium
Assigned To: Gérard Milmeister
QA Contact: Fedora Extras Quality Assurance
URL: http://www.cve.mitre.org/cgi-bin/cven...
Keywords: Security
Blocks: CVE-2007-6061
Reported: 2008-03-06 03:09 EST by Hans de Goede
Modified: 2008-05-13 17:06 EDT
Doc Type: Bug Fix
Last Closed: 2008-05-13 17:06:07 EDT
Attachments:
proposed patch (1.22 KB, patch)
2008-05-02 11:54 EDT, Michael Schwendt
Description Hans de Goede 2008-03-06 03:09:03 EST
Description of problem:
Viktor Griph reported that the "AudacityApp::OnInit()" method in file
src/AudacityApp.cpp does not handle temporary files properly.

A local attacker could exploit this vulnerability to conduct symlink attacks to
delete arbitrary files and directories with the privileges of the user running
Audacity.

Here is a patch from Gentoo fixing this:
http://sources.gentoo.org/viewcvs.py/*checkout*/gentoo-x86/media-sound/audacity/files/CVE-2007-6061.patch?rev=1.1
Comment 1 Michael Schwendt 2008-03-06 05:13:44 EST
Note the date of the CVE.

Also known upstream and came up again just recently:
http://sourceforge.net/mailarchive/forum.php?thread_name=733f2c730803040303o679d28eeg224689218544d232%40mail.gmail.com&forum_name=audacity-devel

Users with security concerns can set a different tmp path in
the Audacity preferences.

The Gentoo patch (linked by me on audacity-devel yesterday) is
controversial for several reasons.
Comment 2 Tomas Hoger 2008-03-06 08:31:31 EST
Already tracked via bug #393251
Comment 3 Lubomir Kundrak 2008-04-08 16:00:33 EDT
Final Freeze is in effect now. Security fixes almost certainly warrant a freeze
break, so in case you build a fix for this, mail release engineering as
described here: [2]

[1] https://www.redhat.com/archives/fedora-devel-announce/2008-April/msg00007.html
[2] http://fedoraproject.org/wiki/ReleaseEngineering/FinalFreezePolicy

Thanks!
Comment 4 Huzaifa S. Sidhpurwala 2008-05-01 23:29:28 EDT
Any idea when this will be fixed in Fedora?
Comment 5 Michael Schwendt 2008-05-02 11:54:34 EDT
Created attachment 304395
proposed patch

Would this be sufficient?
Comment 6 Michael Schwendt 2008-05-03 03:05:15 EDT
Upstream accepted this patch.
Comment 7 Tomas Hoger 2008-05-09 02:19:04 EDT
Fixed in upstream 1.3.5:

http://audacity.sourceforge.net/download/features-1.3-a

Security

  * Full fix for issue CVE-2007-6061 on systems where temporary directories can be
    changed by other users (thanks to Michael Schwendt).
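
The symlink risk described in this bug, as an added example that is not part of the thread, the attached patch, or Audacity's source: C++ that opens a per-user temporary directory only if it is a real directory owned by the current user with no group/other access, then deletes leftover files relative to that descriptor. The function names are hypothetical, and POSIX.1-2008 `*at()` calls are assumed to be available.

```cpp
// Added example, not Audacity's code; function names are hypothetical.
#include <dirent.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <cerrno>
#include <string>

// Returns an fd for `path` only if it is a real directory (not a symlink),
// owned by the current user, with no group/other access; -1 otherwise.
int open_private_tmp_dir(const std::string& path) {
    if (mkdir(path.c_str(), 0700) != 0 && errno != EEXIST) return -1;
    // O_NOFOLLOW: a symlink planted at `path` makes open() fail instead of
    // redirecting later deletions to the link target.
    int fd = open(path.c_str(), O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    // fstat() the descriptor so the checks apply to the object held open.
    if (fstat(fd, &st) != 0 || st.st_uid != geteuid() ||
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

// Deletes leftover regular files in the verified directory, addressed
// relative to `dirfd`. Returns the number removed, or -1 on error.
int remove_stale_files(int dirfd) {
    // Separate open file description: fdopendir() takes ownership of it.
    int scanfd = openat(dirfd, ".", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (scanfd < 0) return -1;
    DIR* dir = fdopendir(scanfd);
    if (!dir) { close(scanfd); return -1; }
    int removed = 0;
    while (struct dirent* e = readdir(dir)) {
        struct stat st;
        if (fstatat(dirfd, e->d_name, &st, AT_SYMLINK_NOFOLLOW) != 0) continue;
        // Only regular files: skips ".", "..", subdirectories and symlinks.
        if (S_ISREG(st.st_mode) && unlinkat(dirfd, e->d_name, 0) == 0) ++removed;
    }
    closedir(dir);
    return removed;
}
```

A caller that gets -1 from `open_private_tmp_dir` should refuse to clean up or write there and fall back to a directory under the user's home.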

