A Debian bug report [1],[2] indicated that conky is vulnerable to an arbitrary file overwrite flaw. In the getSkillname() function of the Eve plugin, there is a race condition between when the plugin checks for the existence of /tmp/.cesf and when it writes to the file, easily beaten because getXmlFromAPI() is called in between (which can take time due to network latency, etc.). If a user were able to beat the race and create a symlink of /tmp/.cesf to any file the user running conky had write access to, they could overwrite the contents of that file. In src/eve.c we have: 275 static char *getSkillname(const char *file, int skillid) 276 { ... 283 if (!file_exists(file)) { 284 skilltree = getXmlFromAPI(NULL, NULL, NULL, EVEURL_SKILLTREE); 285 writeSkilltree(skilltree, file); 286 free(skilltree); 287 } ... 337 static char *eve(char *userid, char *apikey, char *charid) 338 { 339 Character *chr = NULL; 340 const char *skillfile = "/tmp/.cesf"; ... 400 skill = getSkillname(skillfile, chr->skill); The Debian bug report has a propsed patch [3]. [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=612033 [2] https://bugs.launchpad.net/ubuntu/+source/conky/+bug/607309 [3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=612033#10
Created conky tracking bugs for this issue Affects: fedora-all [bug 676368]
Fedora conky packages are compiled without eve support.
Ah, yes, it is. Sorry about that. ./configure is missing --with-eve indeed. Thanks, I'll close the bugs.
The CVE identifier of CVE-2011-3616 has been assigned: [4] http://www.openwall.com/lists/oss-security/2011/10/10/8 to this issue.
Relevant upstream patches: [5] http://git.omp.am/?p=conky.git;a=commitdiff;h=ac4a3682aecb9d6466fea4aebb183b5f8f632905 [6] http://git.omp.am/?p=conky.git;a=commitdiff;h=70b6f35a846f7b85bd11e66c1f23feee6b369688