Bug 892299 - CVE-2013-0159 predictable file name used in /tmp to generate pdf output [fedora-all]
Summary: CVE-2013-0159 predictable file name used in /tmp to generate pdf output [fedo...
Alias: None
Product: Fedora
Classification: Fedora
Component: fedora-business-cards
Version: 18
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Ian Weller
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks: CVE-2013-0159
TreeView+ depends on / blocked
Reported: 2013-01-06 12:56 UTC by Michael S.
Modified: 2013-09-09 15:39 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Release Note
Doc Text:
Clone Of:
Last Closed: 2013-09-09 07:58:38 UTC
Type: Bug

Attachments (Terms of Use)
use a proper temporary random filename, and clean file after (3.62 KB, patch)
2013-01-06 12:56 UTC, Michael S.
no flags Details | Diff

Description Michael S. 2013-01-06 12:56:14 UTC
Created attachment 673347 [details]
use a proper temporary random filename, and clean file after

fedora-business-cards use a temporary file named /tmp/fedora-business-cards-buffer.svg. 

Since /tmp is world writable, anyone could either block the script with a suitable file ( ie, the same filename, with restrictive permission ), or using symlink, could overwrite one of the file of someone else running the script ( ln -s ~yourlogin/.ssh/id_rsa.pub /tmp/fedora-business-cards-buffer.svg )

( for the record, the last case should be blocked on Linux with 3.6 and fs.protected_symlinks turned on ). 

Here is a patch that should fix the issue against latest HEAD.

No CVE have been assigned so far, and AFAIK, packager is also upstream developer.

Comment 1 Ian Weller 2013-01-06 20:59:15 UTC
Ugh, did you really have to make this private?

I'll put this on the list of things to do for the next release that I've been working off and on for about two years now.

Comment 2 Michael S. 2013-01-06 21:19:35 UTC
Sorry if that caused trouble, I prefer to be on the safe side since I do not know where fedora-business-cards is used. I think I can lift the restriction later if you prefer once that's patched and corrected. 

There is nothing secret or private per se, and I am all for being public as much as possible.

Comment 3 Vincent Danen 2013-01-07 22:18:30 UTC
Thanks for this report.  I've made this bug public and filed bug #892815  as a top-level security bug (CVE-2013-0159).

Comment 4 Ian Weller 2013-01-07 22:36:25 UTC
Thanks, Vincent.

I'll see about getting this fixed in the 0.3.x branch and pushing a release for that ASAP.

Comment 5 Ian Weller 2013-01-07 22:38:04 UTC
Actually I'm going to go ahead and apply this patch to f-b-c in the releases I can apply it to, and then push it out.

Thanks for the patch, Michael.

Comment 6 Ian Weller 2013-01-07 23:36:37 UTC
Hey Michael,

I ended up having to modify your patch just a bit -- svg_to_file() does still need a filename argument for exporting directly to SVG.


With this patch, is there any security issue? As far as I can tell, the only time this is called with a filename is with the argument "front.svg" or "back.svg".

Comment 7 Michael S. 2013-01-08 00:05:10 UTC
I do not see any obvious problem, as long as no one use a filename in /tmp as 2nd argument.

Comment 9 Ian Weller 2013-05-16 20:06:34 UTC
Security team,

This bug still isn't marked as public. Can I get that fixed?

Comment 10 Tomas Hoger 2013-05-17 07:50:28 UTC
(In reply to comment #9)
> This bug still isn't marked as public. Can I get that fixed?


Comment 11 Ian Weller 2013-09-09 07:58:38 UTC
Version 1 beta 1 is in F19 now.

Comment 12 Tomas Hoger 2013-09-09 08:06:33 UTC
F18 update is still in testing:


which got a complaint a while ago:

patches (proventesters) - 2013-08-04 03:15:11
This *security* update has been in updates-testing for over a month! Please push it stable or remove it if it is obsolete.

Comment 13 Ian Weller 2013-09-09 15:39:35 UTC
Requested stable.

Note You need to log in before you can comment on or make changes to this bug.