Description of problem: gnucash ignores env vars TMP TMPDIR TEMP TEMPDIR and happily opens with modes O_WRONLY|O_CREAT|O_TRUNC (forgets O_EXCL), allowing easy overwrite of gnucash user's files in case of many users on the same system or some evil program having access to /tmp. Version-Release number of selected component (if applicable): 2.0.4-1 How reproducible: always Steps to Reproduce: 1. start gnucash 2. 3. Actual results: 19621 17:56:45.850053 open("/tmp/gnucash.trace", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = -1 EISDIR (Is a directory) <0.000034> 19621 17:56:45.850143 open("/tmp/qof.trace", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = -1 EISDIR (Is a directory) <0.000028> 19621 17:56:45.850271 open("/tmp/qof.trace.19621", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 19 <0.000200> Expected results: using my temp dirs or flag O_EXCL to open(). Additional info:
I'm giving this CVE-2007-0007. Sami, do you mind if I share this information with the Vendor Security mailing list? It is a group of trusted vendors who would appreciate a notification of this flaw. Additionally do you have a date in mind to make this flaw public? If you don't care, I'd be happy to work one out with the other affected vendors. Thanks for the report.
You can do the CVE dance and share the info. You can work out the publication if you want to... but if you forget to do it, I do it on Feb 19 2007. If you need to use my email, safari-fedora.fi is for that purpose, let's use this bugzilla email for bugzilla.
This flaw is now public: http://secunia.com/advisories/24225/
gnucash-2.0.5-1.fc6 has been pushed for fc6, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report.