
Bug#919489: marked as done (inkscape: trying to use "Import Clip Art" uses fixed names in /tmp (or $TMPDIR))



Your message dated Wed, 29 Jan 2020 12:19:16 +0100
with message-id <20200129111916.GA427860@mapreri.org>
and subject line Re: Bug#919489: inkscape: trying to use "Import Clip Art" uses fixed names in /tmp (or $TMPDIR)
has caused the Debian Bug report #919489,
regarding inkscape: trying to use "Import Clip Art" uses fixed names in /tmp (or $TMPDIR)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
919489: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919489
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: inkscape
Version: 0.92.3-7+b1
Severity: normal

When I use "File»Import Clip Art…", inkscape creates the following
tree of directories with fixed names:

0 dkg@alice:~$ find $TMPDIR/openclipart -ls
  3043836      0 drwxr-xr-x   4 dkg      dkg            80 Jan 16 10:33 /home/dkg/tmp/openclipart
  3043838      0 drwxr-xr-x   2 dkg      dkg            40 Jan 16 10:33 /home/dkg/tmp/openclipart/images
  3043837      0 drwxr-xr-x   2 dkg      dkg            40 Jan 16 10:33 /home/dkg/tmp/openclipart/thumbnails
0 dkg@alice:~$ 


If $TMPDIR is unset, this happens in the globally-fixed name /tmp/openclipart.

I've tried having one user account ("attacker") create
/tmp/openclipart as a symlink to somewhere inside another user
("victim")'s home directory.  When the victim user opens inkscape and
chooses "File»Import Clip Art…" it creates the arbitrarily-named
directories "images" and "thumbnails" on their behalf.

This abuse of fixed names in /tmp is a security issue.

     --dkg

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages inkscape depends on:
ii  libaspell15            0.60.7~20110707-5
ii  libatk1.0-0            2.30.0-2
ii  libatkmm-1.6-1v5       2.28.0-2
ii  libc6                  2.28-5
ii  libcairo2              1.16.0-2
ii  libcairomm-1.0-1v5     1.12.2-4
ii  libcdr-0.1-1           0.1.5-1
ii  libdbus-1-3            1.12.12-1
ii  libdbus-glib-1-2       0.110-3
ii  libfontconfig1         2.13.1-2
ii  libfreetype6           2.9.1-3
ii  libgc1c2               1:7.6.4-0.4
ii  libgcc1                1:8.2.0-14
ii  libgdk-pixbuf2.0-0     2.38.0+dfsg-7
ii  libglib2.0-0           2.58.2-3
ii  libglibmm-2.4-1v5      2.58.0-2
ii  libgomp1               8.2.0-14
ii  libgsl23               2.5+dfsg-6
ii  libgslcblas0           2.5+dfsg-6
ii  libgtk2.0-0            2.24.32-3
ii  libgtkmm-2.4-1v5       1:2.24.5-2
ii  libgtkspell0           2.0.16-1.2
ii  libjpeg62-turbo        1:1.5.2-2+b1
ii  liblcms2-2             2.9-3
ii  libmagick++-6.q16-8    8:6.9.10.23+dfsg-2
ii  libmagickcore-6.q16-6  8:6.9.10.23+dfsg-2
ii  libmagickwand-6.q16-6  8:6.9.10.23+dfsg-2
ii  libpango-1.0-0         1.42.4-6
ii  libpangocairo-1.0-0    1.42.4-6
ii  libpangoft2-1.0-0      1.42.4-6
ii  libpangomm-1.4-1v5     2.42.0-2
ii  libpng16-16            1.6.36-2
ii  libpoppler-glib8       0.71.0-2
ii  libpoppler82           0.71.0-2
ii  libpopt0               1.16-11
ii  libpotrace0            1.15-1
ii  librevenge-0.0-0       0.0.4-6
ii  libsigc++-2.0-0v5      2.10.1-2
ii  libstdc++6             8.2.0-14
ii  libvisio-0.1-1         0.1.6-1+b2
ii  libwpg-0.3-3           0.3.3-1
ii  libx11-6               2:1.6.7-1
ii  libxml2                2.9.4+dfsg1-7+b3
ii  libxslt1.1             1.1.32-2
ii  python                 2.7.15-3
ii  zlib1g                 1:1.2.11.dfsg-1

Versions of packages inkscape recommends:
ii  aspell                           0.60.7~20110707-5
ii  fig2dev [transfig]               1:3.2.7a-3
ii  imagemagick                      8:6.9.10.23+dfsg-2
ii  imagemagick-6.q16 [imagemagick]  8:6.9.10.23+dfsg-2
pn  libimage-magick-perl             <none>
pn  libwmf-bin                       <none>
ii  python-lxml                      4.2.5-1
ii  python-numpy                     1:1.16.0~rc2-2
pn  python-scour                     <none>

Versions of packages inkscape suggests:
ii  dia                  0.97.3+git20160930-8.1
ii  inkscape-tutorials   0.92.3-7
pn  libsvg-perl          <none>
pn  libxml-xql-perl      <none>
pn  pstoedit             <none>
pn  python-uniconvertor  <none>
ii  ruby                 1:2.5.1

-- no debconf information

--- End Message ---
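
Added example, not part of the bug report and not Inkscape's code: one way to avoid the fixed-name pattern reported above is to create the cache directory with mkdtemp() and to create "images" and "thumbnails" relative to a directory descriptor opened with O_NOFOLLOW. The function names open_trusted_dir and make_private_cache and the "openclipart-XXXXXX" template are assumptions made for this sketch.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open an existing directory only if it is a real directory (not a symlink),
 * owned by us, and not writable by group/other. The checks run on the opened
 * descriptor, so there is no window between check and use. Returns fd or -1. */
int open_trusted_dir(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;              /* fails when the final component is a symlink */
    if (fstat(fd, &st) != 0 || st.st_uid != geteuid() ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Create <base>/openclipart-XXXXXX (unique name, mode 0700) with mkdtemp(),
 * then create both subdirectories relative to the directory descriptor.
 * The resulting path is written to out. Returns 0 on success, -1 on failure. */
int make_private_cache(const char *base, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/openclipart-XXXXXX", base);
    if (n < 0 || (size_t)n >= outlen || mkdtemp(out) == NULL)
        return -1;
    int fd = open_trusted_dir(out);
    if (fd < 0)
        return -1;
    int rc = (mkdirat(fd, "images", 0700) == 0 &&
              mkdirat(fd, "thumbnails", 0700) == 0) ? 0 : -1;
    close(fd);
    return rc;
}

int main(void)
{
    char dir[4096];
    const char *base = getenv("TMPDIR");    /* $TMPDIR first, then /tmp */
    if (make_private_cache(base && *base ? base : "/tmp", dir, sizeof dir) != 0)
        return 1;
    printf("private cache: %s\n", dir);
    return 0;
}
```

O_NOFOLLOW only guards the final path component, so the base directory itself still has to be one the user trusts (their own $TMPDIR, or a sticky /tmp).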
--- Begin Message ---
Version: 1.0_beta2-1

On Tue, Jan 22, 2019 at 03:43:42PM +0100, Mattia Rizzolo wrote:
> Control: forwarded -1 https://bugs.launchpad.net/inkscape/+bug/1812862
> Control: tags -1 upstream
> 
> On Wed, Jan 16, 2019 at 10:45:59AM -0500, Daniel Kahn Gillmor wrote:
> > This abuse of fixed names in /tmp is a security issue.
> 
> Forwarded upstream, thank you.

The whole clip art thing has been removed in this version, so I'm
closing this bug.

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
More about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-



--- End Message ---
