Your message dated Wed, 29 Jan 2020 12:19:16 +0100
with message-id <20200129111916.GA427860@mapreri.org>
and subject line Re: Bug#919489: inkscape: trying to use "Import Clip Art" uses fixed names in /tmp (or $TMPDIR)
has caused the Debian Bug report #919489,
regarding inkscape: trying to use "Import Clip Art" uses fixed names in /tmp (or $TMPDIR)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

-- 
919489: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919489
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: inkscape: trying to use "Import Clip Art" uses fixed names in /tmp (or $TMPDIR)
- From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
- Date: Wed, 16 Jan 2019 10:45:59 -0500
- Message-id: <154765355914.1967.9131547528175060173.reportbug@alice.fifthhorseman.net>
Package: inkscape
Version: 0.92.3-7+b1
Severity: normal

When I use "File»Import Clip Art…", inkscape creates the following tree of
directories with fixed names:

0 dkg@alice:~$ find $TMPDIR/openclipart -ls
3043836      0 drwxr-xr-x   4 dkg      dkg            80 Jan 16 10:33 /home/dkg/tmp/openclipart
3043838      0 drwxr-xr-x   2 dkg      dkg            40 Jan 16 10:33 /home/dkg/tmp/openclipart/images
3043837      0 drwxr-xr-x   2 dkg      dkg            40 Jan 16 10:33 /home/dkg/tmp/openclipart/thumbnails
0 dkg@alice:~$ 

If $TMPDIR is unset, this happens in the globally-fixed name /tmp/openclipart.

I've tried having one user account ("attacker") create /tmp/openclipart as a
symlink to somewhere inside another user ("victim")'s home directory. When
the victim user opens inkscape and chooses "File»Import Clip Art…" it
creates the arbitrarily-named directories "images" and "thumbnails" on
their behalf.

This abuse of fixed names in /tmp is a security issue.

--dkg

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages inkscape depends on:
ii  libaspell15            0.60.7~20110707-5
ii  libatk1.0-0            2.30.0-2
ii  libatkmm-1.6-1v5       2.28.0-2
ii  libc6                  2.28-5
ii  libcairo2              1.16.0-2
ii  libcairomm-1.0-1v5     1.12.2-4
ii  libcdr-0.1-1           0.1.5-1
ii  libdbus-1-3            1.12.12-1
ii  libdbus-glib-1-2       0.110-3
ii  libfontconfig1         2.13.1-2
ii  libfreetype6           2.9.1-3
ii  libgc1c2               1:7.6.4-0.4
ii  libgcc1                1:8.2.0-14
ii  libgdk-pixbuf2.0-0     2.38.0+dfsg-7
ii  libglib2.0-0           2.58.2-3
ii  libglibmm-2.4-1v5      2.58.0-2
ii  libgomp1               8.2.0-14
ii  libgsl23               2.5+dfsg-6
ii  libgslcblas0           2.5+dfsg-6
ii  libgtk2.0-0            2.24.32-3
ii  libgtkmm-2.4-1v5       1:2.24.5-2
ii  libgtkspell0           2.0.16-1.2
ii  libjpeg62-turbo        1:1.5.2-2+b1
ii  liblcms2-2             2.9-3
ii  libmagick++-6.q16-8    8:6.9.10.23+dfsg-2
ii  libmagickcore-6.q16-6  8:6.9.10.23+dfsg-2
ii  libmagickwand-6.q16-6  8:6.9.10.23+dfsg-2
ii  libpango-1.0-0         1.42.4-6
ii  libpangocairo-1.0-0    1.42.4-6
ii  libpangoft2-1.0-0      1.42.4-6
ii  libpangomm-1.4-1v5     2.42.0-2
ii  libpng16-16            1.6.36-2
ii  libpoppler-glib8       0.71.0-2
ii  libpoppler82           0.71.0-2
ii  libpopt0               1.16-11
ii  libpotrace0            1.15-1
ii  librevenge-0.0-0       0.0.4-6
ii  libsigc++-2.0-0v5      2.10.1-2
ii  libstdc++6             8.2.0-14
ii  libvisio-0.1-1         0.1.6-1+b2
ii  libwpg-0.3-3           0.3.3-1
ii  libx11-6               2:1.6.7-1
ii  libxml2                2.9.4+dfsg1-7+b3
ii  libxslt1.1             1.1.32-2
ii  python                 2.7.15-3
ii  zlib1g                 1:1.2.11.dfsg-1

Versions of packages inkscape recommends:
ii  aspell                        0.60.7~20110707-5
ii  fig2dev [transfig]            1:3.2.7a-3
ii  imagemagick                   8:6.9.10.23+dfsg-2
ii  imagemagick-6.q16 [imagemagick]  8:6.9.10.23+dfsg-2
pn  libimage-magick-perl          <none>
pn  libwmf-bin                    <none>
ii  python-lxml                   4.2.5-1
ii  python-numpy                  1:1.16.0~rc2-2
pn  python-scour                  <none>

Versions of packages inkscape suggests:
ii  dia                  0.97.3+git20160930-8.1
ii  inkscape-tutorials   0.92.3-7
pn  libsvg-perl          <none>
pn  libxml-xql-perl      <none>
pn  pstoedit             <none>
pn  python-uniconvertor  <none>
ii  ruby                 1:2.5.1

-- no debconf information
--- End Message ---
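The symlink scenario dkg describes, as an added example that is not part of the bug report and is not Inkscape's own code: a Python simulation of the old fixed-name pattern beside a hardened one. The function names (`vulnerable_setup`, `hardened_setup`, `is_private_dir`, `demo`) are this example's own. The "attacker" and "victim" are simulated under a single uid inside a scratch directory that stands in for the shared /tmp and for the victim's home, so it runs offline without touching the real /tmp.

```python
"""Fixed-name /tmp directory vs. a hardened alternative.

Added example (not Inkscape's code). Simulates the scenario from the bug
report under a single uid: a scratch "tmp" directory stands in for the
shared /tmp, and "victim_home" stands in for the victim's home directory.
The "attacker" pre-creates the predictable name as a symlink into
victim_home; the "victim" then runs the cache-setup routine.
"""
import os
import stat
import tempfile

CACHE_NAME = "openclipart"          # fixed name reported in the bug
SUBDIRS = ("images", "thumbnails")  # subdirectories the dialog created


def vulnerable_setup(shared_tmp):
    """Old pattern: fixed, predictable path under the shared tmp directory.

    os.makedirs follows an existing symlink at shared_tmp/openclipart, so the
    subdirectories are created wherever the link points.
    """
    base = os.path.join(shared_tmp, CACHE_NAME)
    for sub in SUBDIRS:
        os.makedirs(os.path.join(base, sub), exist_ok=True)
    return base


def hardened_setup(shared_tmp):
    """Hardened pattern: fresh, unpredictable, mode 0700 directory per run.

    mkdtemp creates the directory exclusively with a random suffix, so a
    pre-planted name or symlink never collides with it.  The subdirectories
    use os.mkdir rather than os.makedirs: if something already exists at
    that path (a planted symlink, say), mkdir raises FileExistsError
    instead of silently following it.
    """
    base = tempfile.mkdtemp(prefix=CACHE_NAME + "-", dir=shared_tmp)
    for sub in SUBDIRS:
        os.mkdir(os.path.join(base, sub), 0o700)
    return base


def is_private_dir(path):
    """Sanity check before reusing an existing cache directory (POSIX only).

    Uses lstat, which does not follow symlinks, so a planted link fails the
    S_ISDIR test.  Also requires that we own it and that group/other cannot
    write to it.  Check-then-use is still a race; use this to reject
    obviously bad state, and rely on mkdtemp for creation.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    return (stat.S_ISDIR(st.st_mode)
            and st.st_uid == os.getuid()
            and not (st.st_mode & 0o022))


def attacker_plants_symlink(shared_tmp, target):
    """Attacker step: claim the predictable name as a symlink into the victim's home."""
    os.symlink(target, os.path.join(shared_tmp, CACHE_NAME))


def demo():
    """Run both setup routines against a planted symlink.

    Returns, per routine, which of the fixed-name subdirectories ended up in
    victim_home and whether the routine's base directory passes is_private_dir.
    """
    results = {}
    for name, setup in (("vulnerable", vulnerable_setup),
                        ("hardened", hardened_setup)):
        with tempfile.TemporaryDirectory() as sandbox:
            shared_tmp = os.path.join(sandbox, "tmp")        # stands in for /tmp
            victim_home = os.path.join(sandbox, "victim_home")
            os.mkdir(shared_tmp)
            os.mkdir(victim_home)
            attacker_plants_symlink(shared_tmp, victim_home)
            base = setup(shared_tmp)
            results[name] = {
                "leaked_into_victim_home": sorted(
                    d for d in os.listdir(victim_home) if d in SUBDIRS),
                "base_passes_check": is_private_dir(base),
            }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

With the symlink planted, `vulnerable_setup` creates `images` and `thumbnails` inside the simulated victim home, exactly the behaviour the report describes, while `hardened_setup` never touches the planted name. `tempfile.mkdtemp` honours `$TMPDIR` when called without `dir`, so it also covers the reporter's `$TMPDIR` case. The `is_private_dir` check is a guard for reusing a directory across runs, not a substitute for exclusive creation: the window between the check and the use is itself a race.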
--- Begin Message ---
- To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 919489-close@bugs.debian.org
- Subject: Re: Bug#919489: inkscape: trying to use "Import Clip Art" uses fixed names in /tmp (or $TMPDIR)
- From: Mattia Rizzolo <mattia@debian.org>
- Date: Wed, 29 Jan 2020 12:19:16 +0100
- Message-id: <20200129111916.GA427860@mapreri.org>
- In-reply-to: <20190122144341.GG28672@mapreri.org>
- References: <154765355914.1967.9131547528175060173.reportbug@alice.fifthhorseman.net> <154765355914.1967.9131547528175060173.reportbug@alice.fifthhorseman.net> <20190122144341.GG28672@mapreri.org>
Version: 1.0_beta2-1

On Tue, Jan 22, 2019 at 03:43:42PM +0100, Mattia Rizzolo wrote:
> Control: forwarded -1 https://bugs.launchpad.net/inkscape/+bug/1812862
> Control: tags -1 upstream
> 
> On Wed, Jan 16, 2019 at 10:45:59AM -0500, Daniel Kahn Gillmor wrote:
> > This abuse of fixed names in /tmp is a security issue.
> 
> Forwarded upstream, thank you.

The whole clip art thing has been removed in this version, so I'm closing
this bug.

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540      .''`.
More about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-

Attachment: signature.asc
Description: PGP signature
--- End Message ---