Comment 13 for bug 2044373

fossfreedom (fossfreedom) wrote : Re: [Bug 2044373] Re: CVEs to resolve multi-user accessibility of multiple extras applets and applications

Mark. 14th would be great

David

On Wed, 6 Dec 2023, 17:51 Mark Esler, <email address hidden> wrote:

> Thanks Nishit.
>
> David, can we set the CRD to December 14th?
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/2044373
>
> Title:
> CVEs to resolve multi-user accessibility of multiple extras applets
> and applications
>
> Status in budgie-extras package in Ubuntu:
> New
> Status in budgie-extras source package in Jammy:
> New
> Status in budgie-extras source package in Lunar:
> New
> Status in budgie-extras source package in Mantic:
> New
> Status in budgie-extras source package in Noble:
> New
>
> Bug description:
> Tracking bug report
>
> DRAFT TO BE COMPLETED
>
> [ Impact ]
>
> * The Ubuntu Budgie team have been notified of several issues that
> require CVEs to be assigned to the budgie-extras package in mantic.
> budgie-extras is specific to the budgie-desktop and is in the universe
> repo. No other flavours use this package.
>
> The recommendation from the opensuse security team is for one CVE per
> binary. The report details 4 potential CVEs. Analysis by the UB team
> has determined a further two CVEs are warranted since the issues
> identified apply to two further binaries.
>
> Thus a total of 6 CVEs.
>
> All the CVEs are based around a similar issue - usage of temporary
> files in /tmp which are easily guessable for a system with two or more
> users - one user could in theory craft temporary files that would
> impact another user of these budgie based binaries.
>
> [ Test Plan ]
>
> * Since this issue has now switched the stored location to user-space
> the test plan needs to:
> a) ensure the existing capabilities work as expected;
> b) verify that /tmp is NOT being used and that the transitory files are
> being written to the user-space locations i.e. $XDG_RUNTIME_DIR or $HOME
> are being used instead.
>
> Use the following notify script (save as ~/notifydir.sh and chmod +x
> ~/notifydir.sh) to watch a folder - run it in three tilix sessions:
>
> #!/bin/bash
>
> # Directory to watch is passed as the first argument
> monitor_path="$1"
>
> # Report every file created in or moved into the watched directory
> inotifywait -m "$monitor_path" -e create -e moved_to |
> while read -r path action file; do
> echo "The file '$file' appeared in directory '$path' via '$action'"
> ls -la "$path/$file"
> done
>
> i.e. in session 1 run ~/notifydir.sh /tmp
> in session 2 run ~/notifydir.sh $XDG_RUNTIME_DIR
> in session 3 run ~/notifydir.sh $HOME
>
> 1. From budgie desktop settings add one of the affected applets:
> budgie-takeabreak
> budgie-dropby
> budgie-clockworks
> budgie-weathershow
>
> 2a. For takeabreak enable a takeabreak action.
> 2b. For dropby, insert a USB stick and mount the stick
> 2c. For clockworks create another clock
> 2d. For weathershow - change to another location and open the popup to
> show the weather
> 3. For all of the above examine the tilix sessions. Session 1 should not
> show temporary files being written in /tmp. Note you will see other
> temporary files for the operating system in general but that should be
> expected
>
> Session 2 for UB should show files being written.
>
> Session 3 for UB should not show any screenshot files being written.
> This is as expected because UB should not normally use the fallback folder.
> 4. Repeat for the other applets
> 5. Repeat but enable budgie window previews by the menu application
> (search for previews)
> 6. Repeat but enable budgie window shuffler by the menu application
> (search for shuffler)
>
> [ Where problems could occur ]
>
> * The issue is specific to budgie-desktop users only and is limited to
> one specific capability of budgie i.e. a specific applet or budgie
> application (window previews/window shuffler)
> * If the user space locations - XDG_RUNTIME_DIR or HOME do not exist
> then the applet/budgie application will not capture the image. It is
> considered that it is highly unlikely that a budgie-desktop user will be
> attempting to run a session without a HOME folder location i.e. the
> ultimate fallback each applet/budgie application requires
>
> [ Other Info ]
>
> * The budgie team have tested the above for jammy, lunar and mantic.
> The testing involves applying the debdiffs for each series and building
> via sbuild. The applet/application binaries have then been installed via
> sudo apt install ./appletapplication.deb
> * For noble there will be a version bump from github - v1.7.1 that has
> been/will be uploaded first to Debian unstable before syncing to noble.
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/budgie-extras/+bug/2044373/+subscriptions
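The bug description quoted above names guessable file names in the shared /tmp directory as the root issue and moves transient files to $XDG_RUNTIME_DIR, with $HOME as the fallback. The Python below is an added example written for this page, not budgie-extras code: the function names, the `.cache/budgie-extras-example` fallback sub-directory and the sample environments are assumptions. It puts the weak pattern beside a hardened one: pick the per-user directory in the order the test plan describes, do nothing when neither location exists (the report says the image is simply not captured), and create the file with `mkstemp` so its name is unpredictable and it is opened exclusively with mode 0600.

```python
"""Added example (not budgie-extras code): per-user locations for transient
files instead of a fixed, guessable path in the shared /tmp directory.

Assumptions (not taken from the bug report): all function names, the
fallback sub-directory ".cache/budgie-extras-example", and the constructed
environment dictionaries in run_scenarios().
"""
import os
import stat
import tempfile


def weak_temp_path(name: str) -> str:
    """The pattern the CVEs describe: a fixed name under the world-writable
    /tmp, so on a multi-user system any local user can pre-create it."""
    return os.path.join("/tmp", name)


def choose_runtime_dir(env=None):
    """Return a per-user directory for transient files, or None.

    Order follows the test plan: $XDG_RUNTIME_DIR first (per-user, created
    0700 by the session manager), then a private directory under $HOME.
    If neither exists, return None so the caller skips the operation.
    """
    env = os.environ if env is None else env
    runtime = env.get("XDG_RUNTIME_DIR")
    if runtime and os.path.isdir(runtime):
        return runtime
    home = env.get("HOME")
    if home and os.path.isdir(home):
        # Sub-directory name is an assumption for this example.
        fallback = os.path.join(home, ".cache", "budgie-extras-example")
        os.makedirs(fallback, mode=0o700, exist_ok=True)
        return fallback
    return None


def create_private_file(directory: str, prefix: str = "shot-",
                        suffix: str = ".png") -> str:
    """Create an unpredictable, owner-only file inside `directory`.

    mkstemp opens with O_CREAT|O_EXCL and mode 0600, so a pre-existing file
    or symlink of the same name is never followed or overwritten.
    """
    fd, path = tempfile.mkstemp(prefix=prefix, suffix=suffix, dir=directory)
    os.close(fd)
    return path


def is_owner_only(path: str) -> bool:
    """True if `path` is a regular file owned by us with no group/other bits."""
    st = os.lstat(path)
    return (stat.S_ISREG(st.st_mode)
            and st.st_uid == os.getuid()
            and (st.st_mode & 0o077) == 0)


def uses_shared_tmp(path: str) -> bool:
    """Flag paths that still resolve into the shared temporary directory;
    this is the check the inotifywait session on /tmp performs by eye."""
    return os.path.realpath(path).startswith(os.path.realpath("/tmp") + os.sep)


def run_scenarios():
    """Constructed environments mirroring the cases in the test plan.

    Returns (runtime_dir_used, home_fallback_used, nothing_available,
    created_file_is_private).
    """
    with tempfile.TemporaryDirectory() as rt, tempfile.TemporaryDirectory() as home:
        picked_rt = choose_runtime_dir({"XDG_RUNTIME_DIR": rt, "HOME": home}) == rt
        fallback = choose_runtime_dir({"HOME": home})
        picked_home = fallback is not None and fallback.startswith(home + os.sep)
        nothing = choose_runtime_dir({}) is None
        path = create_private_file(rt)
        private = is_owner_only(path)
        os.unlink(path)
    return picked_rt, picked_home, nothing, private


if __name__ == "__main__":
    print(run_scenarios())
    print(uses_shared_tmp(weak_temp_path("budgie-preview.png")))
```

Pointing the watch script from the test plan at the directory `choose_runtime_dir()` returns, rather than at /tmp, is the same check the report's sessions 2 and 3 perform: files should appear under $XDG_RUNTIME_DIR and, for a normal session, never under the $HOME fallback.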