Your message dated Wed, 29 Jan 2020 12:19:16 +0100
with message-id <20200129111916.ga427...@mapreri.org>
and subject line Re: Bug#919489: inkscape: trying to use "Import Clip Art" uses
fixed names in /tmp (or $TMPDIR)
has caused the Debian Bug report #919489,
regarding inkscape: trying to use "Import Clip Art" uses fixed names in /tmp
(or $TMPDIR)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
919489: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919489
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: inkscape
Version: 0.92.3-7+b1
Severity: normal
when i use "File»Import Clip Art…", inkscape creates the following
tree of directories with fixed names:
0 dkg@alice:~$ find $TMPDIR/openclipart -ls
3043836 0 drwxr-xr-x 4 dkg dkg 80 Jan 16 10:33
/home/dkg/tmp/openclipart
3043838 0 drwxr-xr-x 2 dkg dkg 40 Jan 16 10:33
/home/dkg/tmp/openclipart/images
3043837 0 drwxr-xr-x 2 dkg dkg 40 Jan 16 10:33
/home/dkg/tmp/openclipart/thumbnails
0 dkg@alice:~$
if $TMPDIR is unset, this happens in the globally-fixed name /tmp/openclipart
I've tried having one user account ("attacker") create
/tmp/openclipart as a symlink to somewhere inside another user
("victim")'s home directory. when the victim user opens inkscape and
chooses "File»Import Clip Art…" it creates the arbitrarily-named
directories "images" and "thumbnails" on their behalf.
This abuse of fixed names in /tmp is a security issue.
--dkg
-- System Information:
Debian Release: buster/sid
APT prefers testing-debug
APT policy: (500, 'testing-debug'), (500, 'testing'), (200,
'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1,
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages inkscape depends on:
ii libaspell15 0.60.7~20110707-5
ii libatk1.0-0 2.30.0-2
ii libatkmm-1.6-1v5 2.28.0-2
ii libc6 2.28-5
ii libcairo2 1.16.0-2
ii libcairomm-1.0-1v5 1.12.2-4
ii libcdr-0.1-1 0.1.5-1
ii libdbus-1-3 1.12.12-1
ii libdbus-glib-1-2 0.110-3
ii libfontconfig1 2.13.1-2
ii libfreetype6 2.9.1-3
ii libgc1c2 1:7.6.4-0.4
ii libgcc1 1:8.2.0-14
ii libgdk-pixbuf2.0-0 2.38.0+dfsg-7
ii libglib2.0-0 2.58.2-3
ii libglibmm-2.4-1v5 2.58.0-2
ii libgomp1 8.2.0-14
ii libgsl23 2.5+dfsg-6
ii libgslcblas0 2.5+dfsg-6
ii libgtk2.0-0 2.24.32-3
ii libgtkmm-2.4-1v5 1:2.24.5-2
ii libgtkspell0 2.0.16-1.2
ii libjpeg62-turbo 1:1.5.2-2+b1
ii liblcms2-2 2.9-3
ii libmagick++-6.q16-8 8:6.9.10.23+dfsg-2
ii libmagickcore-6.q16-6 8:6.9.10.23+dfsg-2
ii libmagickwand-6.q16-6 8:6.9.10.23+dfsg-2
ii libpango-1.0-0 1.42.4-6
ii libpangocairo-1.0-0 1.42.4-6
ii libpangoft2-1.0-0 1.42.4-6
ii libpangomm-1.4-1v5 2.42.0-2
ii libpng16-16 1.6.36-2
ii libpoppler-glib8 0.71.0-2
ii libpoppler82 0.71.0-2
ii libpopt0 1.16-11
ii libpotrace0 1.15-1
ii librevenge-0.0-0 0.0.4-6
ii libsigc++-2.0-0v5 2.10.1-2
ii libstdc++6 8.2.0-14
ii libvisio-0.1-1 0.1.6-1+b2
ii libwpg-0.3-3 0.3.3-1
ii libx11-6 2:1.6.7-1
ii libxml2 2.9.4+dfsg1-7+b3
ii libxslt1.1 1.1.32-2
ii python 2.7.15-3
ii zlib1g 1:1.2.11.dfsg-1
Versions of packages inkscape recommends:
ii aspell 0.60.7~20110707-5
ii fig2dev [transfig] 1:3.2.7a-3
ii imagemagick 8:6.9.10.23+dfsg-2
ii imagemagick-6.q16 [imagemagick] 8:6.9.10.23+dfsg-2
pn libimage-magick-perl <none>
pn libwmf-bin <none>
ii python-lxml 4.2.5-1
ii python-numpy 1:1.16.0~rc2-2
pn python-scour <none>
Versions of packages inkscape suggests:
ii dia 0.97.3+git20160930-8.1
ii inkscape-tutorials 0.92.3-7
pn libsvg-perl <none>
pn libxml-xql-perl <none>
pn pstoedit <none>
pn python-uniconvertor <none>
ii ruby 1:2.5.1
-- no debconf information
--- End Message ---
--- Begin Message ---
Version: 1.0_beta2-1
On Tue, Jan 22, 2019 at 03:43:42PM +0100, Mattia Rizzolo wrote:
> Control: forwarded -1 https://bugs.launchpad.net/inkscape/+bug/1812862
> Control: tags -1 upstream
>
> On Wed, Jan 16, 2019 at 10:45:59AM -0500, Daniel Kahn Gillmor wrote:
> > This abuse of fixed names in /tmp is a security issue.
>
> Forwarded upstream, thank you.
The whole clip part thing has been removed in this version, so I'm
closing this bug.
--
regards,
Mattia Rizzolo
GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`.
More about me: https://mapreri.org : :' :
Launchpad user: https://launchpad.net/~mapreri `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia `-
signature.asc
Description: PGP signature
--- End Message ---
