Package: kylin-nm
Version: 3.0.3.1-1
Severity: grave
Tags: security
Justification: user security hole

Hi,

the kylin_network_get_activecon_info() function in
src/kylin-network-interface.c uses predictable filenames under /tmp
and invokes system() on it:

| activecon *kylin_network_get_activecon_info()
| {
|     struct passwd *pwd;
|     pwd = getpwuid(getuid());
|     char *name = pwd->pw_name;
|     char *tmpPrefix = "/tmp/kylin-nm-activecon-";
|     char *chr = "nmcli connection show -active > ";
| 
|     char *cmd;
|     asprintf(&cmd, "%s%s%s", chr, tmpPrefix, name);
|     char *path;
|     asprintf(&path, "%s%s", tmpPrefix, name);
|     int status = system(cmd);
|     if (status != 0)
|         syslog(LOG_ERR, "execute 'nmcli connection show -active' in function 'kylin_network_get_activecon_info' failed");
|     free(cmd);

Predictable filenames under /tmp and executing system() on it is
highly problematic and a potential security issue. It should instead
use e.g. mkstemp() and the execl-family of functions or similar.

FTR: the same code is present also in ukui-screensaver, which seems
to have a copy of the KylinNM source code included.

regards
-mika-
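
The replacement the report suggests, mkstemp() plus an exec-family call instead of system() with a predictable /tmp name, shown as an added example (not part of the original report and not kylin-nm code). The helper name run_to_private_tmpfile and the template name are assumptions; the helper returns a file descriptor rather than a path, so nothing is reopened by name.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper, not kylin-nm code: run argv[0] without a shell and capture
 * its stdout in a mkstemp() file. Returns an fd rewound to offset 0, or -1. */
int run_to_private_tmpfile(char *const argv[])
{
    char path[] = "/tmp/activecon-XXXXXX"; /* constructed template name */
    int fd = mkstemp(path);                /* unique name, O_EXCL, mode 0600 */
    if (fd < 0)
        return -1;
    unlink(path);                          /* no name left in /tmp to race on */
    pid_t pid = fork();
    if (pid < 0) {
        close(fd);
        return -1;
    }
    if (pid == 0) {                        /* child: stdout goes to the file */
        if (dup2(fd, STDOUT_FILENO) < 0)
            _exit(127);
        close(fd);
        execvp(argv[0], argv);             /* argv passed as-is, no shell parsing */
        _exit(127);                        /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) ||
        WEXITSTATUS(status) != 0 || lseek(fd, 0, SEEK_SET) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    /* Same command as the string built in the report, as an argv vector. */
    char *const argv[] = { "nmcli", "connection", "show", "-active", NULL };
    int fd = run_to_private_tmpfile(argv);
    if (fd < 0)
        return 1;
    char buf[4096];
    ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) > 0)
        fwrite(buf, 1, (size_t)n, stdout);
    close(fd);
    return 0;
}
```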
