Package: xbindkeys-config
Version: 0.1.3-2
Severity: important
Tags: security
If you use this program and "view generated file", the current output
will be saved to the file /tmp/xbindkeysrc-tmp.
This allows the corruption of any file the user has permission to write
to.
Later this predictable file is used to execute commands:
/*****************************************************************************/
void middle_apply_action(GtkWidget *parent, void *data)
{
    unlink(TEMP_FILE);                  /* TEMP_FILE is the fixed /tmp/xbindkeysrc-tmp */
    save_file(TEMP_FILE);               /* rewritten at the same predictable name */
    system("killall -9 xbindkeys");
    usleep(500);
    /* printf("****\n\noutput = %d\n\n****",system("xbindkeys -f " TEMP_FILE ));
    */
    system("xbindkeys -f " TEMP_FILE ); /* the predictable file is then handed to xbindkeys,
                                           which runs the commands it contains */
}
Really most of this complexity could go away if we just assumed the
editor would write to a file the user specified, or ~/.xbindkeysrc.
Given the number of bugs that have been untouched for a long time this
package should probably not go into the Jessie release without a good
update.
Regardless, this is a classic case of insecure temporary files and should
almost certainly have a CVE ID allocated.
Steve
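As an added illustration (not code from xbindkeys-config and not part of the report above), the C program below reproduces the symlink clobber that a fixed name like /tmp/xbindkeysrc-tmp invites, next to what a fix would use instead: mkstemp() in a directory assumed to be user-private, an O_EXCL|O_NOFOLLOW open that refuses a pre-placed link, and fork/execvp in place of system(). The victim file, the attacker's symlink and the scratch directory are all constructed for the demo inside a private mkdtemp() directory, so the real /tmp/xbindkeysrc-tmp is never touched; the user-private directory is an assumption passed in as a parameter.

```c
/* Added example, not xbindkeys-config code: the report's unsafe save pattern
 * beside a hardened one, exercised only inside a private scratch directory. */
#define _DEFAULT_SOURCE
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* The report's pattern: open a fixed, predictable name and truncate it.
 * O_CREAT without O_EXCL follows a symlink an attacker left at that name, so
 * whatever it points at (any file the user may write) gets clobbered. */
int unsafe_save(const char *path, const char *contents)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    ssize_t n = write(fd, contents, strlen(contents));
    close(fd);
    return n == (ssize_t)strlen(contents) ? 0 : -1;
}

/* Hardened: mkstemp() picks an unpredictable name and opens it with
 * O_CREAT|O_EXCL, mode 0600, so a pre-placed file or link makes it fail
 * rather than be followed. 'dir' is assumed user-private (e.g.
 * $XDG_RUNTIME_DIR); the path actually used is returned in 'path'. */
int safe_save(const char *dir, char *path, size_t pathlen, const char *contents)
{
    int n = snprintf(path, pathlen, "%s/xbindkeysrc-XXXXXX", dir);
    if (n < 0 || (size_t)n >= pathlen) return -1;
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    ssize_t w = write(fd, contents, strlen(contents));
    close(fd);
    return w == (ssize_t)strlen(contents) ? 0 : -1;
}

/* Replacement for system("xbindkeys -f " TEMP_FILE): no shell, the path is a
 * single argv element, and the child's exit status comes back (-1 on error). */
int run_argv(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

static int file_contains(const char *path, const char *expect)
{
    char buf[128] = {0};
    int fd = open(path, O_RDONLY);
    if (fd < 0) return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    return n >= 0 && strcmp(buf, expect) == 0;
}

/* Constructed scenario: a victim file and an attacker symlink at the
 * "predictable" name, inside a private mkdtemp() directory so the real
 * /tmp/xbindkeysrc-tmp is never touched. Returns a bitmask: 1 = unsafe_save()
 * followed the link and overwrote the victim; 2 = an O_EXCL|O_NOFOLLOW open
 * of that name refused with EEXIST; 4 = safe_save() wrote a fresh 0600 file. */
int demo_symlink_clobber(void)
{
    char dir[] = "/tmp/xbk-demo-XXXXXX";
    if (!mkdtemp(dir)) return -1;
    char victim[256], link[256], fresh[256];
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(link, sizeof link, "%s/xbindkeysrc-tmp", dir);
    int result = 0;
    if (unsafe_save(victim, "precious data\n") == 0 && symlink(victim, link) == 0) {
        unsafe_save(link, "attacker-chosen contents\n");
        if (file_contains(victim, "attacker-chosen contents\n")) result |= 1;
        int fd = open(link, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
        if (fd < 0 && errno == EEXIST) result |= 2;
        else if (fd >= 0) close(fd);
        struct stat st;
        if (safe_save(dir, fresh, sizeof fresh, "user config\n") == 0
            && stat(fresh, &st) == 0 && (st.st_mode & 0777) == 0600
            && file_contains(fresh, "user config\n")) {
            result |= 4;
            unlink(fresh);
        }
    }
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return result;   /* 7 when all three behaviours are observed */
}
```

demo_symlink_clobber() returns 7 on a normal Linux box: the O_TRUNC open through the link is the corruption the report describes, the O_EXCL open fails with EEXIST even though the name is only a dangling-or-not symlink, and mkstemp() lands in a fresh 0600 file. run_argv() is what a fix would call with {"xbindkeys", "-f", path, NULL}; it never goes through /bin/sh, so the path is not subject to shell parsing.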
-- System Information:
Debian Release: 7.7
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16-0.bpo.2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8) (ignored: LC_ALL
set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash
Versions of packages xbindkeys-config depends on:
ii libatk1.0-0 2.4.0-2
ii libc6 2.13-38+deb7u6
ii libcairo2 1.12.2-3
ii libfontconfig1 2.9.0-7.1
ii libfreetype6 2.4.9-1.1
ii libglib2.0-0 2.33.12+really2.32.4-5
ii libgtk2.0-0 2.24.10-2
ii libpango1.0-0 1.30.0-1
ii xbindkeys 1.8.5-1
ii zlib1g 1:1.2.7.dfsg-13
xbindkeys-config recommends no packages.
xbindkeys-config suggests no packages.
-- no debconf information