> On May 12, 2015, 3:49 p.m., Jan Kundrát wrote:
> > Was the old code a part of some release? If yes, this should get a CVE
> > security announcement because it allows a local attacker to e.g. force you
> > to overwrite some of your user's files.
>
> Michael Palimaka wrote:
>     It looks like it was introduced in
>     999e774b3ce117598df2029364bd10f4347be81c and released in 0.2.0 and later.
>
> Frank Reininghaus wrote:
>     Could you elaborate on how such an attack would work? Even if we ignore
>     that the code in question is part of an autotest which is probably never
>     installed anywhere, such that systems of packagers, developers and users who
>     build from source are the only possible targets, I really don't see how an
>     attacker could use the code to cause any unintended damage. Anyone who runs
>     the test regularly creates and deletes the file /tmp/kpeople_test_db already,
>     so what other damage could a local attacker cause?
I didn't realize that it's in autotests -- I apparently noticed just the basename of that file, observed that there's no "test" in what I saw, and concluded that it's exploitable. You're right that if it's unpackaged, then issuing a CVE doesn't make sense.

On the other hand, if this wasn't in an autotest but instead a part of regular operation, something simple such as `ln -s .ssh/id_rsa /tmp/kpeople_test_db` by an attacker would cause any app using this library to remove user's vital file.

Sorry for noise.

- Jan


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/123724/#review80247
-----------------------------------------------------------


On May 12, 2015, 12:49 p.m., Michael Palimaka wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://git.reviewboard.kde.org/r/123724/
> -----------------------------------------------------------
>
> (Updated May 12, 2015, 12:49 p.m.)
>
>
> Review request for KDE Frameworks and KDEPIM.
>
>
> Repository: kpeople
>
>
> Description
> -------
>
> Hardcoding files like this seems like a bad idea.
>
>
> Diffs
> -----
>
>   autotests/persondatatests.h 30eeeb5cd647c713f1b438543a54516ced9f3ede
>   autotests/persondatatests.cpp 73098d3717509ad80761bbd02000b4ce5060bbb2
>   autotests/personsmodeltest.h 5b8879521f334459c4f73c2708b3368c543e40a3
>   autotests/personsmodeltest.cpp b19d1baf8a2c2e617d4b6128df29fbab3b8e61a7
>
> Diff: https://git.reviewboard.kde.org/r/123724/diff/
>
>
> Testing
> -------
>
> Tests still pass.
>
>
> Thanks,
>
> Michael Palimaka
>
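The point the thread circles around is that a fixed, predictable path in a shared directory such as `/tmp` lets any other local user pre-create an entry there, and code that then blindly creates, truncates or deletes that path acts on whatever was planted. The following is an added example, not kpeople's own code and not what the review's diff does: it uses plain POSIX calls rather than Qt, all names in it (`makeScratchDir`, `openDbExclusive`, `isOwnedRegularFile`, the `kpeople_test_XXXXXX` prefix) are hypothetical, and the "decoy" file and symlink are a constructed scenario built inside a private scratch directory so the demo runs offline and cleans up after itself.

```cpp
// Added example (hypothetical names, not kpeople code). Contrasts a fixed
// /tmp path with two defensive alternatives: a per-run private directory from
// mkdtemp(3), and file creation with O_EXCL|O_NOFOLLOW so that an entry
// already present at the path (including a symlink) is refused, not followed.
#include <cerrno>
#include <cstdlib>
#include <fstream>
#include <sstream>
#include <string>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

// Creates a private 0700 directory with an unpredictable name under $TMPDIR
// (or /tmp). Returns "" on failure. This replaces a hardcoded path entirely.
std::string makeScratchDir() {
    const char *base = std::getenv("TMPDIR");
    std::string buf = std::string(base && *base ? base : "/tmp") + "/kpeople_test_XXXXXX";
    if (!mkdtemp(&buf[0])) return "";   // mkdtemp rewrites the XXXXXX in place
    return buf;
}

// Opens `path` for writing only if nothing exists there yet. O_EXCL makes the
// create fail on any existing entry (POSIX: EEXIST even for a symlink), and
// O_NOFOLLOW refuses to traverse a symlink at the final component.
// Returns the fd, or -1 with errno set.
int openDbExclusive(const std::string &path) {
    return open(path.c_str(), O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

// Before reusing or deleting an existing scratch file, inspect it with
// lstat(2), which does not follow links, and accept only a regular file we own.
bool isOwnedRegularFile(const std::string &path) {
    struct stat st;
    if (lstat(path.c_str(), &st) != 0) return false;
    return S_ISREG(st.st_mode) && st.st_uid == getuid();
}

static std::string readAll(const std::string &p) {
    std::ifstream in(p);
    std::stringstream ss;
    ss << in.rdbuf();
    return ss.str();
}

struct DemoResult {
    bool symlinkRefused;     // exclusive open at the planted symlink failed
    bool decoyIntact;        // the file the symlink pointed at was not truncated
    bool freshPathCreated;   // exclusive open at an unused name succeeded
    bool regularFileChecked; // lstat check accepts the real file, rejects the link
};

// Constructed scenario: inside a private scratch dir, "decoy" stands in for a
// valuable user file and "db" is a symlink pointing at it, i.e. the state a
// fixed, world-writable path could be found in when the code runs.
DemoResult runDemo() {
    DemoResult r{false, false, false, false};
    std::string dir = makeScratchDir();
    if (dir.empty()) return r;
    std::string decoy = dir + "/decoy", link = dir + "/db", fresh = dir + "/db2";
    {
        std::ofstream out(decoy);
        out << "precious user data\n";
    }
    if (symlink(decoy.c_str(), link.c_str()) != 0) return r;

    int fd = openDbExclusive(link);            // must fail: an entry is already there
    r.symlinkRefused = (fd == -1 && (errno == EEXIST || errno == ELOOP));
    if (fd >= 0) close(fd);
    r.decoyIntact = (readAll(decoy) == "precious user data\n");

    fd = openDbExclusive(fresh);               // unused name: succeeds
    r.freshPathCreated = (fd >= 0);
    if (fd >= 0) close(fd);

    r.regularFileChecked = isOwnedRegularFile(decoy) && !isOwnedRegularFile(link);

    unlink(fresh.c_str());
    unlink(link.c_str());
    unlink(decoy.c_str());
    rmdir(dir.c_str());
    return r;
}

bool demoPasses() {
    DemoResult r = runDemo();
    return r.symlinkRefused && r.decoyIntact && r.freshPathCreated && r.regularFileChecked;
}

int main() { return demoPasses() ? 0 : 1; }
```

In a Qt-based test the same effect is obtained with `QTemporaryDir` or `QTemporaryFile`, which create the entry atomically with a randomized name; the general rule either way is that nothing under a shared directory should be opened, truncated or removed by a name that another user could have created first.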
_______________________________________________
Kde-frameworks-devel mailing list
Kde-frameworks-devel@kde.org
https://mail.kde.org/mailman/listinfo/kde-frameworks-devel