Source: tuxpaint
Version: 1:0.9.23-1
Severity: important
Tags: security

tuxpaint runs "HOME=/tmp kbuildsycoca5" during build. I'm not exactly sure what this does, but I see a number of issues with doing so:

* kbuildsycoca5 reads /tmp/.config/QtProject/qtlogging.ini. I'm not sure whether that can be turned into a privilege escalation.
* kbuildsycoca5 reads various locales from /tmp. Again I'm not sure whether malicious locales could be used to take over the process.
* kbuildsycoca5 tries to create a directory /tmp/.cache. If that location is occupied with a regular file, the build fails (FTBFS).
* kbuildsycoca5 reads /tmp/.config/kbuildsycoca5rc.

This looks like plenty of surface and the chances that this code is fully covered against that scenario are dim. It seems very likely that a privilege escalation is underneath. Using HOME=/tmp looks like a recipe for disaster.

I question the need to call this at all during a package build. kbuildsycoca5 is meant to modify a per-user cache, but that cache is not installed into the binary package. Possibly removing the command is the simplest fix.

Helmut
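
The following is an added example, not part of the report or of the tuxpaint packaging: a shell check a packager could run over a directory a build uses as HOME, covering the three paths the report names. The function names `audit_home` and `private_home` are hypothetical, and using a private `mktemp -d` directory as HOME is an assumption shown as an alternative to the report's suggested fix of removing the call.

```shell
#!/bin/sh
# Paths the report says kbuildsycoca5 touches, relative to $HOME.
HOME_PATHS=".config/QtProject/qtlogging.ini .config/kbuildsycoca5rc .cache"

# audit_home DIR: print one finding per line, return 1 if there is any.
audit_home() {
    dir=$1
    findings=0
    # World-writable HOME: other local users can create the files below.
    case "$(ls -ld "$dir")" in
        ????????w*) echo "world-writable: $dir"; findings=1 ;;
    esac
    for p in $HOME_PATHS; do
        if [ -e "$dir/$p" ] || [ -L "$dir/$p" ]; then
            echo "pre-existing: $dir/$p"; findings=1
        fi
    done
    # The FTBFS case from the report: .cache exists but is not a directory.
    if [ -e "$dir/.cache" ] && [ ! -d "$dir/.cache" ]; then
        echo "blocks mkdir: $dir/.cache"; findings=1
    fi
    return $findings
}

# private_home: create an empty directory, mode 0700, to use as HOME.
# (Assumption: the build step is kept and only its HOME is changed.)
private_home() {
    mktemp -d "${TMPDIR:-/tmp}/build-home.XXXXXX"
}

# Constructed demo: a sandbox directory standing in for a shared /tmp.
demo=$(mktemp -d)
chmod 1777 "$demo"
: > "$demo/.cache"                       # regular file where a dir is expected
mkdir -p "$demo/.config"
: > "$demo/.config/kbuildsycoca5rc"      # config the build would read
echo "shared HOME:";  audit_home "$demo" || true
safe=$(private_home)
echo "private HOME:"; audit_home "$safe" && echo "no findings"
rm -rf "$demo" "$safe"
```
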