Bug#915859: [Pkg-privacy-maintainers] Bug#915859: uses a fixed filename in /tmp
Hi! Salvatore Bonaccorso: > So it will additionally allow potentially denial of service on > multi-user systems. > > Not sure if the grave severity is warranted, though, will leave this > discussion to you both :) Ack, grave sounds a bit grave. > For tracking the issue, I have requested a CVE from MITRE, which got > assigned CVE-2018-19960. Thank you. I've asked upstream to fix it yesterday, and they did. So I'll upload a newer version of onionshare a bit later this week (probably not today though). Cheers! u.
Bug#915859: [Pkg-privacy-maintainers] Bug#915859: uses a fixed filename in /tmp
Conrol: retitle -1 onionshare: CVE-2018-19960: uses a fixed filename in /tmp Hi, So it will additionally allow potentially denial of service on multi-user systems. Not sure if the grave severity is warranted, though, will leave this discussion to you both :) For tracking the issue, I have requested a CVE from MITRE, which got assigned CVE-2018-19960. Regards, Salvatore
Bug#915859: [Pkg-privacy-maintainers] Bug#915859: uses a fixed filename in /tmp
On Fri, 07 Dec 2018, intrigeri wrote: > Hi, > > Peter Palfrader: > > onionshare uses /tmp/onionshare_server.log as a logfile with --debug. > > Good catch! > > While that code obviously conflicts with basic secure programming best > practices, it seems to me that the default settings of the > fs.protected_symlinks and fs.protected_hardlinks sysctls protect > Debian users against exploitation, so I find RC severity hard to > justify given this only affects users who manually pass --debug under > a non-default sysctl/kernel configuration. > > In any case, this should be fixed :) In addition to the security issues of bad tempfile handling, it causes onionshare to break for me as on this system several users run onionshare. -- | .''`. ** Debian ** Peter Palfrader | : :' : The universal https://www.palfrader.org/ | `. `' Operating System | `-https://www.debian.org/
Bug#915859: [Pkg-privacy-maintainers] Bug#915859: uses a fixed filename in /tmp
Hi, Peter Palfrader: > onionshare uses /tmp/onionshare_server.log as a logfile with --debug. Good catch! While that code obviously conflicts with basic secure programming best practices, it seems to me that the default settings of the fs.protected_symlinks and fs.protected_hardlinks sysctls protect Debian users against exploitation, so I find RC severity hard to justify given this only affects users who manually pass --debug under a non-default sysctl/kernel configuration. In any case, this should be fixed :) Cheers, -- intrigeri