*** This bug is a security vulnerability ***
You have been subscribed to a public security bug by Marc Deslauriers
(mdeslaur):
compiz-fusion-plugins-extra includes a "crash handler" plugin - the source of
this program can be found at src/crashhandler/crashhandler.c. In the source
file, the function crash_handler() executes some debugging commands after
compiz crashes (I sent it a SIGABRT as a test :) ). It performs some debugging
before dumping the output to /tmp/gdb.tmp (which gets deleted) and placing it
into the configured crash directory (which by default is /tmp). In both cases
the program does not verify whether the files already exist or are symbolic
links.

Note: A user would need to have compiz-fusion-plugins-extra installed and the
crash-handler plugin enabled.

The vulnerable code is the following:

    // backtrace
    char cmd[1024];
    snprintf (cmd, 1024,
              "echo -e \"set prompt\nthread apply all bt full\n"
              "echo \\\\\\n\necho \\\\\\n\nbt\nquit\" > /tmp/gdb.tmp;"
              "gdb -q %s %i < /tmp/gdb.tmp | "
              "grep -v \"No symbol table\" | "
              "tee %s/compiz_crash-%i.out; rm -f /tmp/gdb.tmp; "
              "echo \"\n[CRASH_HANDLER]: "
              "\\\"%s/compiz_crash-%i.out\\\" created!\n\"",
              programName, getpid (), crashhandlerGetDirectory (cDisplay),
              getpid (), crashhandlerGetDirectory (cDisplay), getpid () );
    system (cmd);

** Affects: compiz-plugins-extra (Ubuntu)
Importance: Undecided
Status: New
--
compiz-fusion-plugins-extra includes a "crash handler" plugin
https://bugs.launchpad.net/bugs/835525
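
Added example, not part of the original report or of the compiz source: one way to create the two files the report names so that an existing file or symbolic link is refused rather than written through. The helper names, the scratch paths and the PID 4242 are assumptions made for illustration; the gdb command list mirrors the one in the reported snippet.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper: create the report without following a symlink or
 * reusing a file that another local user created first. */
int open_report_exclusive(const char *dir, int pid)
{
    char path[1024];
    int n = snprintf(path, sizeof path, "%s/compiz_crash-%i.out", dir, pid);
    if (n < 0 || (size_t)n >= sizeof path) { errno = ENAMETOOLONG; return -1; }
    /* O_CREAT|O_EXCL fails with EEXIST if the name exists, symlinks included. */
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* Hypothetical helper: gdb commands go in a mkstemp() file, not /tmp/gdb.tmp. */
int make_gdb_script(char *tmpl)
{
    static const char cmds[] =
        "set prompt\nthread apply all bt full\necho \\n\necho \\n\nbt\nquit\n";
    int fd = mkstemp(tmpl);              /* exclusive create, mode 0600 */
    if (fd >= 0 && write(fd, cmds, sizeof cmds - 1) != (ssize_t)(sizeof cmds - 1)) {
        close(fd); unlink(tmpl); return -1;
    }
    return fd;
}

/* Constructed check: plant a symlink at the report name in a scratch
 * directory and confirm it is refused. Returns 1 on the expected outcome. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/crashdemo-XXXXXX", script[] = "/tmp/gdbcmd-XXXXXX", lnk[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(lnk, sizeof lnk, "%s/compiz_crash-%i.out", dir, 4242);
    if (symlink("/nonexistent/target", lnk) != 0) return 0;
    int refused = open_report_exclusive(dir, 4242) == -1 && errno == EEXIST;
    unlink(lnk);
    int fd = open_report_exclusive(dir, 4242);   /* clean name: succeeds */
    int sfd = make_gdb_script(script);
    int ok = refused && fd >= 0 && sfd >= 0;
    if (fd >= 0) close(fd);
    if (sfd >= 0) { close(sfd); unlink(script); }
    unlink(lnk); rmdir(dir);
    return ok;
}
int main(void) { return demo_symlink_refused() ? 0 : 1; }
```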