Ubuntu
budgie-desktop package

Screenshot could allow image data to be accessible to multiple users

  1. Lunar (23.04)
  2. Bug #2040045
Bug #2040045 reported by fossfreedom
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
budgie-desktop (Ubuntu)
Status tracked in Noble
Lunar
Incomplete
High
fossfreedom
Mantic
Incomplete
High
fossfreedom
Noble
Fix Released
High
fossfreedom

Bug Description

[ Impact ]

 * Analysis by upstream for budgie-desktop has noted that the use of /tmp to pass screenshot images between the server and client dbus elements of budgie-desktop could allow another user sharing the same machine to access the temporary image that was captured on another users session.

This has been resolved by not using an accessible folder location such as /tmp to pass data. Instead a user-space location is used which is not accessible to other users.

Upstream have resolved this in their v10.8.2 release. This issue is suitable to be backported to supported Ubuntu releases that incorporate this screenshot capability

[ Test Plan ]

 * Since this issue has now switched the stored location to user-space the test plan needs to:
a) ensure the existing screenshot capability works as expected;
b) verify that /tmp is NOT being used and that the transitory files are being written to the user-space locations i.e. $XDG_RUNTIME_DIR or $HOME are being used instead.

Use the following notify script (save as ~/notifydir.sh and chmod +x ~/notifydir.sh) to watch a folder - run it in three tilix sessions:

#!/bin/bash

monitor_path="$1"

inotifywait -m "$monitor_path" -e create -e moved_to |
    while read path action file; do
        echo "The file '$file' appeared in directory '$path' via '$action'"
        ls -la "$path/$file"
    done

i.e. in session 1 run ~/notifydir.sh /tmp
in session 2 run ~/notifydir.sh $XDG_RUNTIME
in session 3 run ~/notifydir.sh $HOME

 1. From the menu launch budgie-screenshot and take a screenshot of the screen
 2. Save the image and open the image via nemo - double clicking the image will open in a picture editor such as gthumb
 3. Repeat for taking a picture of a window and and area.
 4. Repeat the whole screen screenshot by pressing the keyboard printscreen key

For all of the above examine the tilix sessions. Session 1 should not show temporary screenshot files being written in /tmp (format .budgiescreenshot_tempfile). Note you will see other temporary files for the operating system in general but that should be expected

Session 2 for UB should show screenshot files being written (format .budgiescreenshot_tempfile).

Session 3 for UB should not show any screenshot files being written (format .budgiescreenshot_tempfile). This is as expected because UB should not normally use the fallback folder.

[ Where problems could occur ]

 * The issue is specific to budgie-desktop users only and is limited to one specific capability of budgie i.e. its screenshot capability.
 * If the user space locations - XDG_RUNTIME_DIR or HOME do not exist then the screenshot capability will not capture the image. It is considered that it is highly unlikely that a budgie-desktop user will be attempting to run a session without a HOME folder location i.e. the ultimately fallback screenshot requires.

[ Other Info ]

 * None.

See original description
fossfreedom (fossfreedom)
Changed in budgie-desktop (Ubuntu Lunar):
importance: Undecided → High
Changed in budgie-desktop (Ubuntu Mantic):
importance: Undecided → High
Changed in budgie-desktop (Ubuntu Lunar):
assignee: nobody → fossfreedom (fossfreedom)
Changed in budgie-desktop (Ubuntu Mantic):
assignee: nobody → fossfreedom (fossfreedom)
fossfreedom (fossfreedom)
description: updated
information type: Private Security → Public
fossfreedom (fossfreedom)
description: updated
summary: - Screenshot could propagate arbitary image data between multiple users
+ Screenshot could allow image data to be accessible to multiple users
fossfreedom (fossfreedom)
Changed in budgie-desktop (Ubuntu Lunar):
status: New → In Progress
Changed in budgie-desktop (Ubuntu Mantic):
status: New → In Progress
Revision history for this message
Steve Langasek (vorlon) wrote :

This needs an upload for noble before it can be accepted as SRU.

fossfreedom (fossfreedom)
Changed in budgie-desktop (Ubuntu Noble):
status: In Progress → Fix Committed
Revision history for this message
fossfreedom (fossfreedom) wrote :

@vorlon - noble has been updated. thx.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package budgie-desktop - 10.8-2ubuntu4

---------------
budgie-desktop (10.8-2ubuntu4) noble; urgency=medium

  * Bug-fix
    - Use user-space location to pass screenshot data in a user session
      (LP: #2040045)

 -- David Mohammed <email address hidden> Tue, 07 Nov 2023 18:27:06 +0000

Changed in budgie-desktop (Ubuntu Noble):
status: Fix Committed → Fix Released
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Hi,

thanks for this fix.

I don't think the [Test Plan] is enough to verify the fix, however. The screenshot functionality would still be working even if the fix wasn't applied.

You need to verify that /tmp is no longer being used, and that $XDG_RUNTIME_DIR or $HOME are used instead.

Here are some suggestions:
- if the screenshot file stays around for a while, you can verify that it's not in /tmp but find it in $XDG_RUNTIME_DIR or $HOME
- if the temporary file is quickly deleted, maybe you can use opensnoop.bt (from bpftrace) or an inotify mechanism to catch it being created and thus prove where it is being created from now on. A notify script I used a while ago to watch a directory:

#!/bin/bash

monitor_path="$1"

inotifywait -m "$monitor_path" -e create -e moved_to |
    while read path action file; do
        echo "The file '$file' appeared in directory '$path' via '$action'"
        ls -la "$path/$file"
    done

Changed in budgie-desktop (Ubuntu Mantic):
status: In Progress → Incomplete
Changed in budgie-desktop (Ubuntu Lunar):
status: In Progress → Incomplete
fossfreedom (fossfreedom)
description: updated
Andreas Hasenack (ahasenack)
description: updated
Revision history for this message
Andreas Hasenack (ahasenack) wrote (last edit ):

I just checked and in the not-fixed case, the screenshot is saved in /tmp with:
- permissions 0664 (world readable)
- fixed name:

-rw-rw-r-- 1 ubuntu ubuntu 0 Nov 16 14:00 /tmp//ubuntu_budgiescreenshot_tempfile

This is susceptible to a symlink attack. To test, I created a symlink pointing at ~/.bashrc:

ubuntu@budgie:~$ ln -s /home/ubuntu/.bashrc /tmp/ubuntu_budgiescreenshot_tempfile
ubuntu@budgie:~$ ls -la /tmp/ubuntu_budgiescreenshot_tempfile
lrwxrwxrwx 1 ubuntu ubuntu 20 Nov 16 14:07 /tmp/ubuntu_budgiescreenshot_tempfile -> /home/ubuntu/.bashrc
ubuntu@budgie:~$ ls -la /home/ubuntu/.bashrc
-rw-r--r-- 1 ubuntu ubuntu 3830 Apr 11 2023 /home/ubuntu/.bashrc

Then I took a screenshot, and ~/.bashrc was replaced by the screenshot:
buntu@budgie:~$ ls -la /tmp/ubuntu_budgiescreenshot_tempfile /home/ubuntu/.bashrc
ls: cannot access '/tmp/ubuntu_budgiescreenshot_tempfile': No such file or directory
-rw-r--r-- 1 ubuntu ubuntu 256274 Nov 16 14:08 /home/ubuntu/.bashrc
ubuntu@budgie:~$ file /home/ubuntu/.bashrc
/home/ubuntu/.bashrc: PNG image data, 1920 x 1043, 8-bit/color RGBA, non-interlaced

@ubuntu-security, should this become a security update? Due to:
a) predictable filename in a world-writable directory
b) world-readable screenshot
c) follow-symlink

Note that the fix proposed here only changes the location of the file to not be in /tmp. It will be, in order, XDG_RUNTIME_DIR, and then HOME as a fallback.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.