Ubuntu
ubuntu-ui-toolkit package

StateSaver serializes potentially sensitive data under /tmp, doesn’t use O_EXCL

  1. Trusty (14.04)
  2. Bug #1348241
Bug #1348241 reported by Olivier Tilloy
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Ubuntu UI Toolkit
Fix Released
Critical
Zsombor Egri
ubuntu-ui-toolkit (Ubuntu)
Fix Released
Undecided
Unassigned
Trusty
Confirmed
Low
Unassigned
Utopic
Fix Released
Undecided
Unassigned
Vivid
New
Undecided
Unassigned

Bug Description

This issue applies to desktop only, where StateSaver serializes data in files under /tmp. On devices, confined applications have their own TMPDIR, which makes it a non-issue, as far as I understand it.

StateSaver uses QSettings under the hood to persist data on disk, which issues a plain QFile::open(QFile::ReadWrite) call to open the file, which does not set the O_EXCL flag.

This makes it vulnerable to symlink attacks.

Using QTemporaryFile would solve this issue, but it might not be easy to do with QSettings.

See original description
Tags: statesaver

Related branches

lp://qastaging/~zsombi/ubuntu-ui-toolkit/statesaver-path
PS Jenkins bot: Approve (continuous-integration)
Cris Dywan: Approve
Diff: 24 lines (+2/-2)
2 files modified
modules/Ubuntu/Components/plugin/statesaverbackend_p.cpp (+1/-1)
tests/unit_x11/tst_statesaver/tst_statesaver.cpp (+1/-1)

CVE References

Olivier Tilloy (osomon)
description: updated
Zsombor Egri (zsombi)
Changed in ubuntu-ui-toolkit:
assignee: nobody → Zsombor Egri (zsombi)
tags: added: statesaver
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

from modules/Ubuntu/Components/plugin/statesaverbackend_p.cpp:

    m_archive = new QSettings(QString("%1/%2.state")
                              .arg(QStandardPaths::standardLocations(QStandardPaths::TempLocation)[0])
                              .arg(applicationName), QSettings::NativeFormat);

QStandardPaths::TempLocation is /tmp by default.

This gets CVE-2014-1420

Changed in ubuntu-ui-toolkit (Ubuntu Trusty):
status: New → Confirmed
Changed in ubuntu-ui-toolkit (Ubuntu Utopic):
status: New → Confirmed
Revision history for this message
Zsombor Egri (zsombi) wrote :

Yes, the temp folder has been used until we get a proper path for it. Seems we can use XDG_RUNTIME_DIR i.e. QStandardPaths::RuntimeLocation for it as it will be cleared on reboot same way as /tmp is.

Revision history for this message
Zsombor Egri (zsombi) wrote :

I'm afraid we are not gonna be able to fix this for Trusty, only for Utopic. We have been asked not to back port toolkit to Trusty.

Changed in ubuntu-ui-toolkit:
importance: Undecided → Critical
status: New → Confirmed
Changed in ubuntu-ui-toolkit (Ubuntu Trusty):
status: Confirmed → Invalid
Revision history for this message
Olivier Tilloy (osomon) wrote :

Then the status should probably be "Won’t Fix", not "Invalid".

Revision history for this message
Zsombor Egri (zsombi) wrote :

I'm sorry, Olivier, I cannot set it to "Won't fix". It doesn't let me do that.

David Planella (dpm)
Changed in ubuntu-ui-toolkit (Ubuntu Trusty):
status: Invalid → Won't Fix
Zsombor Egri (zsombi)
Changed in ubuntu-ui-toolkit:
status: Confirmed → In Progress
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Not fixing this for trusty is not an option. This package is in the main pocket, which means it is officially supported for the life of the LTS release, including security updates.

If someone can confirm that the fix in the merge request above also applies to Trusty, the security team can push out the fix.

Changed in ubuntu-ui-toolkit (Ubuntu Trusty):
status: Won't Fix → Confirmed
Revision history for this message
PS Jenkins bot (ps-jenkins) wrote :

Fix committed into lp:~ubuntu-sdk-team/ubuntu-ui-toolkit/staging at revision None, scheduled for release in ubuntu-ui-toolkit, milestone Unknown

Changed in ubuntu-ui-toolkit:
status: In Progress → Fix Committed
Revision history for this message
Zsombor Egri (zsombi) wrote :

Marc, as you said, Trusty has this, and therefore the fix also applies to Trusty too.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

This was fixed in ubuntu-ui-toolkit (1.1.1188+14.10.20140813.4-0ubuntu1)
by http://bazaar.launchpad.net/~ubuntu-sdk-team/ubuntu-ui-toolkit/staging/revision/1182

information type: Private Security → Public Security
Changed in ubuntu-ui-toolkit (Ubuntu Utopic):
status: Confirmed → Fix Released
Changed in ubuntu-ui-toolkit (Ubuntu Trusty):
importance: Undecided → Low
Zoltan Balogh (bzoltan)
Changed in ubuntu-ui-toolkit:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.