
touch-packages team mailing list archive

[Bug 1348241] Re: StateSaver serializes potentially sensitive data under /tmp, doesn’t use O_EXCL


This was fixed in ubuntu-ui-toolkit (1.1.1188+14.10.20140813.4-0ubuntu1)
by http://bazaar.launchpad.net/~ubuntu-sdk-team/ubuntu-ui-toolkit/staging/revision/1182

** Information type changed from Private Security to Public Security

** Changed in: ubuntu-ui-toolkit (Ubuntu Utopic)
       Status: Confirmed => Fix Released

** Changed in: ubuntu-ui-toolkit (Ubuntu Trusty)
   Importance: Undecided => Low

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ubuntu-ui-toolkit in
Ubuntu.
https://bugs.launchpad.net/bugs/1348241

Title:
  StateSaver serializes potentially sensitive data under /tmp, doesn’t
  use O_EXCL

Status in Ubuntu UI Toolkit:
  Fix Committed
Status in “ubuntu-ui-toolkit” package in Ubuntu:
  Fix Released
Status in “ubuntu-ui-toolkit” source package in Trusty:
  Confirmed
Status in “ubuntu-ui-toolkit” source package in Utopic:
  Fix Released

Bug description:
  This issue applies to desktop only, where StateSaver serializes data
  in files under /tmp. On devices, confined applications have their own
  TMPDIR, which makes it a non-issue, as far as I understand it.

  StateSaver uses QSettings under the hood to persist data on disk,
  which issues a plain QFile::open(QFile::ReadWrite) call to open the
  file, which does not set the O_EXCL flag.

  This makes it vulnerable to symlink attacks.

  Using QTemporaryFile would solve this issue, but it might not be easy
  to do with QSettings.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-ui-toolkit/+bug/1348241/+subscriptions
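Added example, not code from ubuntu-ui-toolkit or Qt: a plain POSIX C sketch of what the O_EXCL-style fix the report asks for buys you. It creates the state file with mkstemp() (O_CREAT|O_EXCL under the hood, as QTemporaryFile does) and renames it into place, then checks that an O_EXCL open refuses a pre-planted symlink instead of following it. The directory, file names and `x=1` payload are constructed; it assumes a writable /tmp.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Write `data` to dir/name without opening a pre-existing path: mkstemp() uses
   O_CREAT|O_EXCL (mode 0600), so a planted file or symlink is never opened or
   followed, and rename() swaps the result into place atomically. 0 on success. */
int save_state_atomic(const char *dir, const char *name, const char *data)
{
    char tmp[4096], dest[4096];
    snprintf(tmp, sizeof tmp, "%s/.%s.XXXXXX", dir, name);
    snprintf(dest, sizeof dest, "%s/%s", dir, name);
    int fd = mkstemp(tmp);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    if (close(fd) != 0 || n != (ssize_t)strlen(data) || rename(tmp, dest) != 0) {
        unlink(tmp);
        return -1;
    }
    return 0;
}

/* Plant a symlink at dir/name (constructed stand-in for an attacker's link) and check
   that O_CREAT|O_EXCL|O_NOFOLLOW refuses it with EEXIST. 1 = refused, 0 = opened. */
int excl_open_refuses_symlink(const char *dir, const char *name)
{
    char link[4096];
    snprintf(link, sizeof link, "%s/%s", dir, name);
    if (symlink("/dev/null", link) != 0) return -1;
    int fd = open(link, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    int refused = (fd < 0 && errno == EEXIST);
    if (fd >= 0) close(fd);
    unlink(link);
    return refused;
}

/* Run both checks in a fresh private 0700 directory; returns 0 when both are safe. */
int run_demo(void)
{
    char dir[] = "/tmp/statesaver-demo.XXXXXX";
    if (!mkdtemp(dir)) return -1;
    int ok = save_state_atomic(dir, "state.conf", "x=1\n") == 0
          && excl_open_refuses_symlink(dir, "evil.conf") == 1;
    return ok ? 0 : 1;
}
int main(void) { printf("safe: %s\n", run_demo() == 0 ? "yes" : "no"); return 0; }
```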