Review Request 123724: Use QTemporaryFile instead of hardcoding /tmp.

Jan Kundrát jkt at kde.org
Tue May 12 19:33:14 UTC 2015 


> On May 12, 2015, 3:49 p.m., Jan Kundrát wrote:
> > Was the old code a part of some release? If yes, this should get a CVE security announcement because it allows a local attacker to e.g. force you to overwirte some of your user's files.
> 
> Michael Palimaka wrote:
>     It looks like it was introduced in 999e774b3ce117598df2029364bd10f4347be81c and released in 0.2.0 and later.
> 
> Frank Reininghaus wrote:
>     Could you elaborate on how such an attack would work? Even if we ignore that the code in question is part of an autotest which is probably never installed anywhere, such that systems of packagers, developers and users who build from source are the only possible targets, I really don't see how an attacker could use the code to cause any unintended damage. Anyone who runs the test regularly creates and deletes the file /tmp/kpeople_test_db already, so what other damage could a local attacker cause?

I didn't realize that it's in autotests -- I apparently noticed just the basename of that file, observed that there's no "test" in what I saw, and concluded that it's exploitable. You're right that if it's unpackaged, then issuing a CVE doesn't make sense.

On the other hand, if this wasn't in an autotest but instead a part of regular operation, something simple such as `ln -s .ssh/id_rsa /tmp/kpeople_test_db` by an attacker would cause any app using this library to remove user's vital file.

Sorry for noise.


- Jan


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/123724/#review80247
-----------------------------------------------------------


On May 12, 2015, 12:49 p.m., Michael Palimaka wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://git.reviewboard.kde.org/r/123724/
> -----------------------------------------------------------
> 
> (Updated May 12, 2015, 12:49 p.m.)
> 
> 
> Review request for KDE Frameworks and KDEPIM.
> 
> 
> Repository: kpeople
> 
> 
> Description
> -------
> 
> Hardcoding files like this seems like a bad idea.
> 
> 
> Diffs
> -----
> 
>   autotests/persondatatests.h 30eeeb5cd647c713f1b438543a54516ced9f3ede 
>   autotests/persondatatests.cpp 73098d3717509ad80761bbd02000b4ce5060bbb2 
>   autotests/personsmodeltest.h 5b8879521f334459c4f73c2708b3368c543e40a3 
>   autotests/personsmodeltest.cpp b19d1baf8a2c2e617d4b6128df29fbab3b8e61a7 
> 
> Diff: https://git.reviewboard.kde.org/r/123724/diff/
> 
> 
> Testing
> -------
> 
> Tests still pass.
> 
> 
> Thanks,
> 
> Michael Palimaka
> 
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/kde-frameworks-devel/attachments/20150512/b1fa8467/attachment.html>

More information about the Kde-frameworks-devel mailing list