Package: inkscape
Version: 0.92.3-7+b1
Severity: normal
when i use "File»Import Clip Art…", inkscape creates the following
tree of directories with fixed names:
0 dkg@alice:~$ find $TMPDIR/openclipart -ls
3043836 0 drwxr-xr-x 4 dkg dkg 80 Jan 16 10:33
/home/dkg/tmp/openclipart
3043838 0 drwxr-xr-x 2 dkg dkg 40 Jan 16 10:33
/home/dkg/tmp/openclipart/images
3043837 0 drwxr-xr-x 2 dkg dkg 40 Jan 16 10:33
/home/dkg/tmp/openclipart/thumbnails
0 dkg@alice:~$
if $TMPDIR is unset, this happens in the globally-fixed name /tmp/openclipart
I've tried having one user account ("attacker") create
/tmp/openclipart as a symlink to somewhere inside another user
("victim")'s home directory. when the victim user opens inkscape and
chooses "File»Import Clip Art…" it creates the arbitrarily-named
directories "images" and "thumbnails" on their behalf.
This abuse of fixed names in /tmp is a security issue.
--dkg
-- System Information:
Debian Release: buster/sid
APT prefers testing-debug
APT policy: (500, 'testing-debug'), (500, 'testing'), (200,
'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1,
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages inkscape depends on:
ii libaspell15 0.60.7~20110707-5
ii libatk1.0-0 2.30.0-2
ii libatkmm-1.6-1v5 2.28.0-2
ii libc6 2.28-5
ii libcairo2 1.16.0-2
ii libcairomm-1.0-1v5 1.12.2-4
ii libcdr-0.1-1 0.1.5-1
ii libdbus-1-3 1.12.12-1
ii libdbus-glib-1-2 0.110-3
ii libfontconfig1 2.13.1-2
ii libfreetype6 2.9.1-3
ii libgc1c2 1:7.6.4-0.4
ii libgcc1 1:8.2.0-14
ii libgdk-pixbuf2.0-0 2.38.0+dfsg-7
ii libglib2.0-0 2.58.2-3
ii libglibmm-2.4-1v5 2.58.0-2
ii libgomp1 8.2.0-14
ii libgsl23 2.5+dfsg-6
ii libgslcblas0 2.5+dfsg-6
ii libgtk2.0-0 2.24.32-3
ii libgtkmm-2.4-1v5 1:2.24.5-2
ii libgtkspell0 2.0.16-1.2
ii libjpeg62-turbo 1:1.5.2-2+b1
ii liblcms2-2 2.9-3
ii libmagick++-6.q16-8 8:6.9.10.23+dfsg-2
ii libmagickcore-6.q16-6 8:6.9.10.23+dfsg-2
ii libmagickwand-6.q16-6 8:6.9.10.23+dfsg-2
ii libpango-1.0-0 1.42.4-6
ii libpangocairo-1.0-0 1.42.4-6
ii libpangoft2-1.0-0 1.42.4-6
ii libpangomm-1.4-1v5 2.42.0-2
ii libpng16-16 1.6.36-2
ii libpoppler-glib8 0.71.0-2
ii libpoppler82 0.71.0-2
ii libpopt0 1.16-11
ii libpotrace0 1.15-1
ii librevenge-0.0-0 0.0.4-6
ii libsigc++-2.0-0v5 2.10.1-2
ii libstdc++6 8.2.0-14
ii libvisio-0.1-1 0.1.6-1+b2
ii libwpg-0.3-3 0.3.3-1
ii libx11-6 2:1.6.7-1
ii libxml2 2.9.4+dfsg1-7+b3
ii libxslt1.1 1.1.32-2
ii python 2.7.15-3
ii zlib1g 1:1.2.11.dfsg-1
Versions of packages inkscape recommends:
ii aspell 0.60.7~20110707-5
ii fig2dev [transfig] 1:3.2.7a-3
ii imagemagick 8:6.9.10.23+dfsg-2
ii imagemagick-6.q16 [imagemagick] 8:6.9.10.23+dfsg-2
pn libimage-magick-perl <none>
pn libwmf-bin <none>
ii python-lxml 4.2.5-1
ii python-numpy 1:1.16.0~rc2-2
pn python-scour <none>
Versions of packages inkscape suggests:
ii dia 0.97.3+git20160930-8.1
ii inkscape-tutorials 0.92.3-7
pn libsvg-perl <none>
pn libxml-xql-perl <none>
pn pstoedit <none>
pn python-uniconvertor <none>
ii ruby 1:2.5.1
-- no debconf information
