
Security issue with /tmp/tickeys.log and /tmp/tickeys_terminal_window_id

Open hartwork opened this issue 8 years ago • 4 comments

Hi there!

Using predictable paths in a world-writable directory like /tmp is a security risk, as other users can run soft- and hardlink attacks on us, for instance. Affected paths are:

  • /tmp/tickeys.log
  • /tmp/tickeys_terminal_window_id

As your use is not of classic tempfile nature, for a fix maybe use ${HOME}/.tickeys/..... instead.

For /tmp/ktexturecompress......... please use the tempfile module for mitigation, instead.

Thanks and best, Sebastian

hartwork avatar Aug 14 '16 20:08 hartwork

Hi, thank you for your advice, you are wrong, I will fix it in the next version:)

BillBillBillBill avatar Aug 15 '16 16:08 BillBillBillBill

Any news?

hartwork avatar Jan 21 '17 23:01 hartwork

already fixed:)

BillBillBillBill avatar Jan 22 '17 13:01 BillBillBillBill

It seems that the related commits are not contained in any release, yet. Please make a new release containing these fixes. Many thanks!

For the record, I found the mentioned fixes here:

  • /tmp/tickeys.log to ~/.tickeys/tickeys.log https://github.com/BillBillBillBill/Tickeys-linux/commit/807eb9fefd0013ded02675310eee0f7e53b71f05#diff-d79de8b43cb95c46454c797e0e693bdfR15
  • /tmp/tickeys_terminal_window_id to ~/.tickeys/tickeys_terminal_window_id https://github.com/BillBillBillBill/Tickeys-linux/commit/b31843c2b4500df2e89390850aeb0bcf6734879d#diff-0a3658c777763b6f4489189174780936R9

hartwork avatar Jan 22 '17 14:01 hartwork
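
The mitigation discussed in this thread (fixed-name files moved to a per-user `~/.tickeys` directory, real temp files created through the `tempfile` module), as an added example that is not part of the issue or of the Tickeys-linux code base. The helper names are hypothetical, and the link checks go beyond what the thread's commits are stated to do.

```python
import os
import stat
import tempfile

APP_DIR_NAME = ".tickeys"  # directory name from the issue; helper names are hypothetical


def private_app_dir(home=None):
    """Create (or validate) a per-user directory that only its owner can enter."""
    home = home or os.path.expanduser("~")
    path = os.path.join(home, APP_DIR_NAME)
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass
    st = os.lstat(path)  # lstat: do not follow a symlink planted at this path
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != os.getuid():
        raise PermissionError(f"{path} is not a directory owned by this user")
    if st.st_mode & 0o077:
        os.chmod(path, 0o700)  # drop group/other access left by an older layout
    return path


def open_state_file(directory, name):
    """Open a fixed-name file for appending, refusing symlinks and hardlinks."""
    path = os.path.join(directory, name)
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)  # OSError (ELOOP) if the path is a symlink
    st = os.fstat(fd)  # inspect the object actually opened, not the name
    if (not stat.S_ISREG(st.st_mode) or st.st_nlink != 1
            or st.st_uid != os.getuid()):
        os.close(fd)
        raise PermissionError(f"{path} is not a private regular file")
    return os.fdopen(fd, "a")


def scratch_file(prefix="tickeys-"):
    """Real temp file: unpredictable name, created with O_EXCL and mode 0600."""
    fd, path = tempfile.mkstemp(prefix=prefix)
    return os.fdopen(fd, "w+b"), path
```
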