Patch CVE-2023-43782: Use of Fixed Temporary File Path in /tmp/.cadence-aloop-daemon.x

Apply SuSE fix for CVE-2023-43782 (by Matthias Gerstner) 0001-cadence_aloop_daemon-place-lockfile-into-non-public-.patch https://bugzilla.suse.com/show_bug.cgi?id=1213983
2024-01-07 16:52:58 +02:00 · 2024-01-07 16:52:58 +02:00 · 5099c9152b
parent 556859c0af
commit 5099c9152b
3 changed files with 13 additions and 3 deletions
--- a/src/cadence.py
+++ b/src/cadence.py
@ -38,6 +38,7 @@ import ui_cadence_tb_alsa
 import ui_cadence_tb_a2j
 import ui_cadence_tb_pa
 import ui_cadence_rwait
+from shared import getDaemonLockfile
 from shared_cadence import *
 from shared_canvasjack import *
 from shared_settings import *
@ -1710,7 +1711,7 @@ class CadenceMainW(QMainWindow, ui_cadence.Ui_CadenceMainW):

    @pyqtSlot()
    def slot_AlsaBridgeStop(self):
-        checkFile = "/tmp/.cadence-aloop-daemon.x"
+        checkFile = self.getDaemonLockfile("cadence-aloop-daemon")
        if os.path.exists(checkFile):
            os.remove(checkFile)

--- a/src/cadence_aloop_daemon.py
+++ b/src/cadence_aloop_daemon.py
@ -33,6 +33,7 @@ else:
 # Imports (Custom Stuff)

 import jacklib
+from shared import getDaemonLockfile

 # --------------------------------------------------
 # Auto re-activate if on good kernel
@ -50,7 +51,7 @@ doRunNow  = True
 useZita   = False
 procIn    = QProcess()
 procOut   = QProcess()
-checkFile = "/tmp/.cadence-aloop-daemon.x"
+checkFile = getDaemonLockfile("cadence-aloop-daemon")

 # --------------------------------------------------
 # Global JACK variables
@ -161,7 +162,7 @@ if __name__ == '__main__':
    client = jacklib.client_open("cadence-aloop-daemon", jacklib.JackUseExactName, None)

    if not client:
-        print("cadence-aloop-daemon is already running, delete \"/tmp/.cadence-aloop-daemon.x\" to close it")
+        print("cadence-aloop-daemon is already running, delete \"{}\" to close it".format(checkFile))
        quit()

    if jacklib.JACK2:
--- a/src/shared.py
+++ b/src/shared.py
@ -312,3 +312,11 @@ def setIcons(self_, modes):
    if "misc" in modes:
        gGui.ui.act_quit.setIcon(getIcon("application-exit"))
        gGui.ui.act_configure.setIcon(getIcon("configure"))
+
+def getDaemonLockfile(base):
+    lockdir = os.environ.get("XDG_RUNTIME_DIR", None)
+    if not lockdir:
+        lockdir = os.path.expanduser("~")
+
+    return os.path.join(lockdir, "{}-lock".format(base))
+