Headline
Ubuntu Security Notice USN-6556-1
Ubuntu Security Notice 6556-1 - It was discovered that Budgie Extras incorrectly handled certain temporary file paths. An attacker could possibly use this issue to inject false information or deny access to the application. Matthias Gerstner discovered that Budgie Extras incorrectly handled certain temporary file paths. A local attacker could use this to inject arbitrary PNG data in this path and have it displayed on the victim’s desktop or deny access to the application.
==========================================================================
Ubuntu Security Notice USN-6556-1
December 14, 2023
budgie-extras vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 23.04
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in budgie-extras.
Software Description:
- budgie-extras: Applet to provide an alternative means to launch applications
Details:
It was discovered that Budgie Extras incorrectly handled certain temporary file paths.
An attacker could possibly use this issue to inject false information or deny
access to the application. (CVE-2023-49342, CVE-2023-49343, CVE-2023-49347)
Matthias Gerstner discovered that Budgie Extras incorrectly handled certain
temporary file paths. A local attacker could use this to inject arbitrary PNG
data in this path and have it displayed on the victim’s desktop or deny access
to the application. (CVE-2023-49344)
Matthias Gerstner discovered that Budgie Extras incorrectly handled certain
temporary file paths. A local attacker could use this to inject false information
or deny access to the application. (CVE-2023-49345, CVE-2023-49346)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
budgie-clockworks-applet 1.7.0-3.0ubuntu1
budgie-dropby-applet 1.7.0-3.0ubuntu1
budgie-previews 1.7.0-3.0ubuntu1
budgie-takeabreak-applet 1.7.0-3.0ubuntu1
budgie-weathershow-applet 1.7.0-3.0ubuntu1
Ubuntu 23.04:
budgie-clockworks-applet 1.6.0-1ubuntu0.1
budgie-dropby-applet 1.6.0-1ubuntu0.1
budgie-previews-applet 1.6.0-1ubuntu0.1
budgie-takeabreak-applet 1.6.0-1ubuntu0.1
budgie-weathershow-applet 1.6.0-1ubuntu0.1
Ubuntu 22.04 LTS:
budgie-clockworks-applet 1.4.0-1ubuntu3.1
budgie-dropby-applet 1.4.0-1ubuntu3.1
budgie-previews-applet 1.4.0-1ubuntu3.1
budgie-takeabreak-applet 1.4.0-1ubuntu3.1
budgie-weathershow-applet 1.4.0-1ubuntu3.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6556-1
CVE-2023-49342, CVE-2023-49343, CVE-2023-49344, CVE-2023-49345,
CVE-2023-49346, CVE-2023-49347
Package Information:
https://launchpad.net/ubuntu/+source/budgie-extras/1.7.0-3.0ubuntu1
https://launchpad.net/ubuntu/+source/budgie-extras/1.6.0-1ubuntu0.1
https://launchpad.net/ubuntu/+source/budgie-extras/1.4.0-1ubuntu3.1
Related news
Temporary data passed between application components by Budgie Extras Clockworks applet could potentially be viewed or manipulated. The data is stored in a location that is accessible to any user who has local access to the system. Attackers may pre-create and control this file to present false information to users or deny access to the application and panel.
Temporary data passed between application components by Budgie Extras Windows Previews could potentially be viewed or manipulated. The data is stored in a location that is accessible to any user who has local access to the system. Attackers may read private information from windows, present false information to users, or deny access to the application.
Temporary data passed between application components by Budgie Extras Windows Previews could potentially be viewed or manipulated. The data is stored in a location that is accessible to any user who has local access to the system. Attackers may read private information from windows, present false information to users, or deny access to the application.
Temporary data passed between application components by Budgie Extras Dropby applet could potentially be viewed or manipulated. The data is stored in a location that is accessible to any user who has local access to the system. Attackers may pre-create and control this file to present false information to users or deny access to the application and panel.
Temporary data passed between application components by Budgie Extras Windows Previews could potentially be viewed or manipulated. The data is stored in a location that is accessible to any user who has local access to the system. Attackers may read private information from windows, present false information to users, or deny access to the application.
Temporary data passed between application components by Budgie Extras Window Shuffler applet could potentially be viewed or manipulated. The data is stored in a location that is accessible to any user who has local access to the system. Attackers may pre-create and control this file to present false information to users or deny access to the application and panel.
Temporary data passed between application components by Budgie Extras Windows Previews could potentially be viewed or manipulated. The data is stored in a location that is accessible to any user who has local access to the system. Attackers may read private information from windows, present false information to users, or deny access to the application.
Temporary data passed between application components by Budgie Extras Takeabreak applet could potentially be viewed or manipulated. The data is stored in a location that is accessible to any user who has local access to the system. Attackers may pre-create and control this file to present false information to users or deny access to the application and panel.
Temporary data passed between application components by Budgie Extras Windows Previews could potentially be viewed or manipulated. The data is stored in a location that is accessible to any user who has local access to the system. Attackers may read private information from windows, present false information to users, or deny access to the application.
Temporary data passed between application components by Budgie Extras WeatherShow applet could potentially be viewed or manipulated. The data is stored in a location that is accessible to any user who has local access to the system. Attackers may pre-create and control this file to present false information to users or deny access to the application and panel.
Temporary data passed between application components by Budgie Extras Windows Previews could potentially be viewed or manipulated. The data is stored in a location that is accessible to any user who has local access to the system. Attackers may read private information from windows, present false information to users, or deny access to the application.