void-packages/srcpkgs/cadence/patches/CVE-2023-43782.patch


From 986a26147fa85fc3b2727a13c478b12994555e4a Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerstner@suse.de>
Date: Tue, 22 Aug 2023 14:06:40 +0200
Subject: [PATCH] cadence_aloop_daemon: place lockfile into non-public
directory
The fixed /tmp path for the lock / shutdown handling of the daemon is
problematic security-wise, since any other user on the system can block
this path. This also makes parallel instances for multiple user accounts
impossible.
Select a location in the user's /run directory or in its home directory
(as a fallback).
---
src/cadence.py | 3 ++-
src/cadence_aloop_daemon.py | 5 +++--
src/shared.py | 8 ++++++++
3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/cadence.py b/src/cadence.py
index 87a14a8..714e2d6 100755
--- a/src/cadence.py
+++ b/src/cadence.py
@@ -38,6 +38,7 @@ import ui_cadence_tb_alsa
import ui_cadence_tb_a2j
import ui_cadence_tb_pa
import ui_cadence_rwait
+from shared import getDaemonLockfile
from shared_cadence import *
from shared_canvasjack import *
from shared_settings import *
@@ -1710,7 +1711,7 @@ class CadenceMainW(QMainWindow, ui_cadence.Ui_CadenceMainW):
@pyqtSlot()
def slot_AlsaBridgeStop(self):
- checkFile = "/tmp/.cadence-aloop-daemon.x"
+ checkFile = self.getDaemonLockfile("cadence-aloop-daemon")
if os.path.exists(checkFile):
os.remove(checkFile)
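Review bot: In slot_AlsaBridgeStop the new line calls `self.getDaemonLockfile(...)`, but the first hunk imports `getDaemonLockfile` from `shared` as a module-level function, and src/shared.py defines it with a single `base` parameter. Unless CadenceMainW defines a method of that name outside this diff, the slot raises AttributeError before the lock file is removed, so the ALSA bridge cannot be stopped from the GUI. The line should read `checkFile = getDaemonLockfile("cadence-aloop-daemon")`. The `os.path.exists` / `os.remove` pair on the context lines can also race with the daemon's own cleanup; catching `FileNotFoundError` around `os.remove(checkFile)` would close that gap. The slot's body continues outside the hunk.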
diff --git a/src/cadence_aloop_daemon.py b/src/cadence_aloop_daemon.py
index c8408ef..b53f64d 100755
--- a/src/cadence_aloop_daemon.py
+++ b/src/cadence_aloop_daemon.py
@@ -33,6 +33,7 @@ else:
# Imports (Custom Stuff)
import jacklib
+from shared import getDaemonLockfile
# --------------------------------------------------
# Auto re-activate if on good kernel
@@ -50,7 +51,7 @@ doRunNow = True
useZita = False
procIn = QProcess()
procOut = QProcess()
-checkFile = "/tmp/.cadence-aloop-daemon.x"
+checkFile = getDaemonLockfile("cadence-aloop-daemon")
# --------------------------------------------------
# Global JACK variables
@@ -161,7 +162,7 @@ if __name__ == '__main__':
client = jacklib.client_open("cadence-aloop-daemon", jacklib.JackUseExactName, None)
if not client:
- print("cadence-aloop-daemon is already running, delete \"/tmp/.cadence-aloop-daemon.x\" to close it")
+ print("cadence-aloop-daemon is already running, delete \"{}\" to close it".format(checkFile))
quit()
if jacklib.JACK2:
diff --git a/src/shared.py b/src/shared.py
index 2df4d54..e65d292 100644
--- a/src/shared.py
+++ b/src/shared.py
@@ -312,3 +312,11 @@ def setIcons(self_, modes):
if "misc" in modes:
gGui.ui.act_quit.setIcon(getIcon("application-exit"))
gGui.ui.act_configure.setIcon(getIcon("configure"))
+
+def getDaemonLockfile(base):
+ lockdir = os.environ.get("XDG_RUNTIME_DIR", None)
+ if not lockdir:
+ lockdir = os.path.expanduser("~")
+
+ return os.path.join(lockdir, "{}-lock".format(base))
+
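Review bot: getDaemonLockfile takes XDG_RUNTIME_DIR straight from the environment and never checks that it names an existing directory owned by the calling user and closed to group and others. A stale or inherited value (for example after switching users without a fresh login session) would put the lock file back into a location another account controls, which is the condition this patch sets out to remove. Validating the directory and falling back to the home directory when the check fails keeps the guarantee. The function also lacks a docstring stating that the returned path is per-user and that the caller creates and removes the file. How the daemon creates the file is outside this diff, so exclusive creation should be confirmed there.
```python
def getDaemonLockfile(base):
    """Return the per-user lock file path for the daemon named *base*."""
    lockdir = os.environ.get("XDG_RUNTIME_DIR", None)
    if lockdir:
        try:
            st = os.stat(lockdir)
        except OSError:
            lockdir = None
        else:
            # Accept only a directory we own that no other user can enter or write.
            if (not os.path.isdir(lockdir) or st.st_uid != os.getuid()
                    or st.st_mode & 0o077):
                lockdir = None
    # ... unchanged: home-directory fallback and os.path.join return ...
```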
--
2.41.0