Unrated severity · NVD Advisory · Published Dec 14, 2023 · Updated May 21, 2025

CVE-2023-49345

Description

Temporary data passed between application components by Budgie Extras Takeabreak applet could potentially be viewed or manipulated. The data is stored in a location that is accessible to any user who has local access to the system. Attackers may pre-create and control this file to present false information to users or deny access to the application and panel.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Budgie Extras Takeabreak applet stores temporary data in a location accessible to any local user, enabling local attackers to manipulate displayed content or cause a denial of service.

Vulnerability

The Budgie Extras Takeabreak applet (part of the budgie-extras package) stores temporary data used between application components in a system location that is accessible to any user with local access to the host. The data file path is easily guessable, allowing an attacker to pre-create the file. This affects versions prior to 1.7.1 [1], [2].

Exploitation

An attacker with local access to the system can pre-create the temporary data file with arbitrary string content or a FIFO (named pipe). If the file is pre-created, the Takeabreak applet will read the attacker-controlled data instead of the intended data, displaying false information to the user. Placing a FIFO can cause the applet to hang or crash, leading to a denial of service. The applet runs in the same thread as the Budgie panel, so crashing the applet can crash the entire panel [2].

Impact

Successful exploitation allows a local attacker to either inject false information (e.g., display an incorrect "next time" message) or cause a denial of service by crashing the Budgie panel. No elevated privileges are required beyond local access [1], [2].

Mitigation

The vulnerability is fixed in budgie-extras version 1.7.1, released on 14 December 2023 [1], [2]. As a workaround, the risk is mitigated if only one user account exists on the system and physical access to the host is limited. No exploitation in the wild has been reported, and the CVE has no KEV listing.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
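
A defensive pattern for the pre-created file and FIFO cases described above, as an added example: it is not budgie-extras code and does not describe how 1.7.1 fixed the issue. The names `read_state_file`, `write_state_file` and `UnsafeStateFile` are hypothetical, and the code assumes a Linux host where the state file lives in a directory the user controls.

```python
import os
import stat
import tempfile


class UnsafeStateFile(Exception):
    """Raised when the state file is not a private regular file we own."""


def read_state_file(path, max_bytes=4096):
    """Read a small state file, refusing symlinks, FIFOs and foreign files."""
    # O_NOFOLLOW: fail if a symlink was planted at the final path component.
    # O_NONBLOCK: opening a FIFO with no writer returns at once, not hangs.
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK | os.O_CLOEXEC
    try:
        fd = os.open(path, flags)
    except OSError as exc:
        raise UnsafeStateFile(f"cannot open {path}: {exc.strerror}") from exc
    try:
        st = os.fstat(fd)  # inspect the object we opened, not the path
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeStateFile("not a regular file")
        if st.st_uid != os.getuid():
            raise UnsafeStateFile("owned by another user")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise UnsafeStateFile("writable by group or others")
        return os.read(fd, max_bytes).decode("utf-8", errors="replace")
    finally:
        os.close(fd)


def write_state_file(path, text):
    """Write the state file via a fresh 0600 temp file and an atomic rename."""
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory)  # created with O_EXCL, mode 0600
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as handle:
            handle.write(text)
        # In a sticky directory such as /tmp this raises if another user
        # already owns the target, so a pre-created file is never reused.
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
```

The reader treats any rejection as "no data" rather than blocking, which matters when the caller shares a thread with the panel.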
