Bug 18221

Summary: appstream-builder can overwrite user directories
Product: Mageia
Reporter: JanKusanagi <jan-bugs>
Component: RPM Packages
Assignee: Olav Vitters <olav>
Status: RESOLVED OLD
QA Contact:
Severity: critical
Priority: Normal
CC: marja11, olav, pkg-bugs
Version: 5
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: appstream-glib
CVE:
Status comment:

Description JanKusanagi 2016-04-17 19:09:51 CEST
Description of problem:

Running the 'appstream-builder' binary, part of the appstream-util package, creates several directories under the current directory. One of them, ./tmp/, will destroy an existing 'tmp' directory if you have it, with whatever contents it has.

This does not happen for the other directories (cache, logs) that this tool creates, but if you have something valuable under ~/tmp/ and run appstream-builder from ~, that will be gone, without any warning.

Not that I keep anything valuable in such a directory, but a running GNU Screen, for instance, does.

I'll set severity as 'Critical' since it can lead to data loss, even if not commonly, and not for many users.



Version-Release number of selected component (if applicable):

appstream-util-0.2.5-3.mga5
(appstream-builder does not provide a --version option)


How reproducible:

Every time I run the 'appstream-builder' binary.


Steps to Reproduce:
1. Open a terminal, and to be safe, create a new directory and enter it.
2. Create a 'tmp' directory here, and create files or folders inside it.
3. Go back to the directory you originally created, and run 'appstream-builder'.
4. Check the contents of ./tmp/ and see that there's only a 'icons' directory.
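
A workaround for the behaviour reported above, as an added example that is not part of the original report or of appstream-glib: a pre-flight check that refuses to start where a ./tmp entry already exists, and a wrapper that runs the tool from a fresh, empty working directory. The function names are hypothetical, and `run_isolated` assumes the command is found via PATH and that any paths passed as arguments are absolute.

```shell
#!/bin/sh
# Added example (not appstream-glib code). Function names are hypothetical.

# preflight_check [DIR]
# Succeed only if DIR (default: current directory) has no existing "tmp"
# entry. Per the report, tmp/ is the directory whose contents are lost;
# cache/ and logs/ are not affected, so only tmp is checked.
preflight_check() {
    pf_dir=${1:-.}
    if [ -e "$pf_dir/tmp" ] || [ -L "$pf_dir/tmp" ]; then
        echo "refusing to run: $pf_dir/tmp already exists" >&2
        return 1
    fi
    return 0
}

# run_isolated CMD [ARGS...]
# Run CMD from a newly created, empty working directory, so the tmp/,
# cache/ and logs/ directories it creates cannot collide with user data.
# Prints the working directory on stdout; CMD's own stdout goes to stderr.
# Assumption: CMD is resolved via PATH and its path arguments are absolute,
# because the current directory changes before CMD starts.
run_isolated() {
    ri_dir=$(mktemp -d "${TMPDIR:-/tmp}/asb-work.XXXXXX") || return 1
    ( cd "$ri_dir" && "$@" ) >&2 || return 1
    printf '%s\n' "$ri_dir"
}

# Usage, either:
#   preflight_check . && appstream-builder
# or:
#   workdir=$(run_isolated appstream-builder) && ls "$workdir"
```
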

Manuel Hiebel 2016-04-18 17:43:12 CEST

CC: (none) => olav

Comment 1 Marja Van Waes 2016-04-19 08:31:09 CEST
Thanks for the bug report.

Assigning to maintainer.

CC: (none) => marja11, pkg-bugs
Assignee: bugsquad => olav

Comment 2 Olav Vitters 2016-06-15 12:05:38 CEST
Please report this upstream; there doesn't seem to be anything Mageia specific about this bugreport.

Comment 3 Marja Van Waes 2018-04-24 19:30:55 CEST
(In reply to Olav Vitters from comment #2)
> Please report this upstream; there doesn't seem to be anything Mageia
> specific about this bugreport.

I don't see a link to an upstream bug report, so assume that wasn't done. Anyway, it is apparently something we can't fix and Mageia 5 has officially reached its End of Life on December 31st, 2017 https://blog.mageia.org/en/2017/11/07/mageia-5-eol-postponed/
It only continued to get important security updates since then, but non-security bugs have no chance of still getting fixed.

Closing

Status: NEW => RESOLVED
Resolution: (none) => OLD