CVE-2023-49343: 
Linux Debian vulnerability analysis and mitigation

The vulnerability (CVE-2023-49343) affects the Budgie Extras Dropby applet, discovered in December 2023. The issue involves temporary data passed between application components that could be viewed or manipulated due to insecure storage location. The vulnerability affects versions from 1.4.0 up to (excluding) 1.7.1 of the budgie-extras package (NVD, GitHub Advisory).

The vulnerability stems from the use of predictable paths in /tmp directory for storing temporary data. Specifically, the application uses paths like '/tmp/_keepdropbywin', '/tmp/_call_dropby', and '/tmp/_dropby_icon_copy' as trigger files for various operations. The issue received a CVSS v3.1 base score of 7.8 (HIGH) from NVD and 6.0 (MEDIUM) from Canonical Ltd., with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD, OSS Security).

The vulnerability allows local attackers to potentially view or manipulate data passed between application components. Attackers can pre-create and control files to present false information to users or deny access to the application and panel. Since the applet runs in the same thread as the budgie panel, crashing the applet can potentially crash the entire panel (GitHub Advisory, OSS Security).

The vulnerability has been fixed in version 1.7.1 of budgie-extras. The fix involves replacing the public /tmp directory with the user's private XDG_RUNTIME_DIR, with a fallback to the user's HOME directory. As a temporary workaround, the issue can be mitigated by having only one user account on the system and limiting physical access to other users (GitHub Advisory, Ubuntu Security).