CVE-2023-49345: 
Linux Debian vulnerability analysis and mitigation

The vulnerability (CVE-2023-49345) affects the Budgie Extras Takeabreak applet, discovered on December 14, 2023. The issue involves temporary data passed between application components that could be viewed or manipulated. The vulnerability affects Budgie Extras versions from 1.4.0 up to (excluding) 1.7.1 (NVD, Ubuntu Security).

The vulnerability stems from the use of predictable temporary file paths in the /tmp directory, specifically the /tmp/nextbreak_ file. The file is used to store and display the next break time in the GUI. The application reads this file, splits the content on '.' character, and uses the first element as the displayed time. The vulnerability has received a CVSS v3.1 base score of 7.8 (HIGH) from NIST, with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD, Openwall).

The vulnerability allows local attackers to manipulate the data displayed by the application, potentially presenting false information to users. Additionally, attackers can cause denial-of-service conditions by placing a FIFO (named pipe) at the predictable file location. Since the applet runs in the same thread as the budgie panel, crashing the applet can result in crashing the entire panel (GitHub Advisory).

The vulnerability has been fixed in version 1.7.1 of Budgie Extras, where the public /tmp directory has been replaced by the user's private XDG_RUNTIME_DIR, with a fallback to the user's HOME directory. As a temporary workaround, the issue can be mitigated by limiting the system to a single user account and restricting physical access to other users (GitHub Advisory, Ubuntu Security).