CVE-2023-49347: 
Linux Debian vulnerability analysis and mitigation

Budgie Extras Windows Previews contains a vulnerability (CVE-2023-49347) discovered in December 2023 that affects versions from 1.4.0 up to (excluding) 1.7.1. The vulnerability involves temporary data passed between application components being stored in a location accessible to any user with local system access. This security issue was patched in version 1.7.1 (GHSA Advisory, Ubuntu Notice).

The vulnerability has a CVSS v3.1 base score of 7.8 (HIGH) according to NVD assessment, with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue stems from improper handling of temporary file paths where data is stored in publicly accessible locations. The vulnerability is classified under CWE-668 (Exposure of Resource to Wrong Sphere) and CWE-377 (Insecure Temporary File) (NVD).

The vulnerability allows attackers with local system access to read private information from windows, present false information to users, or deny access to the application. The images stored in temporary folders can be manipulated, and attackers can place additional PNG image files to confuse the victim's GUI experience. Without Linux kernel's symlink protection, attackers can place symlinks to cause programs to operate in arbitrary directory locations (GHSA Advisory).

The vulnerability has been fixed in version 1.7.1 of Budgie Extras. As a workaround before updating, users can mitigate the issue by limiting the system to a single user account and restricting physical access to other users. The fix involves replacing the public /tmp directory with the user's private XDG_RUNTIME_DIR, with a fallback to the user's HOME directory (GHSA Advisory, Ubuntu Notice).