From 5099c9152be34d4f74886288afb33e9da82b9799 Mon Sep 17 00:00:00 2001
From: Nedko Arnaudov
Date: Sun, 7 Jan 2024 16:52:58 +0200
Subject: [PATCH] Patch CVE-2023-43782: Use of Fixed Temporary File Path in /tmp/.cadence-aloop-daemon.x Apply SuSE fix for CVE-2023-43782 (by Matthias Gerstner) 0001-cadence_aloop_daemon-place-lockfile-into-non-public-.patch https://bugzilla.suse.com/show_bug.cgi?id=1213983
---
 src/cadence.py | 3 ++-
 src/cadence_aloop_daemon.py | 5 +++--
 src/shared.py | 8 ++++++++
 3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/cadence.py b/src/cadence.py
index 87a14a8..714e2d6 100755
--- a/src/cadence.py
+++ b/src/cadence.py
@@ -38,6 +38,7 @@ import ui_cadence_tb_alsa
 import ui_cadence_tb_a2j
 import ui_cadence_tb_pa
 import ui_cadence_rwait
+from shared import getDaemonLockfile
 from shared_cadence import *
 from shared_canvasjack import *
 from shared_settings import *
@@ -1710,7 +1711,7 @@ class CadenceMainW(QMainWindow, ui_cadence.Ui_CadenceMainW):
 @pyqtSlot()
 def slot_AlsaBridgeStop(self):
- checkFile = "/tmp/.cadence-aloop-daemon.x"
+ checkFile = self.getDaemonLockfile("cadence-aloop-daemon")
 if os.path.exists(checkFile):
 os.remove(checkFile)
diff --git a/src/cadence_aloop_daemon.py b/src/cadence_aloop_daemon.py
index c8408ef..b53f64d 100755
--- a/src/cadence_aloop_daemon.py
+++ b/src/cadence_aloop_daemon.py
@@ -33,6 +33,7 @@ else:
 # Imports (Custom Stuff)
 import jacklib
+from shared import getDaemonLockfile
 # --------------------------------------------------
 # Auto re-activate if on good kernel
@@ -50,7 +51,7 @@ doRunNow = True
 useZita = False
 procIn = QProcess()
 procOut = QProcess()
-checkFile = "/tmp/.cadence-aloop-daemon.x"
+checkFile = getDaemonLockfile("cadence-aloop-daemon")
 # --------------------------------------------------
 # Global JACK variables
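Review bot: In src/cadence.py, `slot_AlsaBridgeStop` now calls `self.getDaemonLockfile("cadence-aloop-daemon")`, but the helper this patch adds to src/shared.py and imports at the top of cadence.py is a module-level function, not a method. Unless `CadenceMainW` defines an attribute of that name outside the visible hunks, the slot raises AttributeError before it reaches `os.remove`, so the lockfile is never deleted and the ALSA bridge cannot be stopped from the GUI. The line should read `checkFile = getDaemonLockfile("cadence-aloop-daemon")`, matching the call in src/cadence_aloop_daemon.py so both sides resolve the same path. The rest of the method is outside the hunk.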
@@ -161,7 +162,7 @@ if __name__ == '__main__':
 client = jacklib.client_open("cadence-aloop-daemon", jacklib.JackUseExactName, None)
 if not client:
- print("cadence-aloop-daemon is already running, delete \"/tmp/.cadence-aloop-daemon.x\" to close it")
+ print("cadence-aloop-daemon is already running, delete \"{}\" to close it".format(checkFile))
 quit()
 if jacklib.JACK2:
diff --git a/src/shared.py b/src/shared.py
index 2df4d54..e65d292 100644
--- a/src/shared.py
+++ b/src/shared.py
@@ -312,3 +312,11 @@ def setIcons(self_, modes):
 if "misc" in modes:
 gGui.ui.act_quit.setIcon(getIcon("application-exit"))
 gGui.ui.act_configure.setIcon(getIcon("configure"))
+
+def getDaemonLockfile(base):
+ lockdir = os.environ.get("XDG_RUNTIME_DIR", None)
+ if not lockdir:
+ lockdir = os.path.expanduser("~")
+
+ return os.path.join(lockdir, "{}-lock".format(base))
+
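Review bot: `getDaemonLockfile` in src/shared.py uses `XDG_RUNTIME_DIR` from the environment unchecked, so a value naming a shared or missing directory brings back the predictable-path problem this patch is meant to close. The XDG base-directory specification requires that directory to be owned by the user with mode 0700, and the function can verify that before trusting it, falling back to the home directory otherwise. The fallback has its own gap: `os.path.expanduser("~")` returns `~` unchanged when no home can be determined, which yields a path relative to the working directory. The function also has no docstring, and whether `os` is already imported in shared.py is not visible in this hunk. A checked variant follows; `os.getuid` is POSIX-only, which presumably fits a daemon built on ALSA loopback.

```python
def getDaemonLockfile(base):
    """Return the per-user lockfile path for the daemon called base."""
    lockdir = os.environ.get("XDG_RUNTIME_DIR", None)
    if lockdir:
        try:
            info = os.stat(lockdir)
        except OSError:
            lockdir = None
        else:
            # Trust the runtime dir only if it is ours and closed to other users.
            if not os.path.isdir(lockdir) or info.st_uid != os.getuid() or info.st_mode & 0o077:
                lockdir = None
    if not lockdir:
        lockdir = os.path.expanduser("~")
    # … unchanged: return os.path.join(lockdir, ...) …
```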