A local privilege escalation vulnerability, labeled CVE-2023-32184, has been discovered in openSUSE Welcome, a small Qt program that is autostarted the first time a user performs a graphical login. The vulnerability exists in the component of openSUSE-welcome that allows users to select between different XFCE desktop layout presets.
At its core, openSUSE-welcome is a quaint Qt program designed to offer users a warm reception the first time they log in graphically. Its noble purpose? To showcase documentation and various communication resources tailored for the openSUSE distribution.
However, the uniqueness of this program lies in its behavior within an XFCE desktop environment. When it detects this environment (determined by the $XDG_CURRENT_DESKTOP environment variable being set to xfce), a “customise” button materializes. This button grants users the privilege to toggle between different XFCE desktop layout presets.
An attacker who can exploit the CVE-2023-32184 vulnerability could execute code in the context of the user that selects a different XFCE desktop layout using the openSUSE-welcome dialog. This could allow the attacker to gain full control of the victim’s system.
All currently maintained versions of openSUSE have been affected by this issue, but have received updates in the meantime. OpenSUSE releases dating back to at least openSUSE Leap 15.2 are also affected.
The openSUSE team wasted no time. A bugfix was swiftly introduced. Through commit 3c344ad7, the PanelLayouter class underwent a transformation. Instead of its former behavior, the input tarball, a Qt resource file, is now diligently written to a securely crafted QTemporaryFile. To further bolster security, the embedded Python script has been extricated and positioned as a dedicated script on the filesystem.
For users of openSUSE Tumbleweed and openSUSE Leap 15.4 / 15.5, updates containing this crucial bugfix for the openSUSE-welcome package are readily available.
