| Summary: | xdg-user-dirs new security issue CVE-2017-15131 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | herman.viaene, marja11, shlomif, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-32-OK MGA6-64-OK | | |
| Source RPM: | xdg-user-dirs-0.17-1.mga7.src.rpm | CVE: | |
| Status comment: | | | |
Description

David Walser
2018-04-10 18:23:04 CEST

Assigning to the registered maintainer.

    Assignee: bugsquad => shlomif

Based on my reading Cauldron is not affected.

    Version: Cauldron => 6

And neither is mga6.

    Resolution: (none) => FIXED

While we do have the .desktop file that does the autostart the right way, we also have the xinit.d script that RedHat removed, so it looks to me like we are affected.

    Version: 6 => Cauldron

Fix submitted to cauldron.

(In reply to Shlomi Fish from comment #5)
> Fix submitted to cauldron.

and to mga6 updates-testing.

Advisory:
========================

Updated xdg-user-dirs package fixes security vulnerability:

Xsession creation of XDG user directories does not honor system umask policy (CVE-2017-15131).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15131
https://access.redhat.com/errata/RHSA-2018:0842
========================

Updated packages in core/updates_testing:
========================
xdg-user-dirs-0.15-7.1.mga6

from xdg-user-dirs-0.15-7.1.mga6.src.rpm

    CC: (none) => shlomif

MGA5-32 on Dell Latitude D600 MATE
No installation issues.

$ xdg-user-dir
/home/<user>/

and

$ xdg-user-dir DOCUMENTS
/home/<user>/Documenten

Seems OK.

    CC: (none) => herman.viaene

Mistake: test was on MGA6-32!!!!

Testing M6/64

https://bugzilla.redhat.com/show_bug.cgi?id=1412762#c0 gives a good description of the fault, and how to test it:

1. Change umask for normal users from the default (002) to 007 in /etc/profile.
2. Create a new, normal user.
3. Graphically login as this new user.
4. Run "stat -c %a Desktop" in a shell.

Actual results: 755
Expected results: 750

BEFORE update: xdg-user-dirs-0.15-7.mga6
umask in /etc/profile is 022
$ stat -c %a Desktop
755 [wrong]

Change umask in /etc/profile to 027

UPDATE to: xdg-user-dirs-0.15-7.1.mga6
Logout of graphical desktop.

M6/64 continued

Well, all that was a waste of time. I could not get any result from graphically logging into a newly created user (*after* modifying umask in /etc/profile) other than:
$ stat -c %a Desktop
755
whatever the /etc/profile umask value was when creating that user: 027, 007.
I used MCC-System-User management to create & delete the test user.
Reverted the umask value to 022.

So back to Herman: commands like
$ xdg-user-dir DESKTOP
/home/lewis/Desktop
gave the right result, as they had done before the update.

Say it is OK.

    Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0215.html

    Resolution: (none) => FIXED
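As an added example (not from the bug report or the xdg-user-dirs project), a POSIX shell check that automates the `stat -c %a Desktop` step from the Red Hat test procedure across every XDG directory a user has: it derives the directory mode a given umask should produce and flags directories that did not get it, which is what an incomplete fix for CVE-2017-15131 would leave behind. It assumes GNU stat and the usual ~/.config/user-dirs.dirs layout; the sample home it builds is constructed.

```shell
# Added check (not from the bug report): do a user's XDG directories carry the mode
# the session umask should have produced? Assumes GNU stat and ~/.config/user-dirs.dirs.

# expected_dir_mode UMASK: mode a freshly created directory gets under UMASK,
# i.e. 0777 with the umask bits cleared, printed in octal (027 -> 750).
expected_dir_mode() {
    printf '%o\n' $(( 0777 & ~0$1 ))
}

# check_xdg_dirs UMASK HOME: compare each XDG_*_DIR listed in
# HOME/.config/user-dirs.dirs with expected_dir_mode. Prints one line per
# directory; the return value is the number of directories whose mode does
# not match (0 = all honour the umask, 255 = config file unreadable).
check_xdg_dirs() {
    umask_val=$1; home=$2; mismatches=0
    expected=$(expected_dir_mode "$umask_val")
    conf="$home/.config/user-dirs.dirs"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 255; }
    while IFS= read -r line; do
        # only lines of the form XDG_DESKTOP_DIR="$HOME/Desktop"
        case $line in XDG_*_DIR=*) ;; *) continue ;; esac
        dir=${line#*=}; dir=${dir#\"}; dir=${dir%\"}
        case $dir in '$HOME'*) dir=$home${dir#\$HOME} ;; esac
        [ -d "$dir" ] || continue
        actual=$(stat -c %a "$dir")
        if [ "$actual" = "$expected" ]; then
            echo "OK    $dir $actual"
        else
            echo "WRONG $dir $actual (expected $expected)"
            mismatches=$((mismatches + 1))
        fi
    done < "$conf"
    return "$mismatches"
}

# Constructed sample home (not a real user): Desktop created the buggy way (755
# despite umask 027), Documents honouring the umask. Real use: check_xdg_dirs 027 /home/<user>
demo_home=$(mktemp -d)
mkdir -p "$demo_home/.config"
mkdir -m 755 "$demo_home/Desktop"
mkdir -m 750 "$demo_home/Documents"
printf 'XDG_DESKTOP_DIR="$HOME/Desktop"\nXDG_DOCUMENTS_DIR="$HOME/Documents"\n' \
    > "$demo_home/.config/user-dirs.dirs"
if check_xdg_dirs 027 "$demo_home"; then
    echo "all XDG directories honour umask 027"
else
    echo "$? directory/directories do not honour umask 027"
fi
rm -rf "$demo_home"
```

Run it as the user whose session created the directories (or point HOME at their home as root); any WRONG line after the update means the umask is still being ignored somewhere in the session start-up.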