| Summary: | cinnamon new security issue CVE-2018-13054 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, marja11, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-64-OK | | |
| Source RPM: | cinnamon-3.2.8-4.mga6.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2018-07-03 14:01:33 CEST

David Walser
2018-07-03 14:01:46 CEST
Whiteboard: (none) => MGA6TOO

Assigning to the registered maintainer.

CC: (none) => marja11

Fedora has issued an advisory for this on July 8:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XSADMZDE26IBCLBJOASR5ZX4E2OKKPVD/

openSUSE has issued advisories for this on July 28:
https://lists.opensuse.org/opensuse-updates/2018-07/msg00079.html
https://lists.opensuse.org/opensuse-updates/2018-07/msg00083.html

Cauldron has since been updated to 4.0.9 and this issue was fixed in 3.8.7.

Patched package uploaded for Mageia 6.

Advisory:
========================

Updated cinnamon packages fix security vulnerability:

A flaw was found in Cinnamon 1.9.2 through 3.8.6. The cinnamon-settings-users.py GUI runs as root and allows configuration of (for example) other users' icon files in _on_face_browse_menuitem_activated and _on_face_menuitem_activated. These icon files are written to the respective user's $HOME/.face location. If an unprivileged user prepares a symlink pointing to an arbitrary location, then this location will be overwritten with the icon content (CVE-2018-13054).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13054
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XSADMZDE26IBCLBJOASR5ZX4E2OKKPVD/
https://lists.opensuse.org/opensuse-updates/2018-07/msg00083.html
========================

Updated packages in core/updates_testing:
========================
cinnamon-3.2.8-4.1.mga6
cinnamon-devel-doc-3.2.8-4.1.mga6

from cinnamon-3.2.8-4.1.mga6.src.rpm

Whiteboard: MGA6TOO => (none)

Mageia6, x86_64
Ran this update from Mate with Cinnamon desktop installed.
$ cd
$ ls .face
Nothing there for Cinnamon.
CVE-2018-13054
Logged in as su.
# cinnamon-settings-users
Clicked on the user's icon and selected an alternative and exited.
$ file .face
.face: JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=0], baseline, precision 8, 96x96, frames 3
Ran cinnamon-settings-users as root again and successfully changed the .face icon.
Updated the cinnamon packages and tried to change the user's icon again.
# cinnamon-settings-users
File "/usr/share/cinnamon/cinnamon-settings-users/cinnamon-settings-users.py", line 709, in _on_face_menuitem_activated
shutil.copy(path, os.path.join(user.get_home_dir(), ".face"))
File "/usr/lib64/python2.7/shutil.py", line 133, in copy
copyfile(src, dst)
File "/usr/lib64/python2.7/shutil.py", line 97, in copyfile
with open(dst, 'wb') as fdst:
IOError: [Errno 13] Permission denied: '/home/lcl/.face'
So the patch works.

CC: (none) => tarazed25
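The advisory above describes the sink (a root process writing $HOME/.face by name, through whatever the user planted there) and the traceback shows the exact call, shutil.copy reaching open(dst, 'wb'). The following is an added example written for this page by the editor; it is not Cinnamon's code, not the Mageia patch, and nothing on this page shows what the upstream 3.8.7 fix actually does. vulnerable_write_face() reproduces the open(dst, "wb") sink; safe_write_face() is one hardened replacement (pin the home directory with a descriptor, open .face relative to it with O_NOFOLLOW, and refuse anything that is not a single-link regular file owned by the target user). The function names, the UnsafeDestination exception, the scratch directory tree and the icon bytes are all constructed for the example.

```python
"""Symlink-safe write of another user's ~/.face from a tool that runs as root.
Added example for this bug report, not Cinnamon's code and not the Mageia patch:
vulnerable_write_face() is the open(dst, "wb") sink that shutil.copy reaches in
the traceback above, safe_write_face() is one hardened replacement."""
import errno
import os
import shutil
import stat
import tempfile


class UnsafeDestination(Exception):
    """$HOME/.face is not a single-link regular file owned by the target user."""


def vulnerable_write_face(home, icon):
    """The bug: root writes $HOME/.face by name, and open() follows a symlink the
    user planted there, so whatever it points to receives the icon content."""
    with open(os.path.join(home, ".face"), "wb") as f:
        f.write(icon)


def safe_write_face(home, icon, uid, gid):
    """Write icon bytes to home/.face for user uid/gid without following links.
    Returns bytes written; raises UnsafeDestination rather than clobber anything."""
    # Pin the home directory: later opens are relative to dirfd, so the path cannot
    # be swapped between the checks and the write (no TOCTOU window on the path).
    dirfd = os.open(home, os.O_RDONLY | os.O_DIRECTORY)
    try:
        if os.fstat(dirfd).st_uid != uid:
            raise UnsafeDestination("%s is not owned by uid %d" % (home, uid))
        created = False
        try:
            # O_EXCL fails with EEXIST for any existing name, dangling symlinks included.
            fd = os.open(".face", os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW,
                         0o644, dir_fd=dirfd)
            created = True
        except FileExistsError:
            try:  # O_NOFOLLOW: a symlink yields ELOOP; O_NONBLOCK: a planted FIFO cannot hang us
                fd = os.open(".face", os.O_WRONLY | os.O_NOFOLLOW | os.O_NONBLOCK, dir_fd=dirfd)
            except OSError as e:
                if e.errno == errno.ELOOP:
                    raise UnsafeDestination(".face is a symlink; refusing to follow it")
                raise
        with os.fdopen(fd, "wb") as f:  # owns fd now; closed on every exit path
            if not created:
                st = os.fstat(fd)  # judge the object we opened, not a path that may change
                if not stat.S_ISREG(st.st_mode):
                    raise UnsafeDestination(".face is not a regular file")
                if st.st_nlink != 1:  # hard link to another file, e.g. a root-owned one
                    raise UnsafeDestination(".face has %d links" % st.st_nlink)
                if st.st_uid != uid:
                    raise UnsafeDestination(".face belongs to uid %d, not %d" % (st.st_uid, uid))
                os.ftruncate(fd, 0)  # only now is it safe to discard the old content
            elif os.geteuid() == 0:
                os.fchown(fd, uid, gid)  # created by root: hand the file to the user
            f.write(icon)
            return len(icon)
    finally:
        os.close(dirfd)


def demo():
    """Run the attack in a scratch tree (all constructed here). Returns a dict of
    booleans recording what each writer did to the attacker's chosen target."""
    root = tempfile.mkdtemp(prefix="cve-2018-13054-")
    uid, gid = os.getuid(), os.getgid()
    home = os.path.join(root, "home", "lcl")
    os.makedirs(home)
    face, target = os.path.join(home, ".face"), os.path.join(root, "target")
    icon, secret = b"\xff\xd8\xff\xe0 stand-in JPEG bytes", b"keep me\n"

    def survives(plant):  # re-plant .face, run the hardened writer, report refusal + intact target
        with open(target, "wb") as f:
            f.write(secret)
        os.unlink(face)  # a previous .face is always present when this is called
        plant()
        try:
            safe_write_face(home, icon, uid, gid)
            refused = False
        except UnsafeDestination:
            refused = True
        with open(target, "rb") as f:
            return refused and f.read() == secret

    r = {}
    with open(target, "wb") as f:
        f.write(secret)
    os.symlink(target, face)  # attacker: .face -> target
    vulnerable_write_face(home, icon)
    with open(target, "rb") as f:
        r["vulnerable_clobbers_target"] = f.read() == icon
    r["safe_refuses_symlink"] = survives(lambda: os.symlink(target, face))
    r["safe_refuses_hardlink"] = survives(lambda: os.link(target, face))
    os.unlink(face)  # honest case: nothing planted
    n = safe_write_face(home, icon, uid, gid)
    st = os.lstat(face)
    r["safe_creates_plain_file"] = n == len(icon) and stat.S_ISREG(st.st_mode) and st.st_uid == uid
    shutil.rmtree(root)
    return r
```

Two caveats a reviewer of such a change would raise. O_NOFOLLOW only guards the last path component, which is why the home directory is pinned with a descriptor and its owner checked before anything is opened relative to it. And the ownership check deliberately rejects a .face that is a regular file but owned by someone else, which includes a root-owned one left behind by the unpatched tool; an administrator would have to remove that file by hand before the user's icon can be set again.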
Len Lawrence
2019-02-08 09:00:26 CET
Keywords: (none) => validated_update
Dave Hodgins
2019-02-13 03:39:09 CET
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0063.html

Resolution: (none) => FIXED