Bug 22889 - xdg-user-dirs new security issue CVE-2017-15131
Summary: xdg-user-dirs new security issue CVE-2017-15131
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2018-04-10 18:23 CEST by David Walser
Modified: 2018-04-22 22:36 CEST

See Also:
Source RPM: xdg-user-dirs-0.17-1.mga7.src.rpm
Status comment:


Description David Walser 2018-04-10 18:23:04 CEST
RedHat has issued an advisory today (April 10):

I'm not sure if the issue has been fixed upstream yet, but we can check RedHat's changes against our package:

Mageia 5 and Mageia 6 may also be affected.
Comment 1 Marja Van Waes 2018-04-10 18:41:44 CEST
Assigning to the registered maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

Comment 2 Shlomi Fish 2018-04-13 17:41:54 CEST
Based on my reading Cauldron is not affected.

Version: Cauldron => 6

Comment 3 Shlomi Fish 2018-04-13 17:43:51 CEST
And neither is mga6 .

Resolution: (none) => FIXED

Comment 4 David Walser 2018-04-13 17:48:26 CEST
While we do have the .desktop file that does the autostart the right way, we also have the xinit.d script that RedHat removed, so it looks to me like we are affected.

Whiteboard: (none) => MGA6TOO
Version: 6 => Cauldron
Resolution: FIXED => (none)

Comment 5 Shlomi Fish 2018-04-13 18:36:23 CEST
Fix submitted to cauldron.
Comment 6 Shlomi Fish 2018-04-13 18:43:02 CEST
(In reply to Shlomi Fish from comment #5)
> Fix submitted to cauldron.

and to mga6 updates-testing.
Comment 7 David Walser 2018-04-13 18:46:31 CEST

Updated xdg-user-dirs package fixes security vulnerability:

Xsession creation of XDG user directories does not honor system umask policy


Updated packages in core/updates_testing:

from xdg-user-dirs-0.15-7.1.mga6.src.rpm

Whiteboard: MGA6TOO => (none)
CC: (none) => shlomif
Assignee: shlomif => qa-bugs
Version: Cauldron => 6

Comment 8 Herman Viaene 2018-04-16 14:58:37 CEST
MGA5-32 on Dell Latitude D600 MATE
No installation issues.
$ xdg-user-dir
$ xdg-user-dir DOCUMENTS
Seems OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK

Comment 9 Herman Viaene 2018-04-16 15:12:44 CEST
Mistake: test was on MGA6-32!!!!
Comment 10 Lewis Smith 2018-04-22 21:44:18 CEST
Testing M6/64
gives a good description of the fault, and how to test it:
1. Change umask for normal users from the default (002) to 007 in /etc/profile.
2. Create a new, normal user.
3. Graphically login as this new user.
4. Run "stat -c %a Desktop" in a shell.
Actual results:
Expected results:

BEFORE update: xdg-user-dirs-0.15-7.mga6
umask in /etc/profile is 022
 $ stat -c %a Desktop
 755                 [wrong]
Change umask in /etc/profile to 027
UPDATE to: xdg-user-dirs-0.15-7.1.mga6
Logout of graphical desktop.
Comment 11 Lewis Smith 2018-04-22 22:36:20 CEST
M6/64 continued

Well, all that was a waste of time. I could not get any result from graphically logging into a newly created user (*after* modifying umask in /etc/profile) other than:
 $ stat -c %a Desktop
whatever the /etc/profile umask value was when creating that user: 027 007.
I used MCC-System-User management to create & delete the test user. Reverted the umask value to 022.

So back to Herman: commands like
 $ xdg-user-dir DESKTOP
gave the right result, as they had done before the update. Say it is OK.

CC: (none) => sysadmin-bugs
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => advisory, validated_update
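The test in comment 10 reduces to one check: after a graphical login, the mode of the new user's Desktop directory must reflect the umask set in /etc/profile, not the default 022. The script below is an added example, not Mageia's xinit.d hook and not the xdg-user-dirs code. It models the failure mode the advisory names (XDG directories created while the default umask 022 is still in effect rather than the policy umask, 027 as in the test above) inside a throwaway HOME, and adds a small audit function for an existing directory. The function names make_xdg_dirs, dir_mode, check_before_fix, check_after_fix and dir_honours_umask are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example (not Mageia's xinit.d hook or the xdg-user-dirs code).
# Models CVE-2017-15131's failure mode: XDG user directories created
# while the default umask (022) is still in effect, instead of the
# policy umask from /etc/profile (027 in the test from comment 10).
# All function names below are assumptions chosen for this example.

# Create the XDG user directories under the fake HOME $1 with umask $2.
# The subshell keeps the umask change from leaking into the caller.
make_xdg_dirs() {
    ( umask "$2"
      for d in Desktop Documents Downloads; do
          mkdir -p "$1/$d"
      done )
}

# Octal mode of a directory, as in step 4 of the test ("stat -c %a Desktop").
dir_mode() {
    stat -c %a "$1"
}

# Faulty behaviour: the directories are created before the policy umask
# is applied, so they come out as 755 even though /etc/profile says 027.
check_before_fix() {
    home=$(mktemp -d)
    make_xdg_dirs "$home" 022
    mode=$(dir_mode "$home/Desktop")
    rm -rf "$home"
    echo "$mode"          # 755 [wrong]
}

# Fixed behaviour: creation happens under the policy umask, so group
# write and all "other" bits are dropped.
check_after_fix() {
    home=$(mktemp -d)
    make_xdg_dirs "$home" 027
    mode=$(dir_mode "$home/Desktop")
    rm -rf "$home"
    echo "$mode"          # 750
}

# Audit an existing directory $1 against policy umask $2: succeed (0) only
# if no permission bit the umask would have cleared is set. The leading 0
# makes the shell treat both values as octal; an unreadable directory is
# reported as a failure rather than silently passing.
dir_honours_umask() {
    mode=$(dir_mode "$1") || return 2
    [ -n "$mode" ] || return 2
    [ $(( 0$mode & 0$2 )) -eq 0 ]
}

# Usage: run the two simulations, then audit the real Desktop directory.
echo "before fix: $(check_before_fix)"
echo "after fix:  $(check_after_fix)"
if [ -d "$HOME/Desktop" ]; then
    if dir_honours_umask "$HOME/Desktop" 027; then
        echo "$HOME/Desktop honours umask 027"
    else
        echo "$HOME/Desktop is looser than umask 027 allows"
    fi
fi
```

The audit function is the part worth keeping after the update: it answers the question Lewis could not settle by re-logging in, because it checks a directory that already exists against the policy umask instead of depending on when the directory was created. Note that it only reports directories looser than the policy; a user who deliberately tightened permissions will still pass.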
