Bug 22889 - xdg-user-dirs new security issue CVE-2017-15131
Summary: xdg-user-dirs new security issue CVE-2017-15131
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-04-10 18:23 CEST by David Walser
Modified: 2018-04-30 21:09 CEST (History)
CC: 4 users

See Also:
Source RPM: xdg-user-dirs-0.17-1.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2018-04-10 18:23:04 CEST
RedHat has issued an advisory today (April 10):
https://access.redhat.com/errata/RHSA-2018:0842

I'm not sure if the issue has been fixed upstream yet, but we can check RedHat's changes against our package:
https://git.centos.org/commit/rpms!xdg-user-dirs.git/c7

Mageia 5 and Mageia 6 may also be affected.
Comment 1 Marja Van Waes 2018-04-10 18:41:44 CEST
Assigning to the registered maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

Comment 2 Shlomi Fish 2018-04-13 17:41:54 CEST
Based on my reading Cauldron is not affected.

Version: Cauldron => 6

Comment 3 Shlomi Fish 2018-04-13 17:43:51 CEST
And neither is mga6.

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 4 David Walser 2018-04-13 17:48:26 CEST
While we do have the .desktop file that does the autostart the right way, we also have the xinit.d script that RedHat removed, so it looks to me like we are affected.

Status: RESOLVED => REOPENED
Resolution: FIXED => (none)
Whiteboard: (none) => MGA6TOO
Version: 6 => Cauldron

Comment 5 Shlomi Fish 2018-04-13 18:36:23 CEST
Fix submitted to cauldron.
Comment 6 Shlomi Fish 2018-04-13 18:43:02 CEST
(In reply to Shlomi Fish from comment #5)
> Fix submitted to cauldron.

and to mga6 updates-testing.
Comment 7 David Walser 2018-04-13 18:46:31 CEST
Advisory:
========================

Updated xdg-user-dirs package fixes security vulnerability:

Xsession creation of XDG user directories does not honor system umask policy
(CVE-2017-15131).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15131
https://access.redhat.com/errata/RHSA-2018:0842
========================

Updated packages in core/updates_testing:
========================
xdg-user-dirs-0.15-7.1.mga6

from xdg-user-dirs-0.15-7.1.mga6.src.rpm

Whiteboard: MGA6TOO => (none)
CC: (none) => shlomif
Assignee: shlomif => qa-bugs
Version: Cauldron => 6

Comment 8 Herman Viaene 2018-04-16 14:58:37 CEST
MGA5-32 on Dell Latitude D600 MATE
No installation issues.
$ xdg-user-dir
/home/<user>/
and
$ xdg-user-dir DOCUMENTS
/home/<user>/Documenten
Seems OK.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 9 Herman Viaene 2018-04-16 15:12:44 CEST
Mistake: test was on MGA6-32!!!!
Comment 10 Lewis Smith 2018-04-22 21:44:18 CEST
Testing M6/64
 https://bugzilla.redhat.com/show_bug.cgi?id=1412762#c0
gives a good description of the fault, and how to test it:
1. Change umask for normal users from the default (002) to 007 in /etc/profile.
2. Create a new, normal user.
3. Graphically login as this new user.
4. Run "stat -c %a Desktop" in a shell.
Actual results:
755
Expected results:
750

BEFORE update: xdg-user-dirs-0.15-7.mga6
umask in /etc/profile is 022
 $ stat -c %a Desktop
 755                 [wrong]
Change umask in /etc/profile to 027
UPDATE to: xdg-user-dirs-0.15-7.1.mga6
Logout of graphical desktop.
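The umask check from the Red Hat test steps above, reproduced as an added shell example that is not part of this bug report or of the xdg-user-dirs package: instead of creating a user and logging in graphically, it creates a directory under a given umask in a throwaway location and compares the mode reported by `stat -c %a` with what a umask-honouring creator (mode 0777 masked by the umask) should produce. The function names are constructed for this example; the directory name `Desktop` mirrors the test in the comment.

```shell
#!/bin/sh
# Added example (not from the bug report): check whether directory creation
# honours the current umask, the same property comment 10 tests with
# "stat -c %a Desktop" after a graphical login.

# mode_under_umask UMASK -> prints the octal mode (as stat -c %a shows it)
# of a "Desktop" directory created in a temporary directory under UMASK.
mode_under_umask() {
    tmp=$(mktemp -d) || return 1
    # umask is per-process, so set it in a subshell to leave the caller alone
    (
        umask "$1"
        mkdir "$tmp/Desktop"
    ) || { rm -rf "$tmp"; return 1; }
    stat -c %a "$tmp/Desktop"
    rm -rf "$tmp"
}

# expected_mode UMASK -> the mode a umask-honouring creator must produce:
# the default directory mode 0777 with the umask bits cleared.
expected_mode() {
    printf '%o\n' $(( 0777 & ~0$1 ))
}

# check_umask UMASK -> "ok" when actual and expected modes agree, otherwise
# a "wrong" line naming both values (the 755-under-027 case in the comment).
check_umask() {
    actual=$(mode_under_umask "$1") || return 1
    expected=$(expected_mode "$1")
    if [ "$actual" = "$expected" ]; then
        echo ok
    else
        echo "wrong (got $actual, expected $expected)"
    fi
}

# Usage: sh this_script.sh [UMASK]   (defaults to 027, as in the test above)
check_umask "${1:-027}"
```

On an unaffected system this prints `ok` for 027 and 007; the defect in the report shows up as the real `~/Desktop` staying at 755 even though this mkdir-based check passes, because the directory was created by a startup script running before the user's umask from /etc/profile was in effect.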
Comment 11 Lewis Smith 2018-04-22 22:36:20 CEST
M6/64 continued

Well, all that was a waste of time. I could not get any result from graphically logging into a newly created user (*after* modifying umask in /etc/profile) other than:
 $ stat -c %a Desktop
 755
whatever the /etc/profile umask value was when creating that user: 027 or 007.
I used MCC-System-User management to create & delete the test user. Reverted the umask value to 022.

So back to Herman: commands like
 $ xdg-user-dir DESKTOP
 /home/lewis/Desktop
gave the right result, as they had done before the update. Say it is OK.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 12 Mageia Robot 2018-04-30 21:09:05 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0215.html

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED
