RedHat has issued an advisory today (April 10): https://access.redhat.com/errata/RHSA-2018:0842 I'm not sure if the issue has been fixed upstream yet, but we can check RedHat's changes against our package: https://git.centos.org/commit/rpms!xdg-user-dirs.git/c7 Mageia 5 and Mageia 6 may also be affected.
Assigning to the registered maintainer.
Assignee: bugsquad => shlomif
CC: (none) => marja11
Based on my reading Cauldron is not affected.
Version: Cauldron => 6
And neither is mga6.
Resolution: (none) => FIXED
Status: NEW => RESOLVED
While we do have the .desktop file that does the autostart the right way, we also have the xinit.d script that RedHat removed, so it looks to me like we are affected.
Version: 6 => Cauldron
Resolution: FIXED => (none)
Status: RESOLVED => REOPENED
Whiteboard: (none) => MGA6TOO
Fix submitted to cauldron.
(In reply to Shlomi Fish from comment #5)
> Fix submitted to cauldron.

and to mga6 updates-testing.
Advisory:
========================

Updated xdg-user-dirs package fixes security vulnerability:

Xsession creation of XDG user directories does not honor system umask policy (CVE-2017-15131).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15131
https://access.redhat.com/errata/RHSA-2018:0842
========================

Updated packages in core/updates_testing:
========================
xdg-user-dirs-0.15-7.1.mga6

from xdg-user-dirs-0.15-7.1.mga6.src.rpm
CC: (none) => shlomif
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Assignee: shlomif => qa-bugs
MGA5-32 on Dell Latitude D600 MATE
No installation issues.
$ xdg-user-dir
/home/<user>/
and
$ xdg-user-dir DOCUMENTS
/home/<user>/Documenten
Seems OK.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK
Mistake: test was on MGA6-32!!!!
Testing M6/64
https://bugzilla.redhat.com/show_bug.cgi?id=1412762#c0 gives a good description of the fault, and how to test it:
1. Change umask for normal users from the default (002) to 007 in /etc/profile.
2. Create a new, normal user.
3. Graphically login as this new user.
4. Run "stat -c %a Desktop" in a shell.
Actual results: 755
Expected results: 750

BEFORE update: xdg-user-dirs-0.15-7.mga6
umask in /etc/profiles is 022
$ stat -c %a Desktop
755 [wrong]
Change umask in /etc/profile to 027
UPDATE to: xdg-user-dirs-0.15-7.1.mga6
Logout of graphical desktop.
M6/64 continued
Well, all that was a waste of time. I could not get any result from graphically logging into a newly created user (*after* modifying umask in /etc/profile) other than:
$ stat -c %a Desktop
755
whatever the /etc/profile umask value was when creating that user: 027 007.
I used MCC-System-User management to create & delete the test user.
Reverted the umask value to 022.

So back to Herman: commands like
$ xdg-user-dir DESKTOP
/home/lewis/Desktop
gave the right result, as they had done before the update. Say it is OK.
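The check behind step 4 of the test procedure quoted above, written out as an added example (not part of the original thread or of the xdg-user-dirs package): it compares each directory's mode from "stat -c %a" with a given umask and reports any permission bits the umask should have removed. The function names excess_bits and check_dirs are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: flag directories that grant permission bits which the
# given umask should have masked out (the symptom of CVE-2017-15131).

# excess_bits UMASK MODE -> octal bits set in MODE that UMASK forbids (0 = none)
excess_bits() {
    printf '%o\n' $(( 0$2 & 0$1 & 0777 ))
}

# check_dirs UMASK DIR... -> prints one line per offending directory;
# returns 0 if every directory honours the umask, 1 otherwise.
check_dirs() {
    mask=$1; shift
    rc=0
    for d in "$@"; do
        [ -d "$d" ] || continue          # directory not created: nothing to check
        mode=$(stat -c %a "$d")          # same command as step 4 of the test
        extra=$(excess_bits "$mask" "$mode")
        if [ "$extra" != 0 ]; then
            echo "$d: mode $mode grants $extra beyond umask $mask"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check.sh 007 "$HOME/Desktop" "$HOME/Documents"
if [ "$#" -ge 2 ]; then
    check_dirs "$@"
fi
```

A directory that is more restrictive than the umask requires is not reported, so the check only fires on the over-permissive case the advisory describes.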
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0215.html
Resolution: (none) => FIXED
Status: REOPENED => RESOLVED