Bug 23272 - cinnamon new security issue CVE-2018-13054
Summary: cinnamon new security issue CVE-2018-13054
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-07-03 14:01 CEST by David Walser
Modified: 2019-02-13 12:10 CET (History)
4 users (show)

See Also:
Source RPM: cinnamon-3.2.8-4.mga6.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2018-07-03 14:01:33 CEST
A security issue in cinnamon has been announced on July 2:
http://openwall.com/lists/oss-security/2018/07/02/5

The original message in the thread links to a pull request with a fix:
http://openwall.com/lists/oss-security/2018/07/02/3

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-07-03 14:01:46 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-07-04 12:33:28 CEST
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => joequant

Comment 2 David Walser 2018-07-16 21:30:07 CEST
Fedora has issued an advisory for this on July 8:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XSADMZDE26IBCLBJOASR5ZX4E2OKKPVD/
Comment 3 David Walser 2018-08-02 17:06:57 CEST
openSUSE has issued advisories for this on July 28:
https://lists.opensuse.org/opensuse-updates/2018-07/msg00079.html
https://lists.opensuse.org/opensuse-updates/2018-07/msg00083.html
Comment 4 David Walser 2019-02-03 01:55:14 CET
Cauldron has since been updated to 4.0.9 and this issue was fixed in 3.8.7.

Patched package uploaded for Mageia 6.

Advisory:
========================

Updated cinnamon packages fix security vulnerability:

A flaw was found in Cinnamon 1.9.2 through 3.8.6. The
cinnamon-settings-users.py GUI runs as root and allows configuration of (for
example) other users' icon files in _on_face_browse_menuitem_activated and
_on_face_menuitem_activated. These icon files are written to the respective
user's $HOME/.face location. If an unprivileged user prepares a symlink
pointing to an arbitrary location, then this location will be overwritten with
the icon content (CVE-2018-13054).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13054
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XSADMZDE26IBCLBJOASR5ZX4E2OKKPVD/
https://lists.opensuse.org/opensuse-updates/2018-07/msg00083.html
========================

Updated packages in core/updates_testing:
========================
cinnamon-3.2.8-4.1.mga6
cinnamon-devel-doc-3.2.8-4.1.mga6

from cinnamon-3.2.8-4.1.mga6.src.rpm

Source RPM: cinnamon-3.8.6-1.mga7.src.rpm => cinnamon-3.2.8-4.mga6.src.rpm
Whiteboard: MGA6TOO => (none)
Assignee: joequant => qa-bugs
Version: Cauldron => 6

Comment 5 Len Lawrence 2019-02-03 18:29:58 CET
Mageia6, x86_64

Ran this update from Mate with Cinnamon desktop installed.
$ cd
$ ls .face
Nothing there for Cinnamon.

CVE-2018-13054

Logged in as su.
# cinnamon-settings-users
Clicked on the user's icon and selected an alternative and exited.

$ file .face
.face: JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=0], baseline, precision 8, 96x96, frames 3

Ran cinnamon-settings-users as root again and successfully changed the .face icon.

Updated the cinnamon packages and tried to change the user's icon again.
# cinnamon-settings-users
  File "/usr/share/cinnamon/cinnamon-settings-users/cinnamon-settings-users.py", line 709, in _on_face_menuitem_activated
    shutil.copy(path, os.path.join(user.get_home_dir(), ".face"))
  File "/usr/lib64/python2.7/shutil.py", line 133, in copy
    copyfile(src, dst)
  File "/usr/lib64/python2.7/shutil.py", line 97, in copyfile
    with open(dst, 'wb') as fdst:
IOError: [Errno 13] Permission denied: '/home/lcl/.face'

So the patch works.

CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK

Len Lawrence 2019-02-08 09:00:26 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2019-02-13 03:39:09 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2019-02-13 12:10:22 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0063.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.