A security issue in cinnamon has been announced on July 2:
http://openwall.com/lists/oss-security/2018/07/02/5
The original message in the thread links to a pull request with a fix:
http://openwall.com/lists/oss-security/2018/07/02/3
Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Assigning to the registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => joequant
Fedora has issued an advisory for this on July 8: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XSADMZDE26IBCLBJOASR5ZX4E2OKKPVD/
openSUSE has issued advisories for this on July 28:
https://lists.opensuse.org/opensuse-updates/2018-07/msg00079.html
https://lists.opensuse.org/opensuse-updates/2018-07/msg00083.html
Cauldron has since been updated to 4.0.9 and this issue was fixed in 3.8.7.

Patched package uploaded for Mageia 6.

Advisory:
========================

Updated cinnamon packages fix security vulnerability:

A flaw was found in Cinnamon 1.9.2 through 3.8.6. The cinnamon-settings-users.py GUI runs as root and allows configuration of (for example) other users' icon files in _on_face_browse_menuitem_activated and _on_face_menuitem_activated. These icon files are written to the respective user's $HOME/.face location. If an unprivileged user prepares a symlink pointing to an arbitrary location, then this location will be overwritten with the icon content (CVE-2018-13054).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13054
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XSADMZDE26IBCLBJOASR5ZX4E2OKKPVD/
https://lists.opensuse.org/opensuse-updates/2018-07/msg00083.html
========================

Updated packages in core/updates_testing:
========================
cinnamon-3.2.8-4.1.mga6
cinnamon-devel-doc-3.2.8-4.1.mga6

from cinnamon-3.2.8-4.1.mga6.src.rpm
Whiteboard: MGA6TOO => (none)
Assignee: joequant => qa-bugs
Source RPM: cinnamon-3.8.6-1.mga7.src.rpm => cinnamon-3.2.8-4.mga6.src.rpm
Version: Cauldron => 6
Mageia6, x86_64

Ran this update from Mate with Cinnamon desktop installed.

  $ cd
  $ ls .face

Nothing there for Cinnamon.

CVE-2018-13054

Logged in as su.

  # cinnamon-settings-users

Clicked on the user's icon and selected an alternative and exited.

  $ file .face
  .face: JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=0], baseline, precision 8, 96x96, frames 3

Ran cinnamon-settings-users as root again and successfully changed the .face icon.

Updated the cinnamon packages and tried to change the user's icon again.

  # cinnamon-settings-users
    File "/usr/share/cinnamon/cinnamon-settings-users/cinnamon-settings-users.py", line 709, in _on_face_menuitem_activated
      shutil.copy(path, os.path.join(user.get_home_dir(), ".face"))
    File "/usr/lib64/python2.7/shutil.py", line 133, in copy
      copyfile(src, dst)
    File "/usr/lib64/python2.7/shutil.py", line 97, in copyfile
      with open(dst, 'wb') as fdst:
  IOError: [Errno 13] Permission denied: '/home/lcl/.face'

So the patch works.
CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK
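Added example, not code from the bug, the advisory or the Cinnamon project: it demonstrates the write primitive the advisory describes (a root process calling shutil.copy into $HOME/.face, which follows a user-planted symlink) next to a hardened writer of the kind a maintainer would want in its place. The traceback in the QA report above shows the copy going through open(dst, 'wb'); this script reproduces the symlink follow as an ordinary user in a temporary directory, so root is not needed. Everything in it (the function names, the "protected-file" stand-in for an arbitrary root-owned target, the ownership checks) is assumed for illustration and is not a description of the Mageia or upstream patch.

```python
import errno
import os
import shutil
import stat
import tempfile

FACE = ".face"


def vulnerable_set_face(icon_path, home_dir):
    """The pattern named in the advisory: shutil.copy into $HOME/.face.

    shutil.copy opens the destination with open(dst, "wb"), which follows a
    symlink sitting at .face, so a link planted by the account owner redirects
    a root caller's write to wherever the link points.
    """
    shutil.copy(icon_path, os.path.join(home_dir, FACE))


def hardened_set_face(icon_path, home_dir, owner_uid):
    """Write $HOME/.face without following links, and only when the home
    directory and any existing .face belong to owner_uid (assumed to be the
    uid of the account being edited; hypothetical parameter)."""
    dest = os.path.join(home_dir, FACE)
    if os.lstat(home_dir).st_uid != owner_uid:
        raise PermissionError("home directory %s not owned by uid %d" % (home_dir, owner_uid))
    with open(icon_path, "rb") as src:
        data = src.read()
    # O_NOFOLLOW makes open() fail with ELOOP if .face is a symlink. O_CREAT
    # without O_TRUNC, so nothing is destroyed before the fstat checks below.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW | os.O_CLOEXEC, 0o644)
    try:
        st = os.fstat(fd)
        # Checking the opened descriptor (not the path) closes the TOCTOU gap,
        # and the uid check also rejects a hard link to someone else's file,
        # which O_NOFOLLOW alone does not catch.
        if not stat.S_ISREG(st.st_mode) or st.st_uid != owner_uid:
            raise PermissionError("%s is not a regular file owned by uid %d" % (dest, owner_uid))
        os.ftruncate(fd, 0)
        view = memoryview(data)
        while view:
            written = os.write(fd, view)
            view = view[written:]
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: a home directory whose .face is a symlink to a
    file the copy must not touch. Runs as the current user."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "home")
        os.mkdir(home)
        icon = os.path.join(tmp, "icon.png")
        with open(icon, "wb") as f:
            f.write(b"ICON-BYTES")
        # Stand-in for an arbitrary file a root caller would overwrite.
        target = os.path.join(tmp, "protected-file")
        with open(target, "wb") as f:
            f.write(b"ORIGINAL")
        os.symlink(target, os.path.join(home, FACE))

        vulnerable_set_face(icon, home)
        with open(target, "rb") as f:
            results["vulnerable_overwrote_target"] = f.read() == b"ICON-BYTES"

        with open(target, "wb") as f:
            f.write(b"ORIGINAL")
        try:
            hardened_set_face(icon, home, os.getuid())
            results["hardened_error"] = None
        except OSError as e:
            results["hardened_error"] = errno.errorcode.get(e.errno, str(e))
        with open(target, "rb") as f:
            results["hardened_overwrote_target"] = f.read() != b"ORIGINAL"

        # With the link gone, the hardened writer creates a normal .face.
        os.unlink(os.path.join(home, FACE))
        hardened_set_face(icon, home, os.getuid())
        with open(os.path.join(home, FACE), "rb") as f:
            results["hardened_wrote_real_face"] = f.read() == b"ICON-BYTES"
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the hardened version is that every decision is made on the descriptor actually being written (fstat after an O_NOFOLLOW open), not on a path that the unprivileged owner of $HOME can swap underneath a privileged process. An alternative design is to perform the copy with the target user's own uid, which is what the EACCES in the QA report suggests the shipped fix does; that also stops the symlink attack, since the user cannot write to files they do not own.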
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0063.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED