A security issue in cinnamon has been announced on July 2:
The original message in the thread links to a pull request with a fix:
Mageia 5 and Mageia 6 are also affected.
Assigning to the registered maintainer.
Fedora has issued an advisory for this on July 8:
openSUSE has issued advisories for this on July 28:
Cauldron has since been updated to 4.0.9 and this issue was fixed in 3.8.7.
Patched package uploaded for Mageia 6.
Updated cinnamon packages fix security vulnerability:
A flaw was found in Cinnamon 1.9.2 through 3.8.6. The
cinnamon-settings-users.py GUI runs as root and allows configuration of (for
example) other users' icon files in _on_face_browse_menuitem_activated and
_on_face_menuitem_activated. These icon files are written to the respective
user's $HOME/.face location. If an unprivileged user prepares a symlink
pointing to an arbitrary location, then this location will be overwritten with
the icon content (CVE-2018-13054).
Updated packages in core/updates_testing:
Ran this update from Mate with Cinnamon desktop installed.
$ ls .face
Nothing there for Cinnamon.
Logged in as su.
Clicked on the user's icon and selected an alternative and exited.
$ file .face
.face: JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=0], baseline, precision 8, 96x96, frames 3
Ran cinnamon-settings-users as root again and successfully changed the .face icon.
Updated the cinnamon packages and tried to change the user's icon again.
  File "/usr/share/cinnamon/cinnamon-settings-users/cinnamon-settings-users.py", line 709, in _on_face_menuitem_activated
    shutil.copy(path, os.path.join(user.get_home_dir(), ".face"))
  File "/usr/lib64/python2.7/shutil.py", line 133, in copy
  File "/usr/lib64/python2.7/shutil.py", line 97, in copyfile
    with open(dst, 'wb') as fdst:
IOError: [Errno 13] Permission denied: '/home/lcl/.face'
So the patch works.
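For reference, the pattern the advisory describes (a root-privileged GUI doing a plain shutil.copy into $HOME/.face, visible in the traceback above) and one way to harden it. This is an added illustration, not Cinnamon's code and not the upstream patch: the writer names, the temporary "home_victim" directory and the "protected_file" that stands in for the attacker's chosen symlink target are all constructed here. The hardened writer opens the destination with O_NOFOLLOW so a symlink at .face makes open() fail instead of being followed, and additionally refuses to write into a home directory not owned by the user being configured (an extra guard assumed here, not something the advisory specifies).

```python
# Added example (not Cinnamon's code, not the upstream fix): a root-style
# "write the user's .face" routine in its symlink-following form, beside a
# version that refuses to follow a symlink at the destination. Everything runs
# in a temporary directory as the current user; "protected_file" stands in
# for whatever an attacker would point the symlink at.
import os
import shutil
import stat
import tempfile

# Constructed sample data, not a real icon.
ICON_BYTES = b"\xff\xd8\xff\xe0 constructed stand-in for a JPEG icon"
ORIGINAL = b"original contents\n"


def vulnerable_write_face(home, icon_path):
    """Same pattern as the advisory: unconditional copy into $HOME/.face.
    open(dst, 'wb') inside shutil.copy follows a symlink, so if .face is a
    symlink the link target is truncated and overwritten with icon content."""
    shutil.copy(icon_path, os.path.join(home, ".face"))


def hardened_write_face(home, icon_path, owner_uid):
    """Write $HOME/.face without following a symlink at the destination.

    O_NOFOLLOW makes open() fail (ELOOP) when the final path component is a
    symlink, so there is no check-then-write race. The owner check is an
    assumed extra guard: a tool running as root should only write into a
    home directory that belongs to the user being configured.
    """
    dst = os.path.join(home, ".face")
    st = os.lstat(home)
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != owner_uid:
        raise PermissionError(f"refusing: {home} is not a directory owned by uid {owner_uid}")
    try:
        fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW, 0o644)
    except OSError as exc:  # ELOOP for a symlink, or any other open failure
        raise PermissionError(f"refusing to write {dst}: {exc}") from exc
    with os.fdopen(fd, "wb") as fdst, open(icon_path, "rb") as fsrc:
        shutil.copyfileobj(fsrc, fdst)


def demo():
    """Build the attack layout, run both writers, report what each did."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "home_victim")
        os.mkdir(home)
        target = os.path.join(tmp, "protected_file")
        icon = os.path.join(tmp, "icon.jpg")
        with open(target, "wb") as f:
            f.write(ORIGINAL)
        with open(icon, "wb") as f:
            f.write(ICON_BYTES)
        face = os.path.join(home, ".face")
        os.symlink(target, face)  # the unprivileged user's prepared symlink

        vulnerable_write_face(home, icon)
        with open(target, "rb") as f:
            vuln_result = f.read()

        with open(target, "wb") as f:  # restore the target for the second run
            f.write(ORIGINAL)
        refused = False
        try:
            hardened_write_face(home, icon, os.getuid())
        except PermissionError:
            refused = True
        with open(target, "rb") as f:
            hard_result = f.read()

        os.unlink(face)  # with the symlink gone the hardened path must still work
        hardened_write_face(home, icon, os.getuid())
        with open(face, "rb") as f:
            written = f.read()

        return {
            "vulnerable_overwrote_target": vuln_result == ICON_BYTES,
            "hardened_refused": refused,
            "hardened_target_intact": hard_result == ORIGINAL,
            "hardened_writes_regular_file": (not os.path.islink(face)) and written == ICON_BYTES,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it as an ordinary user is enough to see the difference: the vulnerable writer replaces protected_file with the icon bytes, the hardened one raises and leaves it untouched, and once the symlink is removed the hardened writer still creates a normal .face.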
An update for this issue has been pushed to the Mageia Updates repository.