GNOME AccountsService does not properly validate the file paths of user icon files in the user.c:user_change_icon_file_authorized_cb() function. An attacker could exploit this by providing a crafted path via a D-Bus message and replacing it with a symlink. Third-party applications that trust this path can potentially read from its location as root and try to interpret it as an image file.

Upstream Bug: https://bugs.freedesktop.org/show_bug.cgi?id=107085

Gentoo Security Scout
Florian Schuhmacher
Created attachment 538680 [details]
bumped ebuild: accountsservice-0.6.49

Note that the current accountsservice in the tree lags behind upstream. For this reason the proposed patch doesn't apply cleanly. The ebuild can be bumped with only a simple modification: the elogind patch is no longer needed.
Created attachment 538682 [details, diff]
upstream's patch addressing the security issue

Applies cleanly on the bumped version only.
CVE-2018-14036 (https://nvd.nist.gov/vuln/detail/CVE-2018-14036): Directory Traversal with ../ sequences occurs in AccountsService before 0.6.50 because of an insufficient path check in user_change_icon_file_authorized_cb() in user.c.
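The report and the CVE text above both come down to an insufficient check on a user-supplied icon path (".." traversal plus symlink swapping). The following is an added example in C of the kind of check a service handling such a path would want, not AccountsService's own code; the icon directory, function names and the assumption that the directory itself is root-owned and not user-writable are all hypothetical.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdbool.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

/* Hypothetical icon directory (assumption, not AccountsService's real layout).
 * Trailing '/' matters: it prevents "/var/lib/.../iconsEVIL" from matching. */
#define ICON_DIR "/var/lib/AccountsService/icons/"

/* Lexical check: absolute, starts with ICON_DIR, at least one component after
 * it, and no empty, "." or ".." components anywhere. Returns true if acceptable. */
bool icon_path_is_safe(const char *path)
{
    size_t prefix_len = strlen(ICON_DIR);
    if (path == NULL || path[0] != '/')
        return false;
    if (strncmp(path, ICON_DIR, prefix_len) != 0 || path[prefix_len] == '\0')
        return false;
    const char *p = path + 1;               /* skip the leading '/' */
    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0)                                   /* "//" or trailing '/' */
            return false;
        if (len == 1 && p[0] == '.')                    /* "/./" */
            return false;
        if (len == 2 && p[0] == '.' && p[1] == '.')     /* "/../" traversal */
            return false;
        if (end == NULL)
            break;
        p = end + 1;
    }
    return true;
}

/* Open a validated path without following a final-component symlink, so a
 * link swapped in between check and open cannot redirect the read. Note that
 * O_NOFOLLOW does not cover symlinks in intermediate directories; that is why
 * ICON_DIR itself must not be writable by the requesting user. Returns an fd
 * or -1 (also -1 when the lexical check fails). */
int open_icon_nofollow(const char *path)
{
    if (!icon_path_is_safe(path))
        return -1;
    return open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
}
```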
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=131c0448ac92a8571ccfff21de931777f9a1405c

commit 131c0448ac92a8571ccfff21de931777f9a1405c
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2018-08-17 00:01:10 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2018-08-17 00:12:21 +0000

    sys-apps/accountsservice: security bump to 0.6.50

    Bug: https://bugs.gentoo.org/659916
    Package-Manager: Portage-2.3.46, Repoman-2.3.10

 sys-apps/accountsservice/Manifest                 |  1 +
 .../accountsservice/accountsservice-0.6.50.ebuild | 58 ++++++++++++++++++++++
 2 files changed, 59 insertions(+)
ppc stable
amd64 stable
ppc64 stable
arm stable
x86 stable
tree is clean