| Summary: | <gnome-extra/cinnamon-3.8.8: Symlink attack Vulnerability | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Florian Schuhmacher <mynt1aa> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | ajak, cinnamon+disabled, sparky |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://github.com/linuxmint/Cinnamon/pull/7683 | ||
| Whiteboard: | B3 [noglsa cve] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 661040, 704532 | ||
| Bug Blocks: | |||
|
Description
Florian Schuhmacher
2018-07-03 05:14:17 UTC
Looks like the fix was in-tree by upstream version 4.2.0: https://github.com/linuxmint/cinnamon/commit/85b56bb4970ad9b3ab9754f41b08f35e15909b04 We're at 4.4.8, so I guess we're good here? Tree is clean, if so: commit 397183c7b99af3ee77204fa58d22a70d7b7e8ff6 Author: Matt Turner <mattst88@gentoo.org> Date: Sun May 31 11:45:11 2020 -0700 gnome-extra/cinnamon: Drop old versions Signed-off-by: Matt Turner <mattst88@gentoo.org> delete mode 100644 gnome-extra/cinnamon/cinnamon-4.0.3-r2.ebuild delete mode 100644 gnome-extra/cinnamon/files/cinnamon-4.0-fix-pillow-settings.patch Yeah, Bug 704532 bumped cinnamon to 4.4 and the vulnerable versions were removed by Bug 720190. Though it looks like the 4.2.0 change simply fixed the ability to edit the .face file which was broken by the original security fix. Actually, the merged commit at URL is in 3.8.7 and the first version in tree appears to be 3.8.8. Earlier versions have been cleaned up for a long time. GLSA vote: no. Closing. |
