Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 659912 (CVE-2018-13054)

Summary: gnome-extra/cinnamon: Symlink attack Vulnerability
Product: Gentoo Security Reporter: Florian Schuhmacher <mynt1aa>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal CC: ajak, cinnamon+disabled, sparky
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [ebuild cve]
Package list:
Runtime testing required: ---
Bug Depends on: 661040, 704532    
Bug Blocks:    

Description Florian Schuhmacher 2018-07-03 05:14:17 UTC
An issue was discovered in Cinnamon 1.9.2 through 3.8.6. The GUI runs as root and allows configuration of (for example) other users' icon files in _on_face_browse_menuitem_activated and _on_face_menuitem_activated. These icon files are written to the respective user's $HOME/.face location. If an unprivileged user prepares a symlink pointing to an arbitrary location, then this location will be overwritten with the icon content.

Gentoo Security Scout
Florian Schuhmacher
Comment 1 John Helmert III gentoo-dev Security 2020-07-24 18:16:08 UTC
Looks like the fix was in-tree by upstream version 4.2.0:

We're at 4.4.8, so I guess we're good here? Tree is clean, if so:

commit 397183c7b99af3ee77204fa58d22a70d7b7e8ff6
Author: Matt Turner <>
Date:   Sun May 31 11:45:11 2020 -0700

    gnome-extra/cinnamon: Drop old versions

    Signed-off-by: Matt Turner <>

 delete mode 100644 gnome-extra/cinnamon/cinnamon-4.0.3-r2.ebuild
 delete mode 100644 gnome-extra/cinnamon/files/cinnamon-4.0-fix-pillow-settings.patch
Comment 2 Matthew Turnbull 2020-07-29 13:06:12 UTC
Yeah, Bug 704532 bumped cinnamon to 4.4 and the vulnerable versions were removed by Bug 720190.

Though it looks like the 4.2.0 change simply fixed the ability to edit the .face file which was broken by the original security fix.