An issue was discovered in Cinnamon 1.9.2 through 3.8.6. The cinnamon-settings-users.py GUI runs as root and allows configuration of (for example) other users' icon files in _on_face_browse_menuitem_activated and _on_face_menuitem_activated. These icon files are written to the respective user's $HOME/.face location. If an unprivileged user prepares a symlink pointing to an arbitrary location, then this location will be overwritten with the icon content.
Gentoo Security Scout
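The symlink-following write described in the advisory, next to a hardened variant, as an added example that is not part of the original report and is neither Cinnamon's code nor the upstream fix. The function names, the temporary file name and the sample paths are assumptions, and the scenario is constructed in a throwaway directory.

```python
import os
import tempfile

def naive_write_face(home, data):
    # Pattern described in the advisory: open() follows a symlink at ~/.face.
    with open(os.path.join(home, ".face"), "wb") as f:
        f.write(data)

def safe_write_face(home, data, owner=None):
    # Pin the directory with an fd so later calls cannot be redirected.
    dir_fd = os.open(home, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    tmp = ".face.tmp.%d" % os.getpid()  # hypothetical temporary name
    try:
        # O_EXCL | O_NOFOLLOW: create a fresh file, never open an existing link.
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW,
                     0o644, dir_fd=dir_fd)
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            if owner is not None:  # (uid, gid) of the account, when run as root
                os.fchown(f.fileno(), *owner)
        # rename() replaces the .face entry itself, whatever it pointed to.
        os.rename(tmp, ".face", src_dir_fd=dir_fd, dst_dir_fd=dir_fd)
    finally:
        os.close(dir_fd)

def demo(writer):
    # Constructed scenario: ~/.face is a symlink to a file outside the home dir.
    with tempfile.TemporaryDirectory() as root:
        home = os.path.join(root, "home")
        os.mkdir(home)
        target = os.path.join(root, "protected.conf")
        with open(target, "wb") as f:
            f.write(b"original")
        face = os.path.join(home, ".face")
        os.symlink(target, face)
        writer(home, b"ICON")
        with open(target, "rb") as f:
            target_after = f.read()
        with open(face, "rb") as f:
            face_after = f.read()
        return target_after, os.path.islink(face), face_after

if __name__ == "__main__":
    print("naive:", demo(naive_write_face))
    print("safe: ", demo(safe_write_face))
```

`O_NOFOLLOW` only guards the final path component, so a root-owned tool that writes into a user's home directory is on firmer ground when it also performs the write with that user's privileges.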
Looks like the fix was in-tree by upstream version 4.2.0: https://github.com/linuxmint/cinnamon/commit/85b56bb4970ad9b3ab9754f41b08f35e15909b04
We're at 4.4.8, so I guess we're good here? Tree is clean, if so:
Author: Matt Turner <email@example.com>
Date: Sun May 31 11:45:11 2020 -0700
gnome-extra/cinnamon: Drop old versions
Signed-off-by: Matt Turner <firstname.lastname@example.org>
delete mode 100644 gnome-extra/cinnamon/cinnamon-4.0.3-r2.ebuild
delete mode 100644 gnome-extra/cinnamon/files/cinnamon-4.0-fix-pillow-settings.patch
Yeah, Bug 704532 bumped cinnamon to 4.4 and the vulnerable versions were removed by Bug 720190.
Though it looks like the 4.2.0 change simply fixed the ability to edit the .face file which was broken by the original security fix.