Bug 659912 (CVE-2018-13054) - <gnome-extra/cinnamon-3.8.8: Symlink attack Vulnerability
Summary: <gnome-extra/cinnamon-3.8.8: Symlink attack Vulnerability
Status: RESOLVED FIXED
Alias: CVE-2018-13054
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/linuxmint/Cinnamon...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: 661040 704532
Blocks:
Reported: 2018-07-03 05:14 UTC by Florian Schuhmacher
Modified: 2021-07-06 00:08 UTC
Description Florian Schuhmacher 2018-07-03 05:14:17 UTC
An issue was discovered in Cinnamon 1.9.2 through 3.8.6. The cinnamon-settings-users.py GUI runs as root and allows configuration of (for example) other users' icon files in _on_face_browse_menuitem_activated and _on_face_menuitem_activated. These icon files are written to the respective user's $HOME/.face location. If an unprivileged user prepares a symlink pointing to an arbitrary location, then this location will be overwritten with the icon content.

Gentoo Security Scout
Florian Schuhmacher
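
Added example (not part of the original report and not Cinnamon's code or its upstream fix): the write pattern the description refers to, next to one hardened alternative that never writes through a link at .face. The function names are hypothetical, and the scenario runs in a constructed scratch directory.

```python
import os
import secrets
import tempfile

def write_face_naive(home_dir, data):
    # Pattern from the report: open() follows a symlink planted at
    # $HOME/.face and truncates whatever file it points to.
    with open(os.path.join(home_dir, ".face"), "wb") as f:
        f.write(data)

def write_face_hardened(home_dir, data):
    # Pin the directory by fd; O_NOFOLLOW rejects a symlinked final component.
    dir_fd = os.open(home_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    tmp = ".face.%s.tmp" % secrets.token_hex(8)
    try:
        # O_CREAT|O_EXCL never follows a symlink and never reuses an
        # existing file, so the data always lands in a fresh inode.
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644,
                     dir_fd=dir_fd)
        try:
            with os.fdopen(fd, "wb") as f:
                f.write(data)
            # rename() swaps the directory entry itself: a symlink or hard
            # link sitting at .face is replaced, not written through.
            os.rename(tmp, ".face", src_dir_fd=dir_fd, dst_dir_fd=dir_fd)
        except BaseException:
            os.unlink(tmp, dir_fd=dir_fd)
            raise
    finally:
        os.close(dir_fd)

def demo():
    # Constructed scenario in a scratch directory; no real $HOME is touched.
    results = []
    for writer in (write_face_naive, write_face_hardened):
        with tempfile.TemporaryDirectory() as root:
            home = os.path.join(root, "home")
            os.mkdir(home)
            target = os.path.join(root, "target")
            with open(target, "wb") as f:
                f.write(b"original")
            os.symlink(target, os.path.join(home, ".face"))
            writer(home, b"ICON")
            with open(target, "rb") as f:
                results.append(f.read())
            results.append(os.path.islink(os.path.join(home, ".face")))
    return results

if __name__ == "__main__":
    print(demo())
```

A process running as root would also have to hand ownership of the new file to the target user, which this sketch leaves out.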
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-07-24 18:16:08 UTC
Looks like the fix was in-tree by upstream version 4.2.0: https://github.com/linuxmint/cinnamon/commit/85b56bb4970ad9b3ab9754f41b08f35e15909b04

We're at 4.4.8, so I guess we're good here? Tree is clean, if so:


commit 397183c7b99af3ee77204fa58d22a70d7b7e8ff6
Author: Matt Turner <mattst88@gentoo.org>
Date:   Sun May 31 11:45:11 2020 -0700

    gnome-extra/cinnamon: Drop old versions

    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 delete mode 100644 gnome-extra/cinnamon/cinnamon-4.0.3-r2.ebuild
 delete mode 100644 gnome-extra/cinnamon/files/cinnamon-4.0-fix-pillow-settings.patch
Comment 2 Matthew Turnbull 2020-07-29 13:06:12 UTC
Yeah, Bug 704532 bumped cinnamon to 4.4 and the vulnerable versions were removed by Bug 720190.

Though it looks like the 4.2.0 change simply fixed the ability to edit the .face file which was broken by the original security fix.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-12 13:05:14 UTC
Actually, the merged commit at URL is in 3.8.7 and the first version in tree appears to be 3.8.8. Earlier versions have been cleaned up for a long time.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-06 00:08:01 UTC
GLSA vote: no. Closing.