An issue was discovered in Cinnamon 1.9.2 through 3.8.6. The cinnamon-settings-users.py GUI runs as root and allows configuration of (for example) other users' icon files in _on_face_browse_menuitem_activated and _on_face_menuitem_activated. These icon files are written to the respective user's $HOME/.face location. If an unprivileged user prepares a symlink pointing to an arbitrary location, then this location will be overwritten with the icon content. Gentoo Security Scout Florian Schuhmacher
Looks like the fix was in-tree by upstream version 4.2.0: https://github.com/linuxmint/cinnamon/commit/85b56bb4970ad9b3ab9754f41b08f35e15909b04 We're at 4.4.8, so I guess we're good here? Tree is clean, if so: commit 397183c7b99af3ee77204fa58d22a70d7b7e8ff6 Author: Matt Turner <mattst88@gentoo.org> Date: Sun May 31 11:45:11 2020 -0700 gnome-extra/cinnamon: Drop old versions Signed-off-by: Matt Turner <mattst88@gentoo.org> delete mode 100644 gnome-extra/cinnamon/cinnamon-4.0.3-r2.ebuild delete mode 100644 gnome-extra/cinnamon/files/cinnamon-4.0-fix-pillow-settings.patch
Yeah, Bug 704532 bumped cinnamon to 4.4 and the vulnerable versions were removed by Bug 720190. Though it looks like the 4.2.0 change simply fixed the ability to edit the .face file which was broken by the original security fix.
Actually, the merged commit at URL is in 3.8.7 and the first version in tree appears to be 3.8.8. Earlier versions have been cleaned up for a long time.
GLSA vote: no. Closing.