cinnamon: CVE-2018-13054: privilege escalation in cinnamon-settings-users.py GUI


Debian Bug report logs - #903201


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 7 Jul 2018 15:00:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version cinnamon/3.2.7-4

Fixed in version cinnamon/3.8.8-1

Forwarded to https://github.com/linuxmint/Cinnamon/pull/7683



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Cinnamon Team <debian-cinnamon@lists.debian.org>:
Bug#903201; Package src:cinnamon. (Sat, 07 Jul 2018 15:00:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Cinnamon Team <debian-cinnamon@lists.debian.org>. (Sat, 07 Jul 2018 15:00:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cinnamon: CVE-2018-13054: privilege escalation in cinnamon-settings-users.py GUI
Date: Sat, 07 Jul 2018 16:56:06 +0200
Source: cinnamon
Version: 3.2.7-4
Severity: grave
Tags: patch security upstream
Forwarded: https://github.com/linuxmint/Cinnamon/pull/7683

Hi,

The following vulnerability was published for cinnamon.

CVE-2018-13054[0]:
| An issue was discovered in Cinnamon 1.9.2 through 3.8.6. The
| cinnamon-settings-users.py GUI runs as root and allows configuration of
| (for example) other users' icon files in
| _on_face_browse_menuitem_activated and _on_face_menuitem_activated.
| These icon files are written to the respective user's $HOME/.face
| location. If an unprivileged user prepares a symlink pointing to an
| arbitrary location, then this location will be overwritten with the
| icon content.

It requires admin intervention though, but still filing it as RC
severity.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-13054
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13054
[1] https://github.com/linuxmint/Cinnamon/pull/7683
[2] https://bugzilla.suse.com/show_bug.cgi?id=1083067

Regards,
Salvatore



Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 12 Jul 2018 17:15:13 GMT)


Marked as fixed in versions cinnamon/3.8.8-1. Request was from Fabio Fantoni <fantonifabio@tiscali.it> to control@bugs.debian.org. (Mon, 13 Aug 2018 11:33:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cinnamon Team <debian-cinnamon@lists.debian.org>:
Bug#903201; Package src:cinnamon. (Tue, 15 Jan 2019 01:48:03 GMT)


Acknowledgement sent to Andres Salomon <dilinger@queued.net>:
Extra info received and forwarded to list. Copy sent to Debian Cinnamon Team <debian-cinnamon@lists.debian.org>. (Tue, 15 Jan 2019 01:48:04 GMT)


Message #14 received at 903201@bugs.debian.org:

From: Andres Salomon <dilinger@queued.net>
To: 903201@bugs.debian.org
Subject: Re: cinnamon: CVE-2018-13054: privilege escalation in cinnamon-settings-users.py GUI
Date: Mon, 14 Jan 2019 17:39:48 -0800
Hi,

Is there a reason why this hasn't been fixed in stretch yet?  The 
upstream commit is here:

https://github.com/linuxmint/Cinnamon/commit/66e54f43f179fdf041a3e5232178a9910963cfb5

https://github.com/linuxmint/Cinnamon/commit/66e54f43f179fdf041a3e5232178a9910963cfb5.patch

It applies to the version in stretch, and I've tested it.  Here's the 
before:
dilinger@e7470:~$ ls -l .face
-rw-r--r-- 1 root root 9379 Jan 14 17:14 .face

After:
dilinger@e7470:~$ ls -lh .face
-rw-r--r-- 1 dilinger dilinger 2.6K Jan 14 17:19 .face

There is, however, a problem where the root-owned .face cannot be
overwritten once the new code drops privileges:

Traceback (most recent call last):
  File "/usr/share/cinnamon/cinnamon-settings-users/cinnamon-settings-users.py", line 709, in _on_face_menuitem_activated
    shutil.copy(path, os.path.join(user.get_home_dir(), ".face"))
  File "/usr/lib/python2.7/shutil.py", line 119, in copy
    copyfile(src, dst)
  File "/usr/lib/python2.7/shutil.py", line 83, in copyfile
    with open(dst, 'wb') as fdst:
IOError: [Errno 13] Permission denied: '/home/dilinger/.face'

It's not a critical bug (cinnamon-settings-users continues running), it
just can't update the file.  That needs to be fixed upstream if it's not
already, by changing ownership or deleting the old file before dropping
privileges.  I've attached a patch that deletes the old file.

Thanks,
Andres
[csu.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cinnamon Team <debian-cinnamon@lists.debian.org>:
Bug#903201; Package src:cinnamon. (Tue, 15 Jan 2019 02:51:02 GMT)


Acknowledgement sent to Andres Salomon <dilinger@queued.net>:
Extra info received and forwarded to list. Copy sent to Debian Cinnamon Team <debian-cinnamon@lists.debian.org>. (Tue, 15 Jan 2019 02:51:02 GMT)


Message #19 received at 903201@bugs.debian.org:

From: Andres Salomon <dilinger@queued.net>
To: 903201@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: cinnamon: CVE-2018-13054: privilege escalation in cinnamon-settings-users.py GUI
Date: Mon, 14 Jan 2019 18:47:35 -0800
On Mon, Jan 14, 2019 at 5:39 PM, Andres Salomon <dilinger@queued.net>
wrote:
>
> It's not a critical bug (cinnamon-settings-users continues running),
> it just can't update the file.  That needs to be fixed upstream if
> it's not already, by changing ownership or deleting the old file
> before dropping privileges.  I've attached a patch that deletes the
> old file.

I realized that os.remove throws an exception if the file isn't there,
which isn't what we want. Here's an updated patch.  It works with .face
owned by root, owned by the proper user, or when it doesn't exist at all.
[csu2.patch (text/x-patch, attachment)]
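The two failure modes discussed in this log, a root-running helper following a user-planted symlink at $HOME/.face (the CVE text above) and a stale root-owned .face that the privilege-dropped code can no longer overwrite (the two mails above), can be demonstrated and hardened together. The following is an added example written for this page; it is not Cinnamon's code and not the attached csu.patch/csu2.patch. It runs as an ordinary user inside a temporary directory, so no real privileges are involved; the file names (victim.txt, icon.png) and the icon bytes are constructed. The `uid`/`gid` handoff via `fchown` only has effect when the caller really is root and is skipped in the demo.

```python
"""Added example (not Cinnamon's code, not the patch attached to this bug):
writing $HOME/.face without following a user-controlled symlink, and
tolerating a stale root-owned or missing .face. Python 3, Linux/BSD."""
import errno
import os
import shutil
import tempfile


def naive_copy(src, home):
    """The pattern the CVE describes: shutil.copy opens the destination
    with 'wb', so a symlink at $HOME/.face redirects the write."""
    shutil.copy(src, os.path.join(home, ".face"))


def write_face(src, home, uid=None, gid=None):
    """Hardened write of $HOME/.face. Returns the number of bytes written.
    1. os.unlink removes a symlink itself (never its target) and a
       missing file is tolerated, which covers the root-owned and the
       absent .face cases raised in the follow-up mails.
    2. O_EXCL|O_NOFOLLOW makes open() fail (EEXIST/ELOOP) if anything,
       including a symlink planted after step 1, appears at the path.
    3. uid/gid (only meaningful when running as root) hand the new file
       to the user so a later unprivileged run can replace it."""
    dst = os.path.join(home, ".face")
    try:
        os.unlink(dst)
    except FileNotFoundError:
        pass
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(dst, flags, 0o644)
    try:
        if uid is not None and gid is not None:
            os.fchown(fd, uid, gid)
        with open(src, "rb") as f:
            data = f.read()
        view = memoryview(data)
        while view:  # os.write may be partial; loop until done
            view = view[os.write(fd, view):]
    finally:
        os.close(fd)
    return len(data)


def nofollow_rejects_symlink(path):
    """True if opening an existing symlink with O_NOFOLLOW fails with
    ELOOP, i.e. the kernel refuses to follow it for us."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_NOFOLLOW)
    except OSError as e:
        return e.errno == errno.ELOOP
    os.close(fd)
    return False


def demo():
    """Constructed scenario: $HOME/.face is a symlink to a file outside
    the home directory. Compares the naive and hardened writers."""
    base = tempfile.mkdtemp()
    try:
        home = os.path.join(base, "home")
        os.mkdir(home)
        victim = os.path.join(base, "victim.txt")   # constructed target
        icon = os.path.join(base, "icon.png")       # constructed icon
        face = os.path.join(home, ".face")
        with open(victim, "w") as f:
            f.write("original")
        with open(icon, "wb") as f:
            f.write(b"\x89PNG constructed icon bytes")

        os.symlink(victim, face)
        naive_copy(icon, home)
        with open(victim, "rb") as f:
            naive_clobbered = f.read() != b"original"

        # Reset: restore the victim and re-plant the symlink.
        os.unlink(face)
        with open(victim, "w") as f:
            f.write("original")
        os.symlink(victim, face)
        blocked = nofollow_rejects_symlink(face)

        written = write_face(icon, home)
        with open(victim, "rb") as f:
            hardened_intact = f.read() == b"original"
        # Second run: .face now exists as a regular file; must still work.
        written_again = write_face(icon, home)
        return {
            "naive_clobbered": naive_clobbered,
            "nofollow_blocks_symlink": blocked,
            "hardened_intact": hardened_intact,
            "face_is_symlink": os.path.islink(face),
            "bytes_written": written,
            "rewrite_ok": written_again == written,
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

The unlink-then-create order mirrors the approach the second mail describes (delete the old file rather than chown it); the O_EXCL|O_NOFOLLOW flags close the window between the two steps that a plain `open(dst, 'wb')` leaves open.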

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cinnamon Team <debian-cinnamon@lists.debian.org>:
Bug#903201; Package src:cinnamon. (Sun, 27 Jan 2019 13:09:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Cinnamon Team <debian-cinnamon@lists.debian.org>. (Sun, 27 Jan 2019 13:09:05 GMT)


Message #24 received at 903201@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 903201@bugs.debian.org
Subject: Re: Bug#903201: cinnamon: CVE-2018-13054: privilege escalation in cinnamon-settings-users.py GUI
Date: Sun, 27 Jan 2019 14:06:39 +0100
Hi Cinnamon Team,

Can you address this issue via an upcoming point release?

Regards,
Salvatore





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:42:28 2019; Machine Name: beach
