Debian Bug report logs - #903201
cinnamon: CVE-2018-13054: privilege escalation in cinnamon-settings-users.py GUI
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Cinnamon Team <debian-cinnamon@lists.debian.org>: Bug#903201; Package src:cinnamon. (Sat, 07 Jul 2018 15:00:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Cinnamon Team <debian-cinnamon@lists.debian.org>. (Sat, 07 Jul 2018 15:00:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: cinnamon
Version: 3.2.7-4
Severity: grave
Tags: patch security upstream
Forwarded: https://github.com/linuxmint/Cinnamon/pull/7683
Hi,
The following vulnerability was published for cinnamon.
CVE-2018-13054[0]:
| An issue was discovered in Cinnamon 1.9.2 through 3.8.6. The
| cinnamon-settings-users.py GUI runs as root and allows configuration of
| (for example) other users' icon files in
| _on_face_browse_menuitem_activated and _on_face_menuitem_activated.
| These icon files are written to the respective user's $HOME/.face
| location. If an unprivileged user prepares a symlink pointing to an
| arbitrary location, then this location will be overwritten with the
| icon content.
It requires admin intervention though, but still filing it as RC severity.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-13054
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13054
[1] https://github.com/linuxmint/Cinnamon/pull/7683
[2] https://bugzilla.suse.com/show_bug.cgi?id=1083067
Regards,
Salvatore
Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 12 Jul 2018 17:15:13 GMT)
Marked as fixed in versions cinnamon/3.8.8-1. Request was from Fabio Fantoni <fantonifabio@tiscali.it> to control@bugs.debian.org. (Mon, 13 Aug 2018 11:33:02 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cinnamon Team <debian-cinnamon@lists.debian.org>: Bug#903201; Package src:cinnamon. (Tue, 15 Jan 2019 01:48:03 GMT)
Acknowledgement sent to Andres Salomon <dilinger@queued.net>: Extra info received and forwarded to list. Copy sent to Debian Cinnamon Team <debian-cinnamon@lists.debian.org>. (Tue, 15 Jan 2019 01:48:04 GMT)
Message #14 received at 903201@bugs.debian.org:
Hi,
Is there a reason why this hasn't been fixed in stretch yet? The upstream commit is here:
https://github.com/linuxmint/Cinnamon/commit/66e54f43f179fdf041a3e5232178a9910963cfb5
https://github.com/linuxmint/Cinnamon/commit/66e54f43f179fdf041a3e5232178a9910963cfb5.patch
It applies to the version in stretch, and I've tested it. Here's the before:
dilinger@e7470:~$ ls -l .face
-rw-r--r-- 1 root root 9379 Jan 14 17:14 .face
After:
dilinger@e7470:~$ ls -lh .face
-rw-r--r-- 1 dilinger dilinger 2.6K Jan 14 17:19 .face
There is, however, a problem where the root-owned .face cannot be overwritten once the new code drops privileges:
Traceback (most recent call last):
  File "/usr/share/cinnamon/cinnamon-settings-users/cinnamon-settings-users.py", line 709, in _on_face_menuitem_activated
    shutil.copy(path, os.path.join(user.get_home_dir(), ".face"))
  File "/usr/lib/python2.7/shutil.py", line 119, in copy
    copyfile(src, dst)
  File "/usr/lib/python2.7/shutil.py", line 83, in copyfile
    with open(dst, 'wb') as fdst:
IOError: [Errno 13] Permission denied: '/home/dilinger/.face'
It's not a critical bug (cinnamon-settings-users continues running), it just can't update the file. That needs to be fixed upstream if it's not already, by changing ownership or deleting the old file before dropping privileges. I've attached a patch that deletes the old file.
Thanks,
Andres
[csu.patch (text/x-patch, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cinnamon Team <debian-cinnamon@lists.debian.org>: Bug#903201; Package src:cinnamon. (Tue, 15 Jan 2019 02:51:02 GMT)
Acknowledgement sent to Andres Salomon <dilinger@queued.net>: Extra info received and forwarded to list. Copy sent to Debian Cinnamon Team <debian-cinnamon@lists.debian.org>. (Tue, 15 Jan 2019 02:51:02 GMT)
Message #19 received at 903201@bugs.debian.org:
On Mon, Jan 14, 2019 at 5:39 PM, Andres Salomon <dilinger@queued.net> wrote:
>
> It's not a critical bug (cinnamon-settings-users continues running), it just can't update the file. That needs to be fixed upstream if it's not already, by changing ownership or deleting the old file before dropping privileges. I've attached a patch that deletes the old file.
I realized that os.remove throws an exception if the file isn't there, which isn't what we want. Here's an updated patch. It works with .face owned by root, owned by the proper user, or when it doesn't exist at all.
[csu2.patch (text/x-patch, attachment)]
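As an added example (not code from this bug thread, the attached csu.patch/csu2.patch, or Cinnamon itself), the following Python 3 sketch shows the approach Andres describes in messages #14 and #19: delete the stale, possibly root-owned ~/.face while still privileged, tolerating its absence (the os.remove exception from message #19), and only then write the icon as the user. The privilege drop via fork plus setresgid/setresuid, the O_NOFOLLOW|O_EXCL open, and every function name here are my assumptions about a sound design, not upstream's implementation. The regression check plants a symlink in a scratch directory purely to confirm that the write no longer follows it.

```python
"""Safe ~/.face installation: remove the stale file while privileged, then
write as the user without following symlinks.  Python 3, Linux.  Added
example; not Cinnamon's code."""
import os
import stat
import tempfile


def remove_stale_face(home):
    """Delete an existing ~/.face while the caller is still privileged.

    os.unlink() removes a symlink itself, never its target, so a link planted
    in the home directory is discarded rather than followed.  A missing file
    is not an error (plain os.remove() raises here, the problem noted in
    message #19).  Returns True if something was removed, False otherwise.
    """
    try:
        os.unlink(os.path.join(home, ".face"))
        return True
    except FileNotFoundError:
        return False


def drop_to_home_owner(home):
    """Irreversibly become the owner of `home` (call in a child process only).

    Supplementary groups and gid change before the uid, because once the uid
    is unprivileged the gid can no longer be changed.  Needs root.
    """
    st = os.stat(home)
    os.setgroups([])
    os.setresgid(st.st_gid, st.st_gid, st.st_gid)
    os.setresuid(st.st_uid, st.st_uid, st.st_uid)


def install_face(icon_bytes, home, drop_privileges=drop_to_home_owner):
    """Write icon_bytes to ~/.face as the home directory's owner.

    The write runs in a forked child that has dropped privileges, so the
    parent (the root-running GUI) keeps its own.  O_CREAT|O_EXCL|O_NOFOLLOW
    makes the open fail if a file or symlink reappears between the unlink
    and the open, instead of writing through it.  Returns True on success.
    """
    remove_stale_face(home)
    path = os.path.join(home, ".face")
    pid = os.fork()
    if pid == 0:  # child: drop privileges, write, exit without returning
        try:
            drop_privileges(home)
            flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
            fd = os.open(path, flags, 0o644)
            with os.fdopen(fd, "wb") as f:
                f.write(icon_bytes)
        except Exception:
            os._exit(1)
        os._exit(0)
    _, status = os.waitpid(pid, 0)
    return os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0


def _no_drop(home):
    """Stand-in privilege drop for unprivileged test runs (constructed)."""


def regression_check(drop_privileges=_no_drop):
    """Recreate the CVE precondition in a scratch directory and check the fix.

    A ~/.face symlink pointing at a 'victim' file is planted (constructed test
    data); after install_face the victim must be unchanged and ~/.face must
    be a regular file holding the icon.  Returns
    (install_ok, victim_unchanged, face_is_regular, face_content_ok).
    """
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "home")
        os.mkdir(home)
        victim = os.path.join(tmp, "victim")
        with open(victim, "wb") as f:
            f.write(b"original contents")
        face = os.path.join(home, ".face")
        os.symlink(victim, face)
        ok = install_face(b"constructed icon bytes", home, drop_privileges)
        is_regular = stat.S_ISREG(os.lstat(face).st_mode)
        with open(victim, "rb") as f:
            victim_unchanged = f.read() == b"original contents"
        with open(face, "rb") as f:
            content_ok = f.read() == b"constructed icon bytes"
        return ok, victim_unchanged, is_regular, content_ok


def stale_removal_cases():
    """remove_stale_face on an empty home, then on a home with a .face file."""
    with tempfile.TemporaryDirectory() as home:
        first = remove_stale_face(home)   # nothing there: False, no exception
        open(os.path.join(home, ".face"), "wb").close()
        second = remove_stale_face(home)  # regular file: removed, True
        return first, second


if __name__ == "__main__":
    dropper = drop_to_home_owner if os.geteuid() == 0 else _no_drop
    print(regression_check(dropper), stale_removal_cases())
```

Run as root, `install_face` really switches the child to the home owner before writing; run unprivileged, `regression_check` substitutes a no-op dropper so the symlink and missing-file behaviour can still be exercised. The unlink-then-O_EXCL pair is what closes the window the thread discusses: the root-owned file is gone before privileges drop, and anything that appears in its place afterwards makes the open fail rather than redirect the write.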
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cinnamon Team <debian-cinnamon@lists.debian.org>: Bug#903201; Package src:cinnamon. (Sun, 27 Jan 2019 13:09:05 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Cinnamon Team <debian-cinnamon@lists.debian.org>. (Sun, 27 Jan 2019 13:09:05 GMT)
Message #24 received at 903201@bugs.debian.org:
Hi Cinnamon Team,
Can you address this issue via an upcoming point release?
Regards,
Salvatore
Last modified: Wed Jun 19 13:42:28 2019