Bug#903201: cinnamon: CVE-2018-13054: privilege escalation in cinnamon-settings-users.py GUI

To: 903201@bugs.debian.org
Subject: Bug#903201: cinnamon: CVE-2018-13054: privilege escalation in cinnamon-settings-users.py GUI
From: Andres Salomon <dilinger@queued.net>
Date: Mon, 14 Jan 2019 17:39:48 -0800
Message-id: <[🔎] 1547516388.2940.6@mail.queued.net>
Reply-to: Andres Salomon <dilinger@queued.net>, 903201@bugs.debian.org
References: <153097536633.31435.14883302343563143726.reportbug@eldamar.local>

Hi,

Is there a reason why this hasn't been fixed in stretch yet? The upstream commit is here:

https://github.com/linuxmint/Cinnamon/commit/66e54f43f179fdf041a3e5232178a9910963cfb5

https://github.com/linuxmint/Cinnamon/commit/66e54f43f179fdf041a3e5232178a9910963cfb5.patch

It applies to the version in stretch, and I've tested it. Here's the before:

dilinger@e7470:~$ ls -l .face

-rw-r--r-- 1 root root 9379 Jan 14 17:14 .face

After:

dilinger@e7470:~$ ls -lh .face

-rw-r--r-- 1 dilinger dilinger 2.6K Jan 14 17:19 .face

There is, however, a problem where the root-owned .face cannot be overwritten once the

new code drops privileges:

Traceback (most recent call last):

File "/usr/share/cinnamon/cinnamon-settings-users/cinnamon-settings-users.py", line 709, in _on_face_menuitem_activated

shutil.copy(path, os.path.join(user.get_home_dir(), ".face"))

File "/usr/lib/python2.7/shutil.py", line 119, in copy

copyfile(src, dst)

File "/usr/lib/python2.7/shutil.py", line 83, in copyfile

with open(dst, 'wb') as fdst:

IOError: [Errno 13] Permission denied: '/home/dilinger/.face'

It's not a critical bug (cinnamon-settings-users continues running), it just can't update

the file. That needs to be fixed upstream if it's not already, by changing ownership or

deleting the old file before dropping privileges. I've attached a patch that deletes the

old file.

Thanks,

Andres

--- /usr/share/cinnamon/cinnamon-settings-users/cinnamon-settings-users.py.orig	2019-01-14 17:24:37.799003654 -0800
+++ /usr/share/cinnamon/cinnamon-settings-users/cinnamon-settings-users.py	2019-01-14 17:38:06.248595816 -0800
@@ -675,6 +675,7 @@
                 image.thumbnail((96, 96), Image.ANTIALIAS)
                 face_path = os.path.join(user.get_home_dir(), ".face")
                 try:
+                    os.remove(face_path)
                     priv_helper.drop_privs(user)
                     image.save(face_path, "png")
                 finally:
@@ -704,9 +705,11 @@
                 user = model[treeiter][INDEX_USER_OBJECT]
                 user.set_icon_file(path)
                 self.face_image.set_from_file(path)
+                face_path = os.path.join(user.get_home_dir(), ".face")
                 try:
+                    os.remove(face_path)
                     priv_helper.drop_privs(user)
-                    shutil.copy(path, os.path.join(user.get_home_dir(), ".face"))
+                    shutil.copy(path, face_path)
                 finally:
                     priv_helper.restore_privs()
                 model.set_value(treeiter, INDEX_USER_PICTURE, GdkPixbuf.Pixbuf.new_from_file_at_size(path, 48, 48))

Reply to:

Follow-Ups:
- Bug#903201: cinnamon: CVE-2018-13054: privilege escalation in cinnamon-settings-users.py GUI
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: Bug#918921: Please make Atril the default viewer for PDF-files
Next by Date: Bug#903201: cinnamon: CVE-2018-13054: privilege escalation in cinnamon-settings-users.py GUI
Previous by thread: Bug#918921: Please make Atril the default viewer for PDF-files
Next by thread: Bug#903201: cinnamon: CVE-2018-13054: privilege escalation in cinnamon-settings-users.py GUI
Index(es):
- Date
- Thread