
Bug#903201: cinnamon: CVE-2018-13054: privilege escalation in cinnamon-settings-users.py GUI



On Mon, Jan 14, 2019 at 5:39 PM, Andres Salomon <dilinger@queued.net> wrote:

It's not a critical bug (cinnamon-settings-users continues running), it just can't update
the file.  That needs to be fixed upstream if it's not already, by changing ownership or
deleting the old file before dropping privileges.  I've attached a patch that deletes the
old file.

I realized that os.remove throws an exception if the file isn't there, which isn't what we
want. Here's an updated patch.  It works with .face owned by root, owned by the proper
user, or when it doesn't exist at all.
--- /usr/share/cinnamon/cinnamon-settings-users/cinnamon-settings-users.py.orig	2019-01-14 17:24:37.799003654 -0800
+++ /usr/share/cinnamon/cinnamon-settings-users/cinnamon-settings-users.py	2019-01-14 18:41:39.855137769 -0800
@@ -675,6 +675,10 @@
                 image.thumbnail((96, 96), Image.ANTIALIAS)
                 face_path = os.path.join(user.get_home_dir(), ".face")
                 try:
+                    try:
+                        os.remove(face_path)
+                    except:
+                        pass
                     priv_helper.drop_privs(user)
                     image.save(face_path, "png")
                 finally:
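
Review bot: the bare `except: pass` around `os.remove(face_path)` hides every failure, not only the missing-file case the message says it is meant to cover. If `.face` is a directory or the unlink fails for some other reason, the error is dropped and `image.save(face_path, "png")` then fails after `priv_helper.drop_privs(user)` with no hint of the cause. Catch `OSError` and ignore only `errno.ENOENT`, and log or re-raise anything else. A short comment would also help: the removal is placed before `drop_privs` on purpose so that a root-owned `.face` can be deleted, and `os.remove` unlinks the directory entry itself rather than following a symlink at that name.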
@@ -704,9 +708,14 @@
                 user = model[treeiter][INDEX_USER_OBJECT]
                 user.set_icon_file(path)
                 self.face_image.set_from_file(path)
+                face_path = os.path.join(user.get_home_dir(), ".face")
                 try:
+                    try:
+                        os.remove(face_path)
+                    except:
+                        pass
                     priv_helper.drop_privs(user)
-                    shutil.copy(path, os.path.join(user.get_home_dir(), ".face"))
+                    shutil.copy(path, face_path)
                 finally:
                     priv_helper.restore_privs()
                 model.set_value(treeiter, INDEX_USER_PICTURE, GdkPixbuf.Pixbuf.new_from_file_at_size(path, 48, 48))
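
Review bot: the `try: os.remove(face_path) / except: pass` sequence at the top of this `try` block is a copy of the one in the previous hunk, bare `except` included. Move it into one small helper that both call sites run before `priv_helper.drop_privs(user)` and that ignores only the file-not-found error, so the two paths cannot drift apart on later fixes. Computing `face_path` once and reusing it in `shutil.copy(path, face_path)` is a good change and can stay as is.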
