
Bug#903201: marked as done (cinnamon: CVE-2018-13054: privilege escalation in cinnamon-settings-users.py GUI)



Your message dated Sun, 1 Sep 2019 13:00:08 +0900
with message-id <20190901040008.coxo57fmkbz6ks37@bulldog.preining.info>
and subject line CVE-2018-13054: privilege escalation in cinnamon-settings-users.py GUI
has caused the Debian Bug report #903201,
regarding cinnamon: CVE-2018-13054: privilege escalation in cinnamon-settings-users.py GUI
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
903201: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903201
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: cinnamon
Version: 3.2.7-4
Severity: grave
Tags: patch security upstream
Forwarded: https://github.com/linuxmint/Cinnamon/pull/7683

Hi,

The following vulnerability was published for cinnamon.

CVE-2018-13054[0]:
| An issue was discovered in Cinnamon 1.9.2 through 3.8.6. The
| cinnamon-settings-users.py GUI runs as root and allows configuration of
| (for example) other users' icon files in
| _on_face_browse_menuitem_activated and _on_face_menuitem_activated.
| These icon files are written to the respective user's $HOME/.face
| location. If an unprivileged user prepares a symlink pointing to an
| arbitrary location, then this location will be overwritten with the
| icon content.

It requires admin intervention though, but still filing it as RC
severity.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-13054
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13054
[1] https://github.com/linuxmint/Cinnamon/pull/7683
[2] https://bugzilla.suse.com/show_bug.cgi?id=1083067

Regards,
Salvatore

--- End Message ---
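The symlink problem described in the CVE text above, next to one way a privileged writer can refuse it, as an added example (not code from Cinnamon and not the upstream fix). The function names and the temporary-directory scenario are constructed for illustration; Linux is assumed for `O_NOFOLLOW` and `dir_fd`.

```python
import os
import stat
import tempfile

def write_face_unsafe(home, data):
    """The pattern the CVE describes: open() follows a symlink at $HOME/.face."""
    with open(os.path.join(home, ".face"), "wb") as f:
        f.write(data)

def write_face_safe(home, data):
    """Write $HOME/.face without following a link planted by the home's owner."""
    dir_fd = os.open(home, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        # O_NOFOLLOW: the open fails if .face is a symlink. No O_TRUNC here,
        # so nothing is modified before the checks below have passed.
        fd = os.open(".face", os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW,
                     0o644, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)
    with os.fdopen(fd, "wb") as f:
        st = os.fstat(f.fileno())
        # Reject anything that is not a regular file, and files with extra hard links.
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
            raise OSError("refusing to write: .face is not a plain, singly linked file")
        f.truncate(0)
        f.write(data)

def demo():
    """Constructed scenario: returns the victim file's content after each writer."""
    with tempfile.TemporaryDirectory() as root:
        home = os.path.join(root, "home_user")        # stands in for a user's $HOME
        os.mkdir(home)
        victim = os.path.join(root, "root_owned.conf")  # stands in for a protected file
        os.symlink(victim, os.path.join(home, ".face"))
        results = []
        for writer in (write_face_unsafe, write_face_safe):
            with open(victim, "wb") as f:
                f.write(b"original")
            try:
                writer(home, b"ICON")
            except OSError:
                pass  # the safe writer refuses the symlink
            with open(victim, "rb") as f:
                results.append(f.read())
        return tuple(results)

if __name__ == "__main__":
    print(demo())
```
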
--- Begin Message ---
fixed 903201 3.8.8-1
thanks

Hi all,

there is still
#903201 cinnamon: CVE-2018-13054: privilege escalation in cinnamon-settings-users.py GUI
open, but it is already fixed in 3.8.8, so I am closing this bug now and
marking it as fixed in 3.8.8-1 in buster.

There is a fix to remove the root-owned .face file that is not
incorporated, we could add that later on. For the time being I create a
buster branch that incorporates that fix. We will see if we upload it to
a point release.

Best

Norbert

--
PREINING Norbert                               http://www.preining.info
Accelia Inc. + IFMGA ProGuide + TU Wien + JAIST + TeX Live + Debian Dev
GPG: 0x860CDC13   fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13

--- End Message ---