cinnamon-settings-users.py: fix symlink attack vulnerability #7683

Merged
merged 1 commit into from Jul 2, 2018

@mgerstner
Contributor

mgerstner commented Jul 2, 2018

This script runs as root and allows configuring e.g. other users' icon
files. These icon files are written to the respective user's $HOME/.face
location. If an unprivileged user prepares a symlink pointing to an
arbitrary location then this location will be overwritten with the icon
content. This vulnerability thus allows corrupting the system or other
users' files. The content is not attacker controlled, luckily.

This change introduces temporary privilege drops to the target user's
privileges before attempting to write the respective .face files. This
way the kernel can decide if permissions are okay or not.

@xenopeek xenopeek added the In Progress label Jul 2, 2018

@mgerstner

Contributor

mgerstner commented Jul 2, 2018

I reported this privately to @clefebvre by mail and he asked me to publish it right away via a PR. So here it is.

I think this is the safest way to fix the issue, so we don't have to worry about race conditions and open flags, letting the kernel do the actual security checks. Even safer would be not even to write that file as root, of course ;-)
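
The temporary privilege drop this PR describes, sketched as an added example (not the code merged here): `as_user` and `install_face` are hypothetical names, and both take a passwd entry as returned by `pwd.getpwnam`. When the process is not root the helper drops nothing, which is an assumption made so the sketch can also be run unprivileged.

```python
import contextlib
import os
import shutil


@contextlib.contextmanager
def as_user(pw):
    """Temporarily take on the effective uid, gid and groups of passwd entry pw."""
    if os.geteuid() != 0:
        # Assumption for unprivileged runs: nothing to drop, the kernel
        # already checks every access against the caller's own identity.
        yield
        return
    saved_gid, saved_groups = os.getegid(), os.getgroups()
    # Order matters: groups and gid can only be changed while still root.
    os.setgroups(os.getgrouplist(pw.pw_name, pw.pw_gid))
    os.setegid(pw.pw_gid)
    os.seteuid(pw.pw_uid)
    try:
        yield
    finally:
        # Real and saved uid are still 0, so root can be regained here.
        os.seteuid(0)
        os.setegid(saved_gid)
        os.setgroups(saved_groups)


def install_face(pw, icon_path):
    """Copy icon_path to pw's ~/.face. Returns True if the kernel allowed it."""
    target = os.path.join(pw.pw_dir, ".face")
    with as_user(pw):
        try:
            # Follows a symlink at ~/.face, but only with the user's own rights.
            shutil.copyfile(icon_path, target)
            return True
        except OSError:
            return False


if __name__ == "__main__":
    import pwd
    import sys
    # Usage (constructed): python3 face.py <username> <icon file>
    print(install_face(pwd.getpwnam(sys.argv[1]), sys.argv[2]))
```

The icon file has to be readable by the target user, because the read also happens after the drop.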

@mgerstner

Contributor

mgerstner commented Jul 2, 2018

This was assigned CVE-2018-13054.

@mtwebster mtwebster merged commit 66e54f4 into linuxmint:master Jul 2, 2018

2 of 4 checks passed

- CodeFactor: 11 issues found.
- ci/circleci: lmde3: Your tests failed on CircleCI
- Codacy/PR Quality Review: Up to standards. A positive pull request.
- ci/circleci: mint19: Your tests passed on CircleCI!

@xenopeek xenopeek removed the In Progress label Jul 2, 2018
