Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20180702133709.GE8324@f195.suse.de>
Date: Mon, 2 Jul 2018 15:37:09 +0200
From: Matthias Gerstner <mgerstner@...e.de>
To: oss-security@...ts.openwall.com
Subject: cinnamon: possible symlink attack in cinnamon-settings-users.py

Hello,

this is about an issue I found during a code review of Cinnamon
<https://github.com/linuxmint/Cinnamon>:

The script cinnamon-settings-users.py runs as root (via polkit's pkexec) 
and allows to configure e.g. other user's icon files. These icon files
are written to the respective user's $HOME/.face location. If an
unprivileged user prepares a symlink pointing to an arbitrary location
then this location will be overwritten with the icon content. This
vulnerability thus allows to corrupt the system or other user's files.
The content is not attacker controlled, luckily. It may have further
unspecified impact, however, by allowing to write to pseudo files in
/proc or /sys or by creating state files that influence other system
components like /etc/suid-debug.

Affected Versions:

From the git history it looks like this vulnerability was contained for
a long time in the cinnamon-settings-users.py script, dating back to
version 1.9.2 up to and including current version 3.8.6.

Suggested Fix:

Dropping privileges to the target user while writing the $HOME/.face
file should be a safe approach. A preliminary suggested patch is found
in the pull request referenced below and is also attached to this mail.

References:

Upstream pull request: https://github.com/linuxmint/Cinnamon/pull/7683
OpenSUSE bug: https://bugzilla.suse.com/show_bug.cgi?id=1083067

Timeline:

2018-06-28: I found the vulnerability during a code review
2018-06-29: I privately contacted the upstream main developer
2018-07-02: Upstream agreed to publish the issue and I created the
            upstream PR

-- 
Matthias Gerstner <matthias.gerstner@...e.de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Telefon: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553

SUSE Linux GmbH
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nuernberg)

View attachment "0001-cinnamon-settings-users.py-fix-symlink-attack-vulner.patch" of type "text/x-diff" (3809 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.