Message-ID: <20180702133709.GE8324@f195.suse.de>
Date: Mon, 2 Jul 2018 15:37:09 +0200
From: Matthias Gerstner <mgerstner@...e.de>
To: oss-security@...ts.openwall.com
Subject: cinnamon: possible symlink attack in cinnamon-settings-users.py

Hello,

this is about an issue I found during a code review of Cinnamon
<https://github.com/linuxmint/Cinnamon>:

The script cinnamon-settings-users.py runs as root (via polkit's pkexec)
and allows to configure e.g. other user's icon files. These icon files
are written to the respective user's $HOME/.face location. If an
unprivileged user prepares a symlink pointing to an arbitrary location
then this location will be overwritten with the icon content.

This vulnerability thus allows to corrupt the system or other user's
files. The content is not attacker controlled, luckily. It may have
further unspecified impact, however, by allowing to write to pseudo
files in /proc or /sys or by creating state files that influence other
system components like /etc/suid-debug.

Affected Versions:

From the git history it looks like this vulnerability was contained for
a long time in the cinnamon-settings-users.py script, dating back to
version 1.9.2 up to and including current version 3.8.6.

Suggested Fix:

Dropping privileges to the target user while writing the $HOME/.face
file should be a safe approach. A preliminary suggested patch is found
in the pull request referenced below and is also attached to this mail.

References:

Upstream pull request: https://github.com/linuxmint/Cinnamon/pull/7683
OpenSUSE bug: https://bugzilla.suse.com/show_bug.cgi?id=1083067

Timeline:

2018-06-28: I found the vulnerability during a code review
2018-06-29: I privately contacted the upstream main developer
2018-07-02: Upstream agreed to publish the issue and I created the upstream PR

-- 
Matthias Gerstner <matthias.gerstner@...e.de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Telefon: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553

SUSE Linux GmbH
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nuernberg)

View attachment "0001-cinnamon-settings-users.py-fix-symlink-attack-vulner.patch" of type "text/x-diff" (3809 bytes)
Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
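
The "Suggested Fix" above, sketched as an added example that is not part of the original mail and is not the attached upstream patch: a root helper switches its effective uid/gid to the target user before opening `.face`, so the kernel checks the write with that user's permissions. The names `as_user` and `write_face`, the single-group `setgroups` call, and the extra `O_NOFOLLOW` flag are assumptions of this sketch.

```python
import os
from contextlib import contextmanager

@contextmanager
def as_user(uid, gid):
    """Temporarily take on the target user's effective uid/gid.

    Does nothing when we are not root, or when the target is root itself.
    """
    if os.geteuid() != 0 or uid == 0:
        yield
        return
    old_groups, old_egid = os.getgroups(), os.getegid()
    try:
        os.setgroups([gid])   # assumption: primary group only, no supplementary groups
        os.setegid(gid)
        os.seteuid(uid)       # uid last, while we are still allowed to change gids
        yield
    finally:
        os.seteuid(0)         # regain root first, then restore the group state
        os.setegid(old_egid)
        os.setgroups(old_groups)

def write_face(uid, gid, home, data):
    """Write icon bytes to <home>/.face as the target user.

    Returns False when the open is refused, e.g. because .face is a symlink
    (O_NOFOLLOW) or because the target user may not write to the location.
    """
    path = os.path.join(home, ".face")
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    with as_user(uid, gid):
        try:
            fd = os.open(path, flags, 0o644)
        except OSError:
            return False
        with os.fdopen(fd, "wb") as f:
            f.write(data)
    return True
```

`O_NOFOLLOW` only covers the final path component; symlinks in parent directories are handled by the privilege drop, since the open is then evaluated with the target user's rights.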