Date: Mon, 2 Jul 2018 15:37:09 +0200
From: Matthias Gerstner <mgerstner@...e.de>
To: oss-security@...ts.openwall.com
Subject: cinnamon: possible symlink attack in cinnamon-settings-users.py

Hello,

this is about an issue I found during a code review of Cinnamon
<https://github.com/linuxmint/Cinnamon>:

The script cinnamon-settings-users.py runs as root (via polkit's pkexec)
and allows configuring e.g. other users' icon files. These icon files
are written to the respective user's $HOME/.face location. If an
unprivileged user prepares a symlink pointing to an arbitrary location
then this location will be overwritten with the icon content. This
vulnerability thus allows corrupting the system or other users' files.
The content is not attacker controlled, luckily. It may have further
unspecified impact, however, by allowing writes to pseudo files in
/proc or /sys or by creating state files that influence other system
components like /etc/suid-debug.

Affected Versions:

From the git history it looks like this vulnerability was contained for
a long time in the cinnamon-settings-users.py script, dating back to
version 1.9.2 up to and including current version 3.8.6.

Suggested Fix:

Dropping privileges to the target user while writing the $HOME/.face
file should be a safe approach. A preliminary suggested patch is found
in the pull request referenced below and is also attached to this mail.

References:

Upstream pull request: https://github.com/linuxmint/Cinnamon/pull/7683
OpenSUSE bug: https://bugzilla.suse.com/show_bug.cgi?id=1083067

Timeline:

2018-06-28: I found the vulnerability during a code review
2018-06-29: I privately contacted the upstream main developer
2018-07-02: Upstream agreed to publish the issue and I created the
            upstream PR

-- 
Matthias Gerstner <matthias.gerstner@...e.de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Telefon: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553

SUSE Linux GmbH
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nuernberg)

View attachment "0001-cinnamon-settings-users.py-fix-symlink-attack-vulner.patch" of type "text/x-diff" (3809 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
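
The fix suggested in the message above (drop privileges to the target user before writing $HOME/.face), sketched as an added example; this is not the attached patch and not Cinnamon's code. The function name, its parameters and the extra O_NOFOLLOW check are assumptions made for illustration, and the sample paths are constructed.

```python
import os
import tempfile


def write_face_as_user(uid, gid, home, data):
    """Write data to <home>/.face from a child process running as uid/gid.

    Returns True if the child wrote the file, False if it refused or failed.
    """
    target = os.path.join(home, ".face")
    pid = os.fork()
    if pid == 0:
        status = 1  # any exception below leaves the failure status in place
        try:
            if (os.geteuid(), os.getegid()) != (uid, gid):
                # Order matters: groups and gid must change while still root.
                # Simplification: only the primary group is kept.
                os.setgroups([gid])
                os.setgid(gid)
                os.setuid(uid)
            # From here on the kernel checks access as the target user, so a
            # planted symlink cannot reach files that user could not write.
            # O_NOFOLLOW (assumption, defence in depth) refuses a symlink in
            # the final path component outright.
            flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
            fd = os.open(target, flags, 0o644)
            with os.fdopen(fd, "wb") as f:
                f.write(data)
            status = 0
        finally:
            os._exit(status)  # never return into the privileged caller
    _, wstatus = os.waitpid(pid, 0)
    return os.WIFEXITED(wstatus) and os.WEXITSTATUS(wstatus) == 0


if __name__ == "__main__":
    # Constructed scenario: .face is a symlink to a file that must survive.
    base = tempfile.mkdtemp()
    victim = os.path.join(base, "victim")
    with open(victim, "wb") as f:
        f.write(b"keep")
    home = os.path.join(base, "home")
    os.mkdir(home)
    os.symlink(victim, os.path.join(home, ".face"))
    print("symlink case:", write_face_as_user(os.getuid(), os.getgid(), home, b"icon"))
    os.unlink(os.path.join(home, ".face"))
    print("regular case:", write_face_as_user(os.getuid(), os.getgid(), home, b"icon"))
```

Doing the write in a forked child keeps the privileged parent's credentials untouched, and a failed drop ends the child before any file is opened.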
