Bugzilla – Bug 1083067
AUDIT-0: CVE-2018-13054: cinnamon: polkit-untracked-privilege: org.cinnamon.settings-users > possible symlink attack in cinnamon-settings-users.py
Last modified: 2023-04-06 15:55:02 UTC
Since you want to change this Info to an error, the current set of untracked privileges needs to be added to the white list. cinnamon will newly fail with this check enforced: [ 386s] cinnamon.x86_64: I: polkit-untracked-privilege org.cinnamon.settings-users (auth_admin:auth_admin:auth_admin)
The cinnamon settings daemon was already audited in bug 951830. So this is only an incremental extension.
This is an autogenerated message for OBS integration: This bug (1083067) was mentioned in https://build.opensuse.org/request/show/585867 Factory / polkit-default-privs
I will work on this now. This is actually for package cinnamon-settings-daemon.
This is in the cinnamon package after all. Obviously I confused something here. It's a pkexec action that allows to run a GUI implemented in python as root. Since it's all auth_admin that's fine so far. The GUI itself running as root is a different matter. Will look deeper into it.
Adding cinnamon maintainer to CC. Making this private/embargoed. So we have something here. Actually unrelated to the polkit rule itself, but the GUI running as root opens up a symlink attack. The admin can change other users' icons via the GUI. Once that happens, the GUI writes the new icon file to the user's home directory into /home/<user>/.face. If an unprivileged user puts a symlink there like:

rm $HOME/.face
ln -s /etc/shadow $HOME/.face

then as soon as the admin changes the icon, /etc/shadow will be overwritten by an icon file. So this allows unprivileged users to prepare a DoS attack or have further impact like creating a file /etc/suid-debug which allows to weaken protection of setuid binaries. It still requires admin interaction. Anyways still a serious bug. I didn't report this to upstream yet, because they seemingly have no responsible disclosure policy. I've contacted one of the devs I just recently had to do with. Therefore this is currently still under embargo. Please don't spread it.
In attachment 775569 [details] I have put a suggested patch that drops privileges to the target user before touching that .face file. Let's see what upstream thinks about it.
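As an added example (not Cinnamon's code and not the patch in attachment 775569), the following Python shows the defensive pattern the patch aims at: a root process writes $HOME/.face only after forking and dropping to the target user, and additionally opens the file with O_NOFOLLOW so a planted symlink makes the write fail instead of redirecting it. The function names and the temporary directory layout are constructed for the demonstration.

```python
import os
import tempfile
# Added example, not Cinnamon's code: write $HOME/.face from a root process
# without following a symlink the home owner may have planted. Layer 1 forks
# and drops to the target user (what the fix does); layer 2 adds O_NOFOLLOW.

def _drop_to_user(uid, gid):
    """Give up root permanently; no-op when already running unprivileged."""
    if os.geteuid() != 0:
        return
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)

def write_face_file(home, data, uid, gid):
    """True if $HOME/.face was written as the owning user, False if refused."""
    path = os.path.join(home, ".face")
    pid = os.fork()
    if pid == 0:                          # child: never returns to the caller
        try:
            _drop_to_user(uid, gid)
            # O_NOFOLLOW makes open() fail with ELOOP on a symlink, before
            # O_TRUNC could touch whatever the link points at.
            flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
            with os.fdopen(os.open(path, flags, 0o644), "wb") as f:
                f.write(data)
            status = 0
        except OSError:
            status = 1
        os._exit(status)
    _, wstatus = os.waitpid(pid, 0)
    return os.WIFEXITED(wstatus) and os.WEXITSTATUS(wstatus) == 0

def run_demo():
    """Constructed scenario: a home whose .face links to a protected file."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "protected-file")
        with open(target, "w") as f:
            f.write("original\n")
        bad_home = os.path.join(tmp, "bad-home")
        os.mkdir(bad_home)
        os.symlink(target, os.path.join(bad_home, ".face"))
        refused = not write_face_file(bad_home, b"ICON", os.getuid(), os.getgid())
        with open(target) as f:
            preserved = f.read() == "original\n"
        good_home = os.path.join(tmp, "good-home")   # no symlink: write succeeds
        os.mkdir(good_home)
        ok = write_face_file(good_home, b"ICON", os.getuid(), os.getgid())
        with open(os.path.join(good_home, ".face"), "rb") as f:
            return refused, preserved, ok and f.read() == b"ICON"
```

Run unprivileged, the privilege drop is skipped and O_NOFOLLOW alone refuses the symlinked write; run as root, both layers apply and the write happens with the target user's rights only.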
Assigning this to the Cinnamon maintainer. The upstream dev replied by now and they don't want an embargo. It is public now via an upstream PR I just made: https://github.com/linuxmint/Cinnamon/pull/7683 Let's see if they accept the patch. It should work though, I tested it on Tumbleweed. Please submit a fix to Factory and maintenance updates for Leap 15.0, Leap 42.3. Thank you!
Upstream has merged the PR, so now it's time for us to integrate the patch, too.
This is an autogenerated message for OBS integration: This bug (1083067) was mentioned in https://build.opensuse.org/request/show/621350 15.0 / cinnamon
Alexei, if 42.3 is affected do you plan to apply the same fix there?
Andreas Stieger, it is affected, yeah. A request is out.
This is an autogenerated message for OBS integration: This bug (1083067) was mentioned in https://build.opensuse.org/request/show/622258 42.3 / cinnamon https://build.opensuse.org/request/show/622260 15.0 / cinnamon
openSUSE-SU-2018:2121-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1083067 CVE References: CVE-2018-13054 Sources used: openSUSE Leap 15.0 (src): cinnamon-3.6.7-lp150.3.3.1
openSUSE-SU-2018:2125-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1083067 CVE References: CVE-2018-13054 Sources used: openSUSE Leap 42.3 (src): cinnamon-3.4.6-2.3.1
Updates are all out. Closing this bug as FIXED.