oss-sec mailing list archives
Re: cinnamon: possible symlink attack in cinnamon-settings-users.py
From: Matthias Gerstner <mgerstner () suse de>
Date: Mon, 2 Jul 2018 16:09:48 +0200
The script cinnamon-settings-users.py runs as root (via polkit's pkexec) and allows configuring, e.g., other users' icon files. These icon files are written to the respective user's $HOME/.face location. If an unprivileged user prepares a symlink pointing to an arbitrary location, then this location will be overwritten with the icon content.
This was assigned CVE-2018-13054.