A flaw was found in Cinnamon 1.9.2 through 3.8.6. The cinnamon-settings-users.py GUI runs as root and allows configuration of (for example) other users' icon files in _on_face_browse_menuitem_activated and _on_face_menuitem_activated. These icon files are written to the respective user's $HOME/.face location. If an unprivileged user prepares a symlink pointing to an arbitrary location, then this location will be overwritten with the icon content.
After installing this update it is required that you logout of
your current user session and log back in to ensure the changes
supplied by this update are applied properly.
How to install
sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-EPEL-2019-d2c1368294