security update in Fedora EPEL 7 for cinnamon

Status: testing 2 months ago

A flaw was found in Cinnamon 1.9.2 through 3.8.6. The cinnamon-settings-users.py GUI runs as root and allows configuration of (for example) other users' icon files in _on_face_browse_menuitem_activated and _on_face_menuitem_activated. These icon files are written to the respective user's $HOME/.face location. If an unprivileged user prepares a symlink pointing to an arbitrary location, then this location will be overwritten with the icon content.

Logout Required

After installing this update, you must log out of your current user session and log back in to ensure the changes supplied by this update are applied properly.

How to install

sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-EPEL-2019-d2c1368294

Comments 3

This update has been submitted for testing by jcpunk.

This update has been pushed to testing.

This update has reached 14 days in testing and can be pushed to stable now if the maintainer wishes.


#1598495 CVE-2018-13054 cinnamon: privilege escalation in cinnamon-settings-users.py GUI [epel-7]
stable threshold: 3
unstable threshold: -3
submitted 2 months ago
in testing 2 months ago
