CVE-2018-13054

Name of the Vulnerable Software and Affected Versions Cinnamon versions 1.9.2 through 3.8.6

Description An issue was discovered where the cinnamon-settings-users.py GUI, running as root, allows configuration of other users' icon files. This can lead to arbitrary file overwrites if an unprivileged user prepares a symlink to a target location. The icon files are written to the respective user's $HOME/.face location.

Recommendations For Cinnamon versions 1.9.2 through 3.8.6, consider restricting access to the cinnamon-settings-users.py GUI to prevent unprivileged users from preparing symlinks that could lead to arbitrary file overwrites. As a temporary workaround, consider disabling the on face browse menuitem activated and on face menuitem activated functions until a patch is available.