Bug 1597495

Summary: accountsservice: Improper path validation of user icon files allows for spoofing via symlink
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: mclasen, rstrode, stefw
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-07-13 19:17:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1597497, 1597499    
Bug Blocks: 1597500    

Description Sam Fowler 2018-07-03 05:41:43 UTC 
GNOME AccountsService does not properly validate the filepaths of user icon files in the user.c:user_change_icon_file_authorized_cb() function. An attacker could exploit this by providing a crafted path via  D-Bus message and replacing it with a symlink. Third party applications that trust this path can potentially read from its location as root and try to interpret it as an image file.


External Reference:

http://www.openwall.com/lists/oss-security/2018/07/02/2


Upstream Bug:

https://bugs.freedesktop.org/show_bug.cgi?id=107085
Comment 1 Sam Fowler 2018-07-03 05:42:08 UTC 
Created accountsservice tracking bugs for this issue:

Affects: fedora-all [bug 1597497]
Comment 3 Sam Fowler 2018-07-03 05:42:55 UTC 
openSUSE Bug:

https://bugzilla.novell.com/show_bug.cgi?id=1099699
Comment 4 Tomas Hoger 2018-07-13 19:17:39 UTC 

*** This bug has been marked as a duplicate of bug 1601019 ***