{"id":"UBUNTU-CVE-2018-13054","details":"An issue was discovered in Cinnamon 1.9.2 through 3.8.6. The cinnamon-settings-users.py GUI runs as root and allows configuration of (for example) other users' icon files in _on_face_browse_menuitem_activated and _on_face_menuitem_activated. These icon files are written to the respective user's $HOME/.face location. If an unprivileged user prepares a symlink pointing to an arbitrary location, then this location will be overwritten with the icon content.","modified":"2026-02-04T03:31:42.962372Z","published":"2018-07-02T14:29:00Z","related":["USN-4844-1"],"upstream":["CVE-2018-13054"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-13054"},{"type":"REPORT","url":"https://github.com/linuxmint/Cinnamon/pull/7683"},{"type":"REPORT","url":"https://github.com/linuxmint/Cinnamon/commit/66e54f43f179fdf041a3e5232178a9910963cfb5"},{"type":"REPORT","url":"https://bugzilla.suse.com/show_bug.cgi?id=1083067"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-4844-1"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2018-13054"}],"affected":[{"package":{"name":"cinnamon","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/cinnamon@2.8.6-1ubuntu1+esm1?arch=source&distro=esm-apps/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.8.6-1ubuntu1+esm1"}]}],"versions":["2.6.13-1ubuntu2","2.8.6-1ubuntu1"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_version":"2.8.6-1ubuntu1+esm1","binary_name":"cinnamon"},{"binary_version":"2.8.6-1ubuntu1+esm1","binary_name":"cinnamon-common"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2018/UBUNTU-CVE-2018-13054.json"}},{"package":{"name":"cinnamon","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/cinnamon@3.6.7-8ubuntu1+esm1?arch=source&distro=esm-apps/bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.6.7-8ubuntu1+esm1"}]}],"versions":["3.4.6-1","3.6.7-3","3.6.7-4","3.6.7-5","3.6.7-6","3.6.7-7","3.6.7-8","3.6.7-8ubuntu1"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_version":"3.6.7-8ubuntu1+esm1","binary_name":"cinnamon"},{"binary_version":"3.6.7-8ubuntu1+esm1","binary_name":"cinnamon-common"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2018/UBUNTU-CVE-2018-13054.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H"},{"type":"Ubuntu","score":"high"}]}