Security Notice: CVE-2019-17080

Post by clem »

Summary

mintinstall (aka Software Manager) 7.9.9 for Linux Mint allows code execution if a REVIEWS_CACHE file is controlled by an attacker, because an unpickle occurs.

https://cve.mitre.org/cgi-bin/cvename.c ... 2019-17080
https://github.com/Andhrimnirr/Mintinst ... -injection

Affected versions

The issue affects 2 packages:

- mintinstall from version 7.9.5 to version 7.9.9
- mint-common version 2.0.6

Fixed versions

Please upgrade to the following versions.

- Linux Mint 19.2 Tina: mintinstall 8.0.0 and mint-common 2.0.7.
- LMDE 3 Cindy: mintinstall 8.0.0 and mint-common 2.0.7.
- Linux Mint 19.1 Tessa: mintinstall 7.9.7.1
- Linux Mint 19 Tara: mintinstall 7.9.5.1

References

https://github.com/linuxmint/mintinstal ... 64b1a048ad
https://github.com/linuxmint/mintcommon ... 62c1ce3570

Re: Security Notice: CVE-2019-17080

Post by Moem »

Thanks Clem! I just saw them being offered in the Update Manager. Updating now!

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!

Re: Security Notice: CVE-2019-17080

Post by gm10 »

Saw that yesterday, but frankly w/e, to exploit that you need to have write access to the user's files, at which point you can just run your code directly, so the real world risk from this is probably as close to zero as it gets. Still +1 for the change to JSON, was hoping you'd end up doing that after the initial fix attempt.
Last edited by gm10 on Fri Oct 04, 2019 8:38 am, edited 1 time in total.
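
Added example, not part of the thread and not code from mintinstall or mint-common: this Python sketch shows why loading a pickle cache calls whatever the file names, how to inspect or read such a file without doing so, and a JSON loader in the spirit of the change to JSON mentioned above. The cache schema, every name and the sample data are assumptions constructed for illustration.

```python
import io
import json
import pickle
import pickletools

# Opcodes that make pickle import or call objects while loading.
CALL_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                "NEWOBJ", "NEWOBJ_EX", "BUILD"}

def risky_opcodes(data: bytes) -> set:
    """List call-capable opcodes in a pickle by disassembly, without loading it."""
    return {op.name for op, _arg, _pos in pickletools.genops(data)} & CALL_OPCODES

class DataOnlyUnpickler(pickle.Unpickler):
    """Reads a legacy pickle cache but refuses every global lookup."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} refused")

def load_reviews_json(text: str) -> dict:
    """Load a JSON cache and check it against the assumed schema."""
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("cache root must be an object")
    for pkg, entry in data.items():
        ok = (isinstance(entry, dict)
              and type(entry.get("score")) is int
              and isinstance(entry.get("comments"), list)
              and all(isinstance(c, str) for c in entry["comments"]))
        if not ok:
            raise ValueError(f"malformed entry for {pkg!r}")
    return data

# Constructed samples (assumed schema, not real cache contents).
REVIEWS = {"hexchat": {"score": 5, "comments": ["works fine"]}}

class _SortsOnLoad:
    """Harmless stand-in: its pickle asks the loader to call sorted()."""
    def __reduce__(self):
        return (sorted, ([3, 1, 2],))

PLAIN_PICKLE = pickle.dumps(REVIEWS)
CALLING_PICKLE = pickle.dumps(_SortsOnLoad())

if __name__ == "__main__":
    print(risky_opcodes(PLAIN_PICKLE))            # plain data: nothing call-capable
    print(sorted(risky_opcodes(CALLING_PICKLE)))  # a global lookup plus REDUCE
    print(pickle.loads(CALLING_PICKLE))           # sorted() ran during the load
    print(load_reviews_json(json.dumps(REVIEWS)) == REVIEWS)
```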

Re: Security Notice: CVE-2019-17080

Post by mwbworld »

Done! Thanks for the notice and all of the teams' hard work!
- Michael

Re: Security Notice: CVE-2019-17080

Post by kc1di »

Thank you for the quick notice and update.
Easy tips : https://easylinuxtipsproject.blogspot.com/ Pjotr's Great Linux projects page.
Linux Mint Installation Guide: http://linuxmint-installation-guide.rea ... en/latest/
Registered Linux User #462608

Re: Security Notice: CVE-2019-17080

Post by LanceM »

Great to know someone's watching our backs!
To mark this issue solved, go to your original 1st post and click the edit pencil and add [Solved] at the beginning of the title and click Submit.
Mint accepts donations: https://linuxmint.com/donors.php

Re: Security Notice: CVE-2019-17080

Post by Voltron »

As others have stated, I want to forward a huge thanks and much appreciation to Clem and the other Mint developers for their quick and dutiful response to this security issue. It's great to have such expertise and watchful eyes on Mint's code. Thank you, everyone!!!

Re: Security Notice: CVE-2019-17080

Post by Linux-Bill »

Gotta luv Mint!!! Found, mentioned, and fixed!!! And, it didn't take days or weeks filled with faulty updates. Thanks for being there - you folks are what make Linux Mint great!!!

Re: Security Notice: CVE-2019-17080

Post by Spearmint2 »

Any problem in 18.3 ??
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....

Re: Security Notice: CVE-2019-17080

Post by gm10 »

Spearmint2 wrote:
Sat Oct 05, 2019 10:24 am
Any problem in 18.3 ??
No, the problematic code was introduced in LM 19.

Re: Security Notice: CVE-2019-17080

Post by Portreve »

clem wrote:
Fri Oct 04, 2019 5:54 am
Summary

mintinstall (aka Software Manager) 7.9.9 for Linux Mint allows code execution if a REVIEWS_CACHE file is controlled by an attacker, because an unpickle occurs. [Emphasis added.]
An “unpickle”? Y'know, I've been a technology enthusiast since 1986, and I've heard a lot of interesting terms (I still love the Amiga's iconic “Guru meditation error”) but this is a new one on me. :lol:
Please remember to mark your fixed problem [SOLVED].

Running Linux Mint Cinnamon 20.0.

The noblest of all dogs is the hot-dog; it feeds the hand that bites it.
— Dr. Lawrence J. Peter

Re: Security Notice: CVE-2019-17080

Post by gm10 »

Portreve wrote:
Tue Oct 08, 2019 3:49 am
An “unpickle”? Y'know, I've been a technology enthusiast since 1986, and I've heard a lot of interesting terms (I still love the Amiga's iconic “Guru meditation error”) but this is a new one on me. :lol:
But you can google, can't you? ;)
https://docs.python.org/3/library/pickle.html

Re: Security Notice: CVE-2019-17080

Post by Moem »

I'm completely familiar with unpickles. We eat them for breakfast, lunch and dinner every day. *grins, ducks, runs*

Re: Security Notice: CVE-2019-17080

Post by Portreve »

Moem wrote:
Tue Oct 08, 2019 4:48 am
I'm completely familiar with unpickles. We eat them for breakfast, lunch and dinner every day. *grins, ducks, runs*
+1

Re: Security Notice: CVE-2019-17080

Post by AngryDavid 808 »

Thank you! Just updated my laptop today!
Just a newbie in Linux, I've joined the World of Linux since August, 2019.

DEVICE: HP Pavilion dv6 Notebook - Windows 7 + KDE Neon 5.19 / Intel Core i7 Q720 Processor / 4GB RAM / 500GB ATA SSD Hard Drive

Re: Security Notice: CVE-2019-17080

Post by deepakdeshp »

Moem wrote:
Fri Oct 04, 2019 7:51 am
Thanks Clem! I just saw them being offered in the Update Manager. Updating now!
How to update this? I am running Mint 19.2 Cinnamon with full updates.
If I have helped you solve a problem, please add [SOLVED] to your first post title, it helps other users looking for help, and keeps the forum clean.
Regards,
Deepak

I am using Mint 20 Cinnamon 64 bit with AMD A8/7410 processor . Memory 8GB

Re: Security Notice: CVE-2019-17080

Post by JoeFootball »

deepakdeshp wrote: How to update this? I am running Mint 19.2 Cinnamon with full updates.
Then you're done. :)

Joe

Re: Security Notice: CVE-2019-17080

Post by JOSEILLO »

GREETINGS, THANK YOU FOR THE INFORMATION AND THE WAY THAT DETAILED IT, IT WAS A LOT OF HELP.

Re: Security Notice: CVE-2019-17080

Post by deepakdeshp »

JOSEILLO wrote:
Thu Nov 28, 2019 12:36 pm
GREETINGS, THANK YOU FOR THE INFORMATION AND THE WAY THAT DETAILED IT, IT WAS A LOT OF HELP.
Typing all caps is considered as shouting.

Re: Security Notice: CVE-2019-17080

Post by trytip »

gm10 wrote:
Tue Oct 08, 2019 3:54 am
Portreve wrote:
Tue Oct 08, 2019 3:49 am
An “unpickle”? Y'know, I've been a technology enthusiast since 1986, and I've heard a lot of interesting terms (I still love the Amiga's iconic “Guru meditation error”) but this is a new one on me. :lol:
But you can google, can't you? ;)
https://docs.python.org/3/library/pickle.html
Amiga's iconic “Guru meditation error” ??? wow i thought i was old, nope never heard of it and yes gm10 i can g00gle it :D
it
/it/ pronoun
1. used to refer to a thing previously mentioned or easily identified. "a room with two beds in it"
2. used to identify a person. "it's me"
BTW @gm10, for those of us that have your ppa is your mint-common 2.2.4~gm10 fixed as well? i'm sure it is