Security Notice: CVE-2019-17080

Post by clem » Fri Oct 04, 2019 5:54 am

Summary

mintinstall (aka Software Manager) 7.9.9 for Linux Mint allows code execution if a REVIEWS_CACHE file is controlled by an attacker, because an unpickle occurs.

https://cve.mitre.org/cgi-bin/cvename.c ... 2019-17080
https://github.com/Andhrimnirr/Mintinst ... -injection

Affected versions

The issue affects 2 packages:

- mintinstall from version 7.9.5 to version 7.9.9
- mint-common version 2.0.6

Fixed versions

Please upgrade to the following versions.

- Linux Mint 19.2 Tina: mintinstall 8.0.0 and mint-common 2.0.7.
- LMDE 3 Cindy: mintinstall 8.0.0 and mint-common 2.0.7.
- Linux Mint 19.1 Tessa: mintinstall 7.9.7.1
- Linux Mint 19 Tara: mintinstall 7.9.5.1

References

https://github.com/linuxmint/mintinstal ... 64b1a048ad
https://github.com/linuxmint/mintcommon ... 62c1ce3570
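
Added example (not part of the original post and not mintinstall's own code): the notice attributes the issue to unpickling REVIEWS_CACHE, and a later reply in the thread notes the fix moved to JSON. The sketch below inspects a cache file's bytes with `pickletools` without ever loading them, and parses a JSON cache with shape checks; the field names `score` and `num_reviews`, the function names and the sample data are assumptions made for illustration.

```python
import json
import pickle
import pickletools

# Opcodes that make the unpickler import a name or call/construct an object.
RISKY_OPS = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
             "REDUCE", "BUILD", "EXT1", "EXT2", "EXT4"}


def risky_pickle_opcodes(raw: bytes) -> set:
    """Names of import/call opcodes in a pickle stream; parses only, never loads."""
    return {op.name for op, _arg, _pos in pickletools.genops(raw)} & RISKY_OPS


def load_reviews_json(text: str) -> dict:
    """Parse a JSON reviews cache, accepting only {package: {score, num_reviews}}."""
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("cache root must be a JSON object")
    clean = {}
    for pkg, info in data.items():
        if not isinstance(info, dict):
            raise ValueError(f"entry for {pkg!r} is not an object")
        fields = (info.get("score"), info.get("num_reviews"))
        if not all(type(v) is int for v in fields):
            raise ValueError(f"entry for {pkg!r} has non-integer fields")
        clean[pkg] = {"score": fields[0], "num_reviews": fields[1]}
    return clean


def classify_cache(raw: bytes) -> str:
    """Label a cache file's bytes without ever calling pickle.load on them."""
    try:
        load_reviews_json(raw.decode("utf-8"))
        return "json-ok"
    except ValueError:  # covers UnicodeDecodeError and json.JSONDecodeError
        pass
    try:
        risky = risky_pickle_opcodes(raw)
    except Exception:  # not a parseable pickle stream either
        return "unrecognised"
    return "pickle-with-imports" if risky else "pickle-plain-data"


# Constructed samples (not taken from a real REVIEWS_CACHE file).
SAMPLE_JSON = b'{"gimp": {"score": 5, "num_reviews": 12}}'
SAMPLE_PLAIN_PICKLE = pickle.dumps({"gimp": {"score": 5, "num_reviews": 12}}, protocol=2)
# complex() is harmless, but its pickle still names a class for the loader to construct.
SAMPLE_OBJECT_PICKLE = pickle.dumps(complex(1, 2), protocol=2)
```

A result of `pickle-with-imports` means the stream names objects for the loader to import or call, which is the property that makes loading an attacker-controlled pickle equivalent to running code; the JSON path only ever yields dicts, strings and integers.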

Re: Security Notice: CVE-2019-17080

Post by Moem » Fri Oct 04, 2019 7:51 am

Thanks Clem! I just saw them being offered in the Update Manager. Updating now!

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!

Re: Security Notice: CVE-2019-17080

Post by gm10 » Fri Oct 04, 2019 8:36 am

Saw that yesterday, but frankly w/e, to exploit that you need to have write access to the user's files, at which point you can just run your code directly, so the real world risk from this is probably as close to zero as it gets. Still +1 for the change to JSON, was hoping you'd end up doing that after the initial fix attempt.
Last edited by gm10 on Fri Oct 04, 2019 8:38 am, edited 1 time in total.
Tune up your LM 19.x: ppa:gm10/linuxmint-tools

Re: Security Notice: CVE-2019-17080

Post by mwbworld » Fri Oct 04, 2019 8:37 am

Done! Thanks for the notice and all of the teams' hard work!
- Michael

Re: Security Notice: CVE-2019-17080

Post by kc1di » Fri Oct 04, 2019 8:47 am

Thank you for the quick notice and update.
Easy tips : https://easylinuxtipsproject.blogspot.com/ Pjotr's Great Linux projects page.
Linux Mint Installation Guide: http://linuxmint-installation-guide.rea ... en/latest/
Registered Linux User #462608

Re: Security Notice: CVE-2019-17080

Post by blueocean » Fri Oct 04, 2019 3:00 pm

Great to know someone's watching our backs!
To mark this issue solved, go to your original 1st post and click the edit pencil and add [Solved] at the beginning of the title and click Submit.

Re: Security Notice: CVE-2019-17080

Post by Voltron » Fri Oct 04, 2019 3:37 pm

As others have stated, I want to forward a huge thanks and much appreciation to Clem and the other Mint developers for their quick and dutiful response to this security issue. It's great to have such expertise and watchful eyes on Mint's code. Thank you, everyone!!!

Re: Security Notice: CVE-2019-17080

Post by Linux-Bill » Sat Oct 05, 2019 9:06 am

Gotta luv Mint!!! Found, mentioned, and fixed!!! And, it didn't take days or weeks filled with faulty updates. Thanks for being there - you folks are what make Linux Mint great!!!

Re: Security Notice: CVE-2019-17080

Post by Spearmint2 » Sat Oct 05, 2019 10:24 am

Any problem in 18.3 ??
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....

Re: Security Notice: CVE-2019-17080

Post by gm10 » Sat Oct 05, 2019 11:17 am

Spearmint2 wrote (Sat Oct 05, 2019 10:24 am):
> Any problem in 18.3 ??

No, the problematic code was introduced in LM 19.

Re: Security Notice: CVE-2019-17080

Post by smgordon1259 » Sat Oct 05, 2019 11:17 pm

Thank You sir for your endeavors

Updated as requested.
ASUS M5A78L-M/USB3
AMD FX-4350 (4.2gHz)
Vulcan DDR3 1600MHz 8Gb
EVGA GTX 660 - 2Gb Driver Nvidia 435.21
Linux Mint 19.2 MATE amd64 Kernel 5.3.0-23 generic x86_64
Primary: PNY 120Gb SSD Secondary: Seagate 1Tb SSHD

Re: Security Notice: CVE-2019-17080

Post by Portreve » Tue Oct 08, 2019 3:49 am

clem wrote (Fri Oct 04, 2019 5:54 am):
> Summary
>
> mintinstall (aka Software Manager) 7.9.9 for Linux Mint allows code execution if a REVIEWS_CACHE file is controlled by an attacker, because an unpickle occurs. [Emphasis added.]

An “unpickle”? Y'know, I've been a technology enthusiast since 1986, and I've heard a lot of interesting terms (I still love the Amiga's iconic “Guru meditation error”) but this is a new one on me. :lol:
Presently rocking LinuxMint 19.2 Cinnamon.

Remember to mark your fixed problem [SOLVED].

Xi does look like Winnie the Pooh. FTCG.

Re: Security Notice: CVE-2019-17080

Post by gm10 » Tue Oct 08, 2019 3:54 am

Portreve wrote (Tue Oct 08, 2019 3:49 am):
> An “unpickle”? Y'know, I've been a technology enthusiast since 1986, and I've heard a lot of interesting terms (I still love the Amiga's iconic “Guru meditation error”) but this is a new one on me. :lol:

But you can google, can't you? ;)
https://docs.python.org/3/library/pickle.html

Re: Security Notice: CVE-2019-17080

Post by Moem » Tue Oct 08, 2019 4:48 am

I'm completely familiar with unpickles. We eat them for breakfast, lunch and dinner every day. *grins, ducks, runs*

Re: Security Notice: CVE-2019-17080

Post by Portreve » Tue Oct 08, 2019 5:18 am

Moem wrote (Tue Oct 08, 2019 4:48 am):
> I'm completely familiar with unpickles. We eat them for breakfast, lunch and dinner every day. *grins, ducks, runs*

+1

Re: Security Notice: CVE-2019-17080

Post by AngryDavid 808 » Tue Oct 08, 2019 5:13 pm

Thank you! Just updated my laptop today!
Just a newbie in Linux, I've joined the World of Linux since August, 2019.

DEVICE: HP Pavilion dv6 Notebook - Windows 7 + Zorin OS 15 Ultimate + Linux Mint 19.2 Tina Cinnamon / Intel Core i7 Q720 Processor / 4GB RAM / 500GB SSD Hard Drive

Re: Security Notice: CVE-2019-17080

Post by deepakdeshp » Fri Oct 18, 2019 7:37 am

Moem wrote (Fri Oct 04, 2019 7:51 am):
> Thanks Clem! I just saw them being offered in the Update Manager. Updating now!

How to update this? I am running Mint 19.2 Cinnamon with full updates.
If I have helped you solve a problem, please add [SOLVED] to your first post title, it helps other users looking for help, and keeps the forum clean.
Regards,
Deepak

I am using Mint 19.2 Cinnamon 64 bit with AMD A8/7410 processor . Memory 8GB

Re: Security Notice: CVE-2019-17080

Post by JoeFootball » Fri Oct 18, 2019 10:22 am

deepakdeshp wrote:
> How to update this? I am running Mint 19.2 Cinnamon with full updates.

Then you're done. :)

Joe
