Security Notice: CVE-2019-17080

clem
Level 12
Posts: 4303
Joined: Wed Nov 15, 2006 8:34 am

Post by clem »

Summary

mintinstall (aka Software Manager) 7.9.9 for Linux Mint allows code execution if a REVIEWS_CACHE file is controlled by an attacker, because an unpickle occurs.

https://cve.mitre.org/cgi-bin/cvename.c ... 2019-17080
https://github.com/Andhrimnirr/Mintinst ... -injection

Affected versions

The issue affects 2 packages:

- mintinstall from version 7.9.5 to version 7.9.9
- mint-common version 2.0.6

Fixed versions

Please upgrade to the following versions.

- Linux Mint 19.2 Tina: mintinstall 8.0.0 and mint-common 2.0.7.
- LMDE 3 Cindy: mintinstall 8.0.0 and mint-common 2.0.7.
- Linux Mint 19.1 Tessa: mintinstall 7.9.7.1
- Linux Mint 19 Tara: mintinstall 7.9.5.1

References

https://github.com/linuxmint/mintinstal ... 64b1a048ad
https://github.com/linuxmint/mintcommon ... 62c1ce3570
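
The failure mode in the summary, shown as an added example (not part of the original post and not mintinstall's code): a pickle stream can name a callable to run at load time, while a JSON cache can only yield data. The `Crafted` sample, the helper names and the cache schema (`avg_rating`, `num_reviews`) are assumptions made for illustration.

```python
import io
import json
import pickle

class Crafted:
    """Constructed sample: its pickle says "call print(...)" when loaded."""
    def __reduce__(self):
        return (print, ("this ran inside pickle.load()",))

class _Recorder(pickle.Unpickler):
    """Unpickler that notes every global a stream asks for and refuses it."""
    def __init__(self, fh):
        super().__init__(fh)
        self.seen = []

    def find_class(self, module, name):
        self.seen.append((module, name))
        raise pickle.UnpicklingError(f"refused global {module}.{name}")

def requested_globals(raw: bytes):
    """Return the (module, name) pairs a pickle stream tries to import."""
    rec = _Recorder(io.BytesIO(raw))
    try:
        rec.load()
    except Exception:
        pass  # refused global or malformed stream: nothing was executed
    return rec.seen

def load_reviews_json(raw: bytes):
    """Data-only loader: parse JSON and keep only well-formed entries.

    Assumed (hypothetical) schema: {package: {"avg_rating", "num_reviews"}}.
    """
    try:
        data = json.loads(raw.decode("utf-8"))
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return {}
    if not isinstance(data, dict):
        return {}
    clean = {}
    for pkg, entry in data.items():
        if (isinstance(entry, dict)
                and type(entry.get("avg_rating")) in (int, float)
                and type(entry.get("num_reviews")) is int):
            clean[pkg] = {"avg_rating": entry["avg_rating"],
                          "num_reviews": entry["num_reviews"]}
    return clean
```

A cache file that legitimately holds only dicts, lists, strings and numbers requests no globals at all, so any non-empty result from `requested_globals` on such a file is worth investigating.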
Moem
Level 22
Posts: 16224
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands

Re: Security Notice: CVE-2019-17080

Post by Moem »

Thanks Clem! I just saw them being offered in the Update Manager. Updating now!

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!
gm10

Re: Security Notice: CVE-2019-17080

Post by gm10 »

Saw that yesterday, but frankly w/e, to exploit that you need to have write access to the user's files, at which point you can just run your code directly, so the real world risk from this is probably as close to zero as it gets. Still +1 for the change to JSON, was hoping you'd end up doing that after the initial fix attempt.
Last edited by gm10 on Fri Oct 04, 2019 8:38 am, edited 1 time in total.
mwbworld

Re: Security Notice: CVE-2019-17080

Post by mwbworld »

Done! Thanks for the notice and all of the teams' hard work!
kc1di
Level 18
Posts: 8146
Joined: Mon Sep 08, 2008 8:44 pm
Location: Maine USA

Re: Security Notice: CVE-2019-17080

Post by kc1di »

Thank you for the quick notice and update.
Easy tips : https://easylinuxtipsproject.blogspot.com/ Pjotr's Great Linux projects page.
Linux Mint Installation Guide: http://linuxmint-installation-guide.rea ... en/latest/
Registered Linux User #462608
LanceM

Re: Security Notice: CVE-2019-17080

Post by LanceM »

Great to know someone's watching our backs!
Voltron
Level 2
Posts: 85
Joined: Tue Oct 21, 2014 12:48 am
Location: Indiana University--Bloomington

Re: Security Notice: CVE-2019-17080

Post by Voltron »

As others have stated, I want to forward a huge thanks and much appreciation to Clem and the other Mint developers for their quick and dutiful response to this security issue. It's great to have such expertise and watchful eyes on Mint's code. Thank you, everyone!!!
Linux-Bill
Level 3
Posts: 133
Joined: Mon Mar 14, 2016 4:19 pm

Re: Security Notice: CVE-2019-17080

Post by Linux-Bill »

Gotta luv Mint!!! Found, mentioned, and fixed!!! And, it didn't take days or weeks filled with faulty updates. Thanks for being there - you folks are what make Linux Mint great!!!
Spearmint2
Level 16
Posts: 6900
Joined: Sat May 04, 2013 1:41 pm
Location: Maryland, USA

Re: Security Notice: CVE-2019-17080

Post by Spearmint2 »

Any problem in 18.3 ??
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....
gm10

Re: Security Notice: CVE-2019-17080

Post by gm10 »

Spearmint2 wrote: Sat Oct 05, 2019 10:24 am Any problem in 18.3 ??
No, the problematic code was introduced in LM 19.
Portreve
Level 13
Posts: 4882
Joined: Mon Apr 18, 2011 12:03 am
Location: Within 20,004 km of YOU!

Re: Security Notice: CVE-2019-17080

Post by Portreve »

clem wrote: Fri Oct 04, 2019 5:54 am Summary

mintinstall (aka Software Manager) 7.9.9 for Linux Mint allows code execution if a REVIEWS_CACHE file is controlled by an attacker, because an unpickle occurs. [Emphasis added.]
An “unpickle”? Y'know, I've been a technology enthusiast since 1986, and I've heard a lot of interesting terms (I still love the Amiga's iconic “Guru meditation error”) but this is a new one on me. :lol:
Flying this flag in support of freedom 🇺🇦

Recommended keyboard layout: English (intl., with AltGR dead keys)

Podcasts: Linux Unplugged, Destination Linux

Also check out Thor Hartmannsson's Linux Tips YouTube Channel
gm10

Re: Security Notice: CVE-2019-17080

Post by gm10 »

Portreve wrote: Tue Oct 08, 2019 3:49 am An “unpickle”? Y'know, I've been a technology enthusiast since 1986, and I've heard a lot of interesting terms (I still love the Amiga's iconic “Guru meditation error”) but this is a new one on me. :lol:
But you can google, can't you? ;)
https://docs.python.org/3/library/pickle.html
Moem
Level 22
Posts: 16224
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands

Re: Security Notice: CVE-2019-17080

Post by Moem »

I'm completely familiar with unpickles. We eat them for breakfast, lunch and dinner every day. *grins, ducks, runs*

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!
Portreve
Level 13
Posts: 4882
Joined: Mon Apr 18, 2011 12:03 am
Location: Within 20,004 km of YOU!

Re: Security Notice: CVE-2019-17080

Post by Portreve »

Moem wrote: Tue Oct 08, 2019 4:48 am I'm completely familiar with unpickles. We eat them for breakfast, lunch and dinner every day. *grins, ducks, runs*
+1
Flying this flag in support of freedom 🇺🇦

Recommended keyboard layout: English (intl., with AltGR dead keys)

Podcasts: Linux Unplugged, Destination Linux

Also check out Thor Hartmannsson's Linux Tips YouTube Channel
AngryDavid 808
Level 2
Posts: 73
Joined: Sat Sep 28, 2019 7:56 am
Location: Egypt

Re: Security Notice: CVE-2019-17080

Post by AngryDavid 808 »

Thank you! Just updated my laptop today!
Linux user since August, 2019.
DEVICE: HP Pavilion dv6-2300 - Win10 + Mint 21 / Intel Core i7 Q720 1.6GHz / 4GB RAM / 256GB Internal SSD + 1TB Toshiba HDD (Caddy used) + 1TB WD Elements External HDD (yeah, I'm kind of a data hoarder) / nVidia GeForce 320M
deepakdeshp
Level 20
Posts: 12334
Joined: Sun Aug 09, 2015 10:00 am

Re: Security Notice: CVE-2019-17080

Post by deepakdeshp »

Moem wrote: Fri Oct 04, 2019 7:51 am Thanks Clem! I just saw them being offered in the Update Manager. Updating now!
How to update this? I am running Mint 19.2 Cinnamon with full updates.
If I have helped you solve a problem, please add [SOLVED] to your first post title, it helps other users looking for help.
Regards,
Deepak

Mint 21.1 Cinnamon 64 bit with AMD A6 / 8GB
Mint 21.1 Cinnamon AMD Ryzen3500U/8gb
JoeFootball
Level 13
Posts: 4674
Joined: Tue Nov 24, 2009 1:52 pm
Location: /home/usa/mn/minneapolis/joe

Re: Security Notice: CVE-2019-17080

Post by JoeFootball »

deepakdeshp wrote: How to update this? I am running Mint 19.2 Cinnamon with full updates.
Then you're done. :)

Joe
JOSEILLO

Re: Security Notice: CVE-2019-17080

Post by JOSEILLO »

GREETINGS, THANK YOU FOR THE INFORMATION AND THE WAY THAT DETAILED IT, IT WAS A LOT OF HELP.
deepakdeshp
Level 20
Posts: 12334
Joined: Sun Aug 09, 2015 10:00 am

Re: Security Notice: CVE-2019-17080

Post by deepakdeshp »

JOSEILLO wrote: Thu Nov 28, 2019 12:36 pm GREETINGS, THANK YOU FOR THE INFORMATION AND THE WAY THAT DETAILED IT, IT WAS A LOT OF HELP.
Typing all caps is considered as shouting.
If I have helped you solve a problem, please add [SOLVED] to your first post title, it helps other users looking for help.
Regards,
Deepak

Mint 21.1 Cinnamon 64 bit with AMD A6 / 8GB
Mint 21.1 Cinnamon AMD Ryzen3500U/8gb
trytip
Level 14
Posts: 5371
Joined: Tue Jul 05, 2016 1:20 pm

Re: Security Notice: CVE-2019-17080

Post by trytip »

gm10 wrote: Tue Oct 08, 2019 3:54 am
Portreve wrote: Tue Oct 08, 2019 3:49 am An “unpickle”? Y'know, I've been a technology enthusiast since 1986, and I've heard a lot of interesting terms (I still love the Amiga's iconic “Guru meditation error”) but this is a new one on me. :lol:
But you can google, can't you? ;)
https://docs.python.org/3/library/pickle.html
Amiga's iconic “Guru meditation error” ??? wow i thought i was old, nope never heard of it and yes gm10 i can g00gle it :D
it
/it/ pronoun
1. used to refer to a thing previously mentioned or easily identified. "a room with two beds in it"
2. used to identify a person. "it's me"
BTW @gm10, for those of us that have your ppa is your mint-common 2.2.4~gm10 fixed as well? i'm sure it is