Security Notice: CVE-2019-17080
Summary
mintinstall (aka Software Manager) 7.9.9 for Linux Mint allows code execution if a REVIEWS_CACHE file is controlled by an attacker, because an unpickle occurs.
https://cve.mitre.org/cgi-bin/cvename.c ... 2019-17080
https://github.com/Andhrimnirr/Mintinst ... -injection
Affected versions
The issue affects 2 packages:
- mintinstall from version 7.9.5 to version 7.9.9
- mint-common version 2.0.6
Fixed versions
Please upgrade to the following versions.
- Linux Mint 19.2 Tina: mintinstall 8.0.0 and mint-common 2.0.7.
- LMDE 3 Cindy: mintinstall 8.0.0 and mint-common 2.0.7.
- Linux Mint 19.1 Tessa: mintinstall 7.9.7.1
- Linux Mint 19 Tara: mintinstall 7.9.5.1
References
https://github.com/linuxmint/mintinstal ... 64b1a048ad
https://github.com/linuxmint/mintcommon ... 62c1ce3570
Re: Security Notice: CVE-2019-17080
Thanks Clem! I just saw them being offered in the Update Manager. Updating now!
If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!
Re: Security Notice: CVE-2019-17080
Saw that yesterday, but frankly w/e, to exploit that you need to have write access to the user's files, at which point you can just run your code directly, so the real world risk from this is probably as close to zero as it gets. Still +1 for the change to JSON, was hoping you'd end up doing that after the initial fix attempt.
Last edited by gm10 on Fri Oct 04, 2019 8:38 am, edited 1 time in total.
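The unpickle issue described in the notice and the move to JSON mentioned above, as an added example that is not part of the thread and is not mintinstall's code: it statically inspects a pickle stream for opcodes that import and call objects during loading, and loads a JSON cache with type checks. The cache schema (`score`, `count`), the function names and the sample data are assumptions constructed for illustration.

```python
import json
import pickle
import pickletools

# Opcodes that let a pickle stream import objects and call them while loading.
RISKY_OPS = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
             "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def risky_opcodes(data: bytes) -> set:
    """Walk the opcode stream without executing it and report risky opcodes."""
    return {op.name for op, _arg, _pos in pickletools.genops(data)
            if op.name in RISKY_OPS}


def load_reviews_json(text: str) -> dict:
    """Parse a JSON cache, accepting only {name: {"score": int, "count": int}}."""
    data = json.loads(text)  # yields only dict/list/str/number/bool/None
    if not isinstance(data, dict):
        raise ValueError("cache root must be an object")
    clean = {}
    for name, entry in data.items():
        if not isinstance(entry, dict):
            raise ValueError(f"entry for {name!r} must be an object")
        score, count = entry.get("score"), entry.get("count")
        if type(score) is not int or type(count) is not int:
            raise ValueError(f"entry for {name!r} has non-integer fields")
        clean[name] = {"score": score, "count": count}
    return clean


class _CallsLen:
    """Constructed sample: its pickle asks the loader to call len("constructed")."""
    def __reduce__(self):
        return (len, ("constructed",))


SAMPLE = {"gimp": {"score": 5, "count": 10}}   # constructed cache content
DATA_ONLY_PICKLE = pickle.dumps(SAMPLE)
CALLABLE_PICKLE = pickle.dumps(_CallsLen())

if __name__ == "__main__":
    print(risky_opcodes(DATA_ONLY_PICKLE))   # plain data: nothing flagged
    print(risky_opcodes(CALLABLE_PICKLE))    # import + call opcodes flagged
    print(load_reviews_json(json.dumps(SAMPLE)))
```

The opcode scan is a triage aid for existing cache files, not a safe way to keep using pickle; the JSON loader is what removes the code path.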
Re: Security Notice: CVE-2019-17080
Done! Thanks for the notice and all of the teams' hard work!
Re: Security Notice: CVE-2019-17080
Thank you for the quick notice and update.
Easy tips : https://easylinuxtipsproject.blogspot.com/ Pjotr's Great Linux projects page.
Linux Mint Installation Guide: http://linuxmint-installation-guide.rea ... en/latest/
Registered Linux User #462608
- Voltron
- Level 2
- Posts: 85
- Joined: Tue Oct 21, 2014 12:48 am
- Location: Indiana University--Bloomington
Re: Security Notice: CVE-2019-17080
As others have stated, I want to forward a huge thanks and much appreciation to Clem and the other Mint developers for their quick and dutiful response to this security issue. It's great to have such expertise and watchful eyes on Mint's code. Thank you, everyone!!!
- Linux-Bill
- Level 3
- Posts: 133
- Joined: Mon Mar 14, 2016 4:19 pm
Re: Security Notice: CVE-2019-17080
Gotta luv Mint!!! Found, mentioned, and fixed!!! And, it didn't take days or weeks filled with faulty updates. Thanks for being there - you folks are what make Linux Mint great!!!
- Spearmint2
- Level 16
- Posts: 6900
- Joined: Sat May 04, 2013 1:41 pm
- Location: Maryland, USA
Re: Security Notice: CVE-2019-17080
Any problem in 18.3 ??
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....
Re: Security Notice: CVE-2019-17080
No, the problematic code was introduced in LM 19.
- Portreve
- Level 13
- Posts: 4882
- Joined: Mon Apr 18, 2011 12:03 am
- Location: Within 20,004 km of YOU!
- Contact:
Re: Security Notice: CVE-2019-17080
An “unpickle”? Y'know, I've been a technology enthusiast since 1986, and I've heard a lot of interesting terms (I still love the Amiga's iconic “Guru meditation error”) but this is a new one on me.
Flying this flag in support of freedom 🇺🇦
Recommended keyboard layout: English (intl., with AltGR dead keys)
Podcasts: Linux Unplugged, Destination Linux
Also check out Thor Hartmannsson's Linux Tips YouTube Channel
Re: Security Notice: CVE-2019-17080
Re: Security Notice: CVE-2019-17080
I'm completely familiar with unpickles. We eat them for breakfast, lunch and dinner every day. *grins, ducks, runs*
If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!
- Portreve
- Level 13
- Posts: 4882
- Joined: Mon Apr 18, 2011 12:03 am
- Location: Within 20,004 km of YOU!
- Contact:
Re: Security Notice: CVE-2019-17080
+1
Flying this flag in support of freedom 🇺🇦
Recommended keyboard layout: English (intl., with AltGR dead keys)
Podcasts: Linux Unplugged, Destination Linux
Also check out Thor Hartmannsson's Linux Tips YouTube Channel
- AngryDavid 808
- Level 2
- Posts: 73
- Joined: Sat Sep 28, 2019 7:56 am
- Location: Egypt
Re: Security Notice: CVE-2019-17080
Thank you! Just updated my laptop today!
Linux user since August, 2019.
DEVICE: HP Pavilion dv6-2300 - Win10 + Mint 21 / Intel Core i7 Q720 1.6GHz / 4GB RAM / 256GB Internal SSD + 1TB Toshiba HDD (Caddy used) + 1TB WD Elements External HDD (yeah, I'm kind of a data hoarder) / nVidia GeForce 320M
-
- Level 20
- Posts: 12334
- Joined: Sun Aug 09, 2015 10:00 am
Re: Security Notice: CVE-2019-17080
How to update this? I am running Mint 19.2 Cinnamon with full updates.
If I have helped you solve a problem, please add [SOLVED] to your first post title, it helps other users looking for help.
Regards,
Deepak
Mint 21.1 Cinnamon 64 bit with AMD A6 / 8GB
Mint 21.1 Cinnamon AMD Ryzen3500U/8gb
- JoeFootball
- Level 13
- Posts: 4674
- Joined: Tue Nov 24, 2009 1:52 pm
- Location: /home/usa/mn/minneapolis/joe
Re: Security Notice: CVE-2019-17080
deepakdeshp wrote: How to update this? I am running Mint 19.2 Cinnamon with full updates.
Then you're done.
Joe
Re: Security Notice: CVE-2019-17080
GREETINGS, THANK YOU FOR THE INFORMATION AND THE WAY THAT DETAILED IT, IT WAS A LOT OF HELP.
-
- Level 20
- Posts: 12334
- Joined: Sun Aug 09, 2015 10:00 am
Re: Security Notice: CVE-2019-17080
Typing all caps is considered as shouting.
If I have helped you solve a problem, please add [SOLVED] to your first post title, it helps other users looking for help.
Regards,
Deepak
Mint 21.1 Cinnamon 64 bit with AMD A6 / 8GB
Mint 21.1 Cinnamon AMD Ryzen3500U/8gb
Re: Security Notice: CVE-2019-17080
gm10 wrote: ⤴Tue Oct 08, 2019 3:54 am
But you can google, can't you?
https://docs.python.org/3/library/pickle.html
Amiga's iconic “Guru meditation error” ??? wow i thought i was old, nope never heard of it and yes gm10 i can g00gle it
BTW @gm10, for those of us that have your ppa is your mint-common 2.2.4~gm10 fixed as well? i'm sure it is
it
/it/ pronoun
1. used to refer to a thing previously mentioned or easily identified. "a room with two beds in it"
2. used to identify a person. "it's me"