CVE-2017-15131

Published: 09 January 2018

It was found that system umask policy is not being honored when creating XDG user directories, since Xsession sources xdg-user-dirs.sh before setting umask policy. This only affects xdg-user-dirs before 0.15.5 as shipped with Red Hat Enterprise Linux.
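A defender-side check for the condition described above, as an added example that is not part of the original advisory or of xdg-user-dirs itself: it reads a user-dirs.dirs file and reports XDG directories whose mode keeps bits the given umask would have cleared. The function and variable names are hypothetical, and GNU stat (-c '%a') is assumed.

```shell
#!/bin/sh
# Added example (not from the advisory): report XDG user directories whose
# permissions are looser than a given umask policy allows.
# Assumes GNU stat; function and variable names are hypothetical.

# Succeeds when octal mode $1 keeps any permission bit that umask $2 clears.
mode_violates_umask() {
    [ $(( 0$1 & 0$2 & 0777 )) -ne 0 ]
}

# audit_xdg_dirs CONF UMASK HOME
# CONF is a user-dirs.dirs file; prints "<mode> <path>" per offending directory.
audit_xdg_dirs() {
    xdg_conf=$1 xdg_mask=$2 xdg_home=$3
    while IFS= read -r xdg_line; do
        # Entries look like: XDG_DESKTOP_DIR="$HOME/Desktop"
        case $xdg_line in
            XDG_*_DIR=\"*\") ;;
            *) continue ;;
        esac
        xdg_path=${xdg_line#*=\"}
        xdg_path=${xdg_path%\"}
        # The file stores a literal $HOME prefix; substitute it without eval.
        case $xdg_path in
            \$HOME/*) xdg_path=$xdg_home/${xdg_path#\$HOME/} ;;
        esac
        # Skip entries whose directory was never created or has been removed.
        [ -d "$xdg_path" ] || continue
        xdg_mode=$(stat -c '%a' "$xdg_path")
        if mode_violates_umask "$xdg_mode" "$xdg_mask"; then
            printf '%s %s\n' "$xdg_mode" "$xdg_path"
        fi
    done < "$xdg_conf"
    return 0
}

# Usage: audit_xdg_dirs "$HOME/.config/user-dirs.dirs" 077 "$HOME"
```

Directories created before a fix keep their original mode, so a check like this is still useful after the package is updated.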

Priority

Low

CVSS 3 base score: 7.8

Status

Package: xdg-user-dirs (Launchpad, Ubuntu, Debian)

Release: Status
Upstream: Needed
Ubuntu 21.04 (Hirsute Hippo): Needed
Ubuntu 20.10 (Groovy Gorilla): Needed
Ubuntu 20.04 LTS (Focal Fossa): Needed
Ubuntu 18.04 LTS (Bionic Beaver): Needed
Ubuntu 16.04 LTS (Xenial Xerus): Needed
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was needs-triage)

Notes

Author: seth-arnold

Note:
This feels like a fundamental misunderstanding of the Unix model to assume that every task run on behalf of a user will be started as a child process of bash or sh run as an interactive or login shell.
Environments that want a specific umask set for users should use the pam_umask(8) module as part of the login process.
Environments that need a specific umask set for compliance reasons should investigate the feasibility of preparing a single-purpose LSM or seccomp jail interface of some sort.

References