DescriptionIt was found that system umask policy is not being honored when creating XDG user directories, since Xsession sources before setting umask policy. This only affects xdg-user-dirs before 0.15.5 as shipped with Red Hat Enterprise Linux.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: local)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
xdg-user-dirs (PTS)jessie, stretch0.15-2vulnerable
buster, sid0.17-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs


The CVE relates that created directories by xdg-user-dirs might not
respect a system policy for user created files by setting a umask
system-wide in e.g. /etc/profile due to xdg-user-dirs beeing invoked
from Xsession scripts. This can be mitigated by e.g. using pam_umask
on session start and having it when xdg-user-dirs is executed.
In Debian xdg-user-dirs starting from 0.15-3 replaces the use of
/etc/X11/Xsession.d/*xdg-user-dirs-update with an autostart .desktop
file for user-dirs-update primarly to work as well with Wayland
Enforcements can be achieved e.g. by using pam_umask.

Search for package or bug name: Reporting problems