|Description||It was found that system umask policy is not being honored when creating XDG user directories, since Xsession sources xdg-user-dirs.sh before setting umask policy. This only affects xdg-user-dirs before 0.15.5 as shipped with Red Hat Enterprise Linux.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)|
Vulnerable and fixed packages
The table below lists information on source packages.
|xdg-user-dirs (PTS)||jessie, stretch||0.15-2||vulnerable|
|bullseye, sid, buster||0.17-2||vulnerable|
The information below is based on the following data on fixed versions.
|Package||Type||Release||Fixed Version||Urgency||Origin||Debian Bugs|
The CVE relates that created directories by xdg-user-dirs might not
respect a system policy for user created files by setting a umask
system-wide in e.g. /etc/profile due to xdg-user-dirs beeing invoked
from Xsession scripts. This can be mitigated by e.g. using pam_umask
on session start and having it when xdg-user-dirs is executed.
In Debian xdg-user-dirs starting from 0.15-3 replaces the use of
/etc/X11/Xsession.d/*xdg-user-dirs-update with an autostart .desktop
file for user-dirs-update primarly to work as well with Wayland
Enforcements can be achieved e.g. by using pam_umask.