| Name | CVE-2017-15131 |
| Description | It was found that system umask policy is not being honored when creating XDG user directories, since Xsession sources xdg-user-dirs.sh before setting umask policy. This only affects xdg-user-dirs before 0.15.5 as shipped with Red Hat Enterprise Linux. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| xdg-user-dirs (PTS) | bullseye | 0.17-2 | vulnerable |
| sid, trixie, bookworm | 0.18-1 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| xdg-user-dirs | source | (unstable) | (unfixed) | unimportant | | |
Notes
The CVE relates that created directories by xdg-user-dirs might not
respect a system policy for user created files by setting a umask
system-wide in e.g. /etc/profile due to xdg-user-dirs beeing invoked
from Xsession scripts. This can be mitigated by e.g. using pam_umask
on session start and having it when xdg-user-dirs is executed.
In Debian xdg-user-dirs starting from 0.15-3 replaces the use of
/etc/X11/Xsession.d/*xdg-user-dirs-update with an autostart .desktop
file for user-dirs-update primarly to work as well with Wayland
sessions.
Enforcements can be achieved e.g. by using pam_umask.
http://bugs.freedesktop.org/show_bug.cgi?id=102303