Security update for accountsservice SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2018:3625-1 Final 1 1 2018-11-05T16:56:21Z current 2018-11-05T16:56:21Z 2018-11-05T16:56:21Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for accountsservice This update for accountsservice fixes the following issues: This security issue was fixed: - CVE-2018-14036: Prevent directory traversal caused by an insufficient path check in user_change_icon_file_authorized_cb() (bsc#1099699) Thsese non-security issues were fixed: - Don't abort loading users when an /etc/shadow entry is missing. (bsc#1090003) - When user session type is wayland, act_user_is_logged_in can return TRUE if the user is logged in. (bsc#1095918) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Module-Desktop-Applications-15-2018-2579 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2018/suse-su-20183625-1/ Link for SUSE-SU-2018:3625-1 https://lists.suse.com/pipermail/sle-security-updates/2018-November/004832.html E-Mail link for SUSE-SU-2018:3625-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1090003 SUSE Bug 1090003 https://bugzilla.suse.com/1095918 SUSE Bug 1095918 https://bugzilla.suse.com/1099699 SUSE Bug 1099699 https://www.suse.com/security/cve/CVE-2018-14036/ SUSE CVE CVE-2018-14036 page SUSE Linux Enterprise Module for Desktop Applications 15 accountsservice-0.6.45-6.7.6 accountsservice-devel-0.6.45-6.7.6 accountsservice-lang-0.6.45-6.7.6 libaccountsservice0-0.6.45-6.7.6 typelib-1_0-AccountsService-1_0-0.6.45-6.7.6 accountsservice-0.6.45-6.7.6 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 accountsservice-devel-0.6.45-6.7.6 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 accountsservice-lang-0.6.45-6.7.6 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 libaccountsservice0-0.6.45-6.7.6 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 typelib-1_0-AccountsService-1_0-0.6.45-6.7.6 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 Directory Traversal with ../ sequences occurs in AccountsService before 0.6.50 because of an insufficient path check in user_change_icon_file_authorized_cb() in user.c. CVE-2018-14036 SUSE Linux Enterprise Module for Desktop Applications 15:accountsservice-0.6.45-6.7.6 SUSE Linux Enterprise Module for Desktop Applications 15:accountsservice-devel-0.6.45-6.7.6 SUSE Linux Enterprise Module for Desktop Applications 15:accountsservice-lang-0.6.45-6.7.6 SUSE Linux Enterprise Module for Desktop Applications 15:libaccountsservice0-0.6.45-6.7.6 SUSE Linux Enterprise Module for Desktop Applications 15:typelib-1_0-AccountsService-1_0-0.6.45-6.7.6 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20183625-1/ https://www.suse.com/security/cve/CVE-2018-14036.html CVE-2018-14036 https://bugzilla.suse.com/1099699 SUSE Bug 1099699 https://bugzilla.suse.com/1101332 SUSE Bug 1101332 https://bugzilla.suse.com/1112694 SUSE Bug 1112694