The Deepin team in Spanish has detected a serious security hole in Deepin 20.2.2, Which was released last Monday June 28 (June 29 in China). This flaw has been reported to the Deepin development team and they are working on a solution, although they have not notified when they will publish this solution.
But given the severity of the flaw, we have taken the initiative to work out a solution in the meantime.
WHAT DOES THE FAULT CONSIST OF?
Checking the permissions of the system files, we detect that the files of the system kernel 5.10.36 and 5.12.9, published in Deepin 20.2.2, are owned by the desktop user. This allows any attacker, even without access to the superuser, to modify the files and folders of the kernel, having the possibility to delete files essential for the operation of the kernel and the entire system, going through replacing files with files with malware, to inject malicious code, gaining complete control of the system.
We also confirm that this failure not only affects systems that update from previous versions of Deepin, but also affects installations from scratch made with the Deepin ISO 20.2.2.
The cause of this problem is the improper packaging of the linux-image-5.10.36-amd64-desktop and linux-image-5.12.9-amd64-desktop packages used to install the kernel.
The solution that the Deepin in Spanish team has chosen is to look for the files of the kernel with the desktop user as the owner, and correct the permissions to the GNU / Linux standard, assigned as owner to the user and group to root, so that only the superuser can modify them.
Applying this solution is very simple, simply install the "deepines-security-patch" package from the Deepines Store. Using the search box, search for "deepines" and in the results you can easily select it to install it.
You can also install "deepines-security-patch" from the terminal by executing the following command.
sudo apt update && sudo apt install deepines-security-patch
If you have not yet installed the Deepines Store, then we provide the download button.
We sincerely hope that this type of failure does not happen again, it is quite disappointing that this has happened, Wuhan Deepin Technology must improve its quality controls substantially.
It is a blow to the trust of the users, and although Deepin, as a private company, generously gives away its software to the community, allowing us to enjoy a nice and easy-to-use desktop and applications for free; As a community, our contribution is to help improve this software by providing feedback and offering solutions within our possibilities, that includes indicating faults and demanding good quality, from aesthetics to safety, but always in the spirit of building together.