Fix privilege escalation vulnerability (CVE-2011-0727)

Bug #746053 reported by Steve Beattie
Affects: gdm (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Binary package hint: gdm

Sebastian Krahmer discovered that GDM did not properly drop privileges
when handling the cache directories used to store users' dmrc and
face icon files. This could allow a local attacker to change the
ownership of arbitrary files, thereby gaining root privileges.

The upcoming USN 1099-1 addresses the issue for karmic, lucid, and maverick (hardy is not affected); this bug is for tracking for natty.

The relevant upstream patch is http://git.gnome.org/browse/gdm/commit/?h=gnome-2-32&id=f2eb8e2b25844d6964129e0232e022995e27e11f

Steve Beattie (sbeattie)
visibility: private → public
Sebastien Bacher (seb128) wrote :

The VCS used is the wrong one, but feel free to commit to the correct one and upload to natty if you want.

Steve Beattie (sbeattie) wrote :

Sebastian, sorry about using the wrong branch. I've adjusted that and linked the corrected branch to this bug report. Thanks for the feedback!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gdm - 2.32.0-0ubuntu15

---------------
gdm (2.32.0-0ubuntu15) natty; urgency=low

  * SECURITY UPDATE: race condition allowing privilege escalation
    - debian/patches/43_CVE-2011-0727.patch: fix
      daemon/gdm-session-worker.c to copy files as session user rather
      than root followed by a subsequent chown. (LP: #746053)
    - CVE-2011-0727
 -- Steve Beattie <email address hidden> Mon, 04 Apr 2011 20:42:03 -0700

Changed in gdm (Ubuntu):
status: New → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
