Guest session clean up can remove other user's files

Bug #953044 reported by Martin Pitt on 2012-03-12
This bug affects 2 people
Affects                       Importance  Assigned to
Light Display Manager         Undecided   Unassigned
gdm-guest-session (Ubuntu)    Undecided   Unassigned
  Lucid                       Undecided   Marc Deslauriers
  Maverick                    Undecided   Marc Deslauriers
  Natty                       Undecided   Marc Deslauriers
  Oneiric                     Undecided   Unassigned
lightdm (Ubuntu)              High        Martin Pitt
  Oneiric                     Undecided   Marc Deslauriers
  Precise                     High        Martin Pitt

Bug Description

/usr/sbin/guest-account has this cleanup:

  # remove leftovers in /tmp
  find /tmp -mindepth 1 -maxdepth 1 -uid "$UID" | xargs rm -rf || true

This runs with the cwd of the last logged in user. If the user creates a file "/tmp/x a", the file "a" gets removed from the last user's login.

Thanks to Ryan Lortie for discovering this!
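
The word splitting behind this report, reproduced inside scratch directories, as an added example that is not part of the original report or of the Ubuntu packaging. `cleanup_unsafe` is the pipeline quoted above and `cleanup_safe` uses NUL separators as the changelogs on this page describe; the `-print0`/`-0` spelling, the `run_demo` helper, the use of the current user's uid, and all paths are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed demo: both variants run only inside a throwaway directory
# created by mktemp, never against the real /tmp.

# cleanup_unsafe DIR: the original pipeline. xargs splits its input on
# whitespace, so one name containing a space becomes two rm arguments.
cleanup_unsafe() {
    find "$1" -mindepth 1 -maxdepth 1 -uid "$(id -u)" | xargs rm -rf || true
}

# cleanup_safe DIR: names are NUL-terminated end to end, so a name is
# always passed to rm as exactly one argument.
cleanup_safe() {
    find "$1" -mindepth 1 -maxdepth 1 -uid "$(id -u)" -print0 | xargs -0 rm -rf || true
}

# run_demo VARIANT: builds a scratch "tmp" dir holding a leftover named
# "x a" and a separate "cwd" dir holding a file "a", runs VARIANT from
# inside cwd, and prints "<fate of cwd/a> <fate of tmp/x a>".
run_demo() {
    scratch=$(mktemp -d) || return 1
    mkdir "$scratch/tmp" "$scratch/cwd"
    : > "$scratch/cwd/a"      # stands in for the previous user's file
    : > "$scratch/tmp/x a"    # leftover whose name contains a space
    ( cd "$scratch/cwd" && "$1" "$scratch/tmp" )
    if [ -e "$scratch/cwd/a" ]; then bystander=kept; else bystander=deleted; fi
    if [ -e "$scratch/tmp/x a" ]; then leftover=left; else leftover=removed; fi
    rm -rf "$scratch"
    echo "$bystander $leftover"
}

echo "unsafe: $(run_demo cleanup_unsafe)"
echo "safe:   $(run_demo cleanup_safe)"
```

The unsafe variant both deletes the unrelated file in the working directory and fails to remove the leftover it was meant to clean, because neither half of the split name matches the real path.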

Martin Pitt (pitti) wrote :

Same bug in gdm-guest-session. This exists up to oneiric, although it won't work at all in oneiric (we forgot to remove it).

no longer affects: lightdm (Ubuntu Lucid)
no longer affects: lightdm (Ubuntu Maverick)
no longer affects: lightdm (Ubuntu Natty)
no longer affects: gdm-guest-session (Ubuntu Precise)
Martin Pitt (pitti) on 2012-03-12
Changed in lightdm:
assignee: nobody → Martin Pitt (pitti)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in gdm-guest-session (Ubuntu Lucid):
status: New → Confirmed
Changed in gdm-guest-session (Ubuntu Maverick):
status: New → Confirmed
Changed in gdm-guest-session (Ubuntu Natty):
status: New → Confirmed
Changed in gdm-guest-session (Ubuntu Oneiric):
status: New → Confirmed
Changed in gdm-guest-session (Ubuntu):
status: New → Confirmed
Changed in lightdm (Ubuntu Oneiric):
status: New → Confirmed
Martin Pitt (pitti) wrote :

This script is not in lightdm trunk, only in the packaging (/debian/guest-account)

Changed in lightdm:
assignee: Martin Pitt (pitti) → nobody
status: New → Invalid
Martin Pitt (pitti) wrote :

CC'ing Yves-Alexis Perez as he is the Debian maintainer. It only affects testing/unstable (if Debian ships the guest account script at all), so it doesn't need a DSA.

Martin Pitt (pitti) wrote :

Precise debdiff. I did not commit this to the packaging branch yet as this has not been published yet.

Martin Pitt (pitti) wrote :

Argh, the previous attachment was an older version which is broken.

Marc Deslauriers (mdeslaur) wrote :

Debian doesn't seem to ship the guest account script in their lightdm package, so this is likely Ubuntu-specific.

Please wait until I publish updates to the stable release before committing this.

Thanks!

Marc Deslauriers (mdeslaur) wrote :

This is CVE-2012-0943

Changed in gdm-guest-session (Ubuntu Lucid):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in gdm-guest-session (Ubuntu Maverick):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in gdm-guest-session (Ubuntu Natty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in lightdm (Ubuntu Oneiric):
assignee: nobody → Marc Deslauriers (mdeslaur)
Yves-Alexis Perez (corsac) wrote :

Thanks for the subscription. Indeed, we don't ship guest support (and now I know why)

Martin Pitt (pitti) wrote :

debdiff for oneiric's gdm-guest-session. Should apply well to older versions as well. I also fixed the cleanup in /var/cache/gdm/, although that's not an exploitable vulnerability.

Martin Pitt (pitti) wrote :

Closing precise task of gdm-guest-session, it's gone.

Changed in gdm-guest-session (Ubuntu):
status: Confirmed → Invalid
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.0.6-0ubuntu1.6

---------------
lightdm (1.0.6-0ubuntu1.6) oneiric-security; urgency=low

  * SECURITY UPDATE: Guest session arbitrary file deletion (LP: #953044)
    - debian/guest-account: Use find/xargs with 0 separators instead of
      spaces. Thanks to Martin Pitt for the fix.
    - Thanks to Ryan Lortie for reporting this issue.
    - CVE-2012-0943
 -- Marc Deslauriers <email address hidden> Mon, 12 Mar 2012 11:08:04 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gdm-guest-session - 0.24ubuntu0.1

---------------
gdm-guest-session (0.24ubuntu0.1) natty-security; urgency=low

  * SECURITY UPDATE: Guest session arbitrary file deletion (LP: #953044)
    - gdm/guest-session-cleanup.sh: Use find/xargs with 0 separators
      instead of spaces. Thanks to Martin Pitt for the fix.
    - Thanks to Ryan Lortie for reporting this issue.
    - CVE-2012-0943
 -- Marc Deslauriers <email address hidden> Mon, 12 Mar 2012 11:12:10 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gdm-guest-session - 0.17ubuntu0.1

---------------
gdm-guest-session (0.17ubuntu0.1) maverick-security; urgency=low

  * SECURITY UPDATE: Guest session arbitrary file deletion (LP: #953044)
    - gdm/guest-session-cleanup.sh: Use find/xargs with 0 separators
      instead of spaces. Thanks to Martin Pitt for the fix.
    - Thanks to Ryan Lortie for reporting this issue.
    - CVE-2012-0943
 -- Marc Deslauriers <email address hidden> Mon, 12 Mar 2012 11:16:50 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gdm-guest-session - 0.15ubuntu0.1

---------------
gdm-guest-session (0.15ubuntu0.1) lucid-security; urgency=low

  * SECURITY UPDATE: Guest session arbitrary file deletion (LP: #953044)
    - gdm/guest-session-cleanup.sh: Use find/xargs with 0 separators
      instead of spaces. Thanks to Martin Pitt for the fix.
    - Thanks to Ryan Lortie for reporting this issue.
    - CVE-2012-0943
 -- Marc Deslauriers <email address hidden> Mon, 12 Mar 2012 11:18:26 -0400

Changed in gdm-guest-session (Ubuntu Lucid):
status: Confirmed → Fix Released
Changed in gdm-guest-session (Ubuntu Maverick):
status: Confirmed → Fix Released
Changed in gdm-guest-session (Ubuntu Natty):
status: Confirmed → Fix Released
Changed in lightdm (Ubuntu Oneiric):
status: Confirmed → Fix Released
visibility: private → public
Changed in gdm-guest-session (Ubuntu Oneiric):
status: Confirmed → Won't Fix
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.1.7-0ubuntu2

---------------
lightdm (1.1.7-0ubuntu2) precise; urgency=low

  * debian/guest-account: Fix arbitrary file deletion in removal of guest
    files in /tmp. Use find/xargs with 0 separators instead of spaces.
    (LP: #953044, CVE-2012-0943)
 -- Martin Pitt <email address hidden> Tue, 13 Mar 2012 14:53:10 +0100

Changed in lightdm (Ubuntu Precise):
status: Triaged → Fix Released
This report contains Public Security information
Everyone can see this security related information.