Fix privilege escalation vulnerability (CVE-2011-0727)

Bug #746053 reported by Steve Beattie on 2011-03-30
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
gdm (Ubuntu)
Undecided
Unassigned

Bug Description

Binary package hint: gdm

Sebastian Krahmer discovered that GDM did not properly drop privileges
when handling the cache directories used to store users' dmrc and
face icon files. This could allow a local attacker to change the
ownership of arbitrary files, thereby gaining root privileges.

The upcoming USN 1099-1 addresses the issue for karmic, lucid, and maverick (hardy is not affected); this bug is for tracking for natty.

The relevant upstream patch is http://git.gnome.org/browse/gdm/commit/?h=gnome-2-32&id=f2eb8e2b25844d6964129e0232e022995e27e11f

Related branches

CVE References

Steve Beattie (sbeattie) on 2011-03-30
visibility: private → public
Sebastien Bacher (seb128) wrote :

the vcs used is the wrong one but feel free to commit to the correct one and upload to natty if you want

Steve Beattie (sbeattie) wrote :

Sebastian, sorry about using the wrong branch. I've adjusted that and linked the corrected branch to this bug report. Thanks for the feedback!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gdm - 2.32.0-0ubuntu15

---------------
gdm (2.32.0-0ubuntu15) natty; urgency=low

  * SECURITY UPDATE: race condition allowing privilege escalation
    - debian/patches/43_CVE-2011-0727.patch: fix
      daemon/gdm-session-worker.c to copy files as session user rather
      than root followed by a subsequent chown. (LP: #746053)
    - CVE-2011-0727
 -- Steve Beattie <email address hidden> Mon, 04 Apr 2011 20:42:03 -0700

Changed in gdm (Ubuntu):
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers