New upstream release 3.28.x

Bug #1786933 reported by Iain Lane on 2018-08-14
This bug affects 1 person
Affects Status Importance Assigned to Milestone
gdm3 (Ubuntu)
Dariusz Gadomski

Bug Description

[ Description ]

New upstream release in the stable series that bionic is tracking.

[ QA ]

We have a GNOME MRE so upstream's fixes don't need to be explicitly verified.


1. Regular login
2. Auto-login
3. Fast user switching
4. X and Wayland
5. Launching different sessions

[ Regression potential ]

It's the program which logs you in to your session - the consequences could be severe up to and including nobody being able to log in using gdm.

Iain Lane (laney) on 2018-08-14
Changed in gdm3 (Ubuntu):
status: New → Fix Released
Changed in gdm3 (Ubuntu Bionic):
status: New → In Progress
assignee: nobody → Dariusz Gadomski (dgadomski)

Hello Iain, or anyone else affected,

Accepted gdm3 into bionic-proposed. The package will build now and be available at in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at . Thank you in advance!

Changed in gdm3 (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-bionic
Łukasz Zemczak (sil2100) wrote :

Can we have this verified?

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
Dariusz Gadomski (dgadomski) wrote :

I have just verified it and don't see any issues.
I tested all use cases listed in the description on metal and in a VM (VirtualBox).

Iain Lane (laney) wrote :

Thanks Dariusz!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gdm3 - 3.28.3-0ubuntu18.04.1

gdm3 (3.28.3-0ubuntu18.04.1) bionic; urgency=medium

  [ Iain Lane ]
  * New upstream release 3.28.3 (LP: #1786933):
    - CVE-2018-14424 - double free fix
      + 0001-display-store-Pass-the-display-object-rather-than-th.patch: Drop.
    - lifecycle fixes to libgdm/GdmClient
    - follow up fixes dealing with login screen reaping from last release
    - allow pam modules to use SIGUSR1 (LP: #1782152)
    - set PWD for user session
    - tell cirrus not to use wayland
  * Drop backported patches included in this release:
    - libgdm-drop-support-for-serializing-multiple-opens.patch
    - libgdm-fix-pointer-boolean-task-confusion.patch
    - libgdm-don-t-keep-manager-proxy-around-longer-than-we-nee.patch
    - libgdm-use-g_object_unref-instead-of-g_clear_object-for-w.patch
    - libgdm-get-connection-explicitly.patch
    - libgdm-Drop-weak-refs-on-the-GDBusConnection.patch
    - libgdm-Unref-the-manager-propagated-from-task.patch
    - libgdm-Don-t-double-ref-the-connection-got-from-task.patch
    - libgdm-Don-t-leak-connection-on-sync-re-authentication.patch
    - libgdm-Use-auto-pointers-and-cleanup-code.patch
    - libgdb-Try-to-reuse-connections-from-the-available-proxie.patch
    - libgdm-Don-t-save-manager-address.patch
    - libgdm-Return-NULL-on-invalid-client-instances.patch
    - daemon-gdm-session-record.c-open-close-the-utmp-database.patch

  [ Alberto Milone ]
  * ubuntu_nvidia_prime.patch:
    - Run scripts for Prime before and after Gdm sessions (LP: #1778011).

 -- Iain Lane <email address hidden> Fri, 17 Aug 2018 16:53:31 +0100

Changed in gdm3 (Ubuntu Bionic):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for gdm3 has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
