ldm 2.2.x (using wwm) contains a keybinding allowing the user to get a root shell

Bug #953340 reported by Stéphane Graber
Affects          Status        Importance  Assigned to        Milestone
ldm (Ubuntu)     Fix Released  High        Stéphane Graber
Natty            Fix Released  High        Marc Deslauriers
Oneiric          Fix Released  High        Marc Deslauriers
Precise          Fix Released  High        Stéphane Graber

Bug Description

Starting with ldm 2.2.x, upstream switched to wwm as a minimal window manager for ldm, though it was only recently discovered that it ships with a keybinding allowing the user to spawn an xterm.

As the ldm greeter runs as root, this essentially allows for a passwordless root shell to be spawned on any LTSP thin client since Ubuntu 11.04.

While definitely quite bad, it's not horribly bad: all thin clients are booted from the network with their filesystem downloaded in cleartext from the network, so we already consider them non-secure machines to start with.
The fix upstream is to turn off all the keybindings in wwm as it was meant to be from the beginning.

I committed the bugfix upstream and we'll release a new version today for upload to Debian and sync into Precise.

I'm going to provide two debdiffs in the next few minutes cherry-picking the fix for Ubuntu 11.04 and 11.10.

For the record, the keybinding is KP_RETURN. Easiest way to trigger it is by doing alt+enter or switching to the second workspace (alt+2) then simply pressing enter.

The original reporter for this security issue is "Tenho Tuhkala" with the bug tracked down and fixed by me.

Tags: patch
Stéphane Graber (stgraber) wrote :
visibility: private → public
Marc Deslauriers (mdeslaur) wrote :
Changed in ldm (Ubuntu Natty):
status: New → Confirmed
Changed in ldm (Ubuntu Oneiric):
status: New → Confirmed
Changed in ldm (Ubuntu Precise):
status: New → Confirmed
assignee: nobody → Stéphane Graber (stgraber)
Changed in ldm (Ubuntu Natty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ldm (Ubuntu Oneiric):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ldm (Ubuntu Natty):
importance: Undecided → High
Changed in ldm (Ubuntu Oneiric):
importance: Undecided → High
Changed in ldm (Ubuntu Precise):
importance: Undecided → High
tags: added: patch
description: updated
Stéphane Graber (stgraber) wrote :

ldm 2.2.7 has been uploaded to Debian, waiting for it to be available for a sync in Precise.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ldm - 2:2.2.1-0ubuntu1.1

---------------
ldm (2:2.2.1-0ubuntu1.1) natty-security; urgency=low

  * SECURITY UPDATE: root shell via default keyboard bindings (LP: #953340)
    - debian/patches/CVE-2012-1166.patch: Remove all keybindings in
      wwm/main.c.
    - CVE-2012-1166
 -- Marc Deslauriers <email address hidden> Mon, 12 Mar 2012 16:36:05 -0400

Changed in ldm (Ubuntu Natty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ldm - 2:2.2.4-0ubuntu1.1

---------------
ldm (2:2.2.4-0ubuntu1.1) oneiric-security; urgency=low

  * SECURITY UPDATE: root shell via default keyboard bindings (LP: #953340)
    - debian/patches/CVE-2012-1166.patch: Remove all keybindings in
      wwm/main.c.
    - CVE-2012-1166
 -- Marc Deslauriers <email address hidden> Mon, 12 Mar 2012 16:39:15 -0400

Changed in ldm (Ubuntu Oneiric):
status: Confirmed → Fix Released
Stéphane Graber (stgraber) wrote :

Synced 2.2.7 with the bugfix to Precise.

Changed in ldm (Ubuntu Precise):
status: Confirmed → Fix Released