Bug 135027 - gnome-base/gdm GDM issue (CVE-2006-2452)
Summary: gnome-base/gdm GDM issue (CVE-2006-2452)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://bugzilla.gnome.org/show_bug.cg...
Whiteboard: A1? [glsa] jaervosz
Keywords:
Duplicates: 136019
Depends on:
Blocks:
 
Reported: 2006-05-31 04:47 UTC by solar (RETIRED)
Modified: 2019-12-22 11:57 UTC
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments
gdm-CVE-2006-2452.patch (3.51 KB, patch), 2006-05-31 11:48 UTC, solar (RETIRED)

Description solar (RETIRED) gentoo-dev 2006-05-31 04:47:20 UTC
From: Brian Cameron <Brian.Cameron@Sun.COM>

A serious exploit in GDM has been found which allows users to access
the GDM configuration screen if they do the following:

1) Select "Configure Login Manager".
2) Click on their name in the face browser userlist.
3) Type in their personal password instead of the root password.

Then the GDM configuration starts up.

Refer here:

   http://bugzilla.gnome.org/show_bug.cgi?id=343476

I have fixed this bug in the 2.10, 2.12, and 2.14 branches
which correspond to GDM 2.8, 2.12, and 2.14 respectively.  I have
also fixed this problem in CVS head (2.15).

I plan to release new tarballs for all these branches in the next
day or so, but was wondering if you could advise how I should
proceed.  Should the release notes make mention of the seriousness
of the problem, or should the distros be warned about the issue
before it is highlighted in a release note?

Brian
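The report above describes a privileged action (opening the configurator) that ends up authenticating whichever account the face browser has selected instead of root. The following is an added illustration of that bug class and its fix, not GDM's own code or the attached patch; the credential table is a constructed stand-in for the PAM conversation, and the function names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed credential store standing in for PAM (not real GDM code). */
struct account { const char *user; const char *password; };
static const struct account ACCOUNTS[] = {
    { "root",  "r00t-secret" },   /* constructed sample value */
    { "alice", "alice-pw"    },   /* constructed sample value */
};

/* Stand-in for the PAM conversation: true only if pw is user's password. */
static bool authenticate(const char *user, const char *pw)
{
    for (size_t i = 0; i < sizeof ACCOUNTS / sizeof ACCOUNTS[0]; i++)
        if (strcmp(ACCOUNTS[i].user, user) == 0)
            return strcmp(ACCOUNTS[i].password, pw) == 0;
    return false;
}

/* Flawed pattern: the privileged action authenticates the account the UI
 * currently has selected, so a face-browser click replaces root with the
 * user's own account and the user's own password is accepted. */
bool configure_allowed_flawed(const char *selected_user, const char *pw)
{
    return authenticate(selected_user, pw);
}

/* Fixed pattern: the action pins the principal it requires and ignores the
 * UI selection, so only root's password opens the configurator. */
bool configure_allowed_fixed(const char *selected_user, const char *pw)
{
    (void)selected_user;          /* UI state must never choose the principal */
    return authenticate("root", pw);
}

int main(void)
{
    /* alice selected in the face browser, typing her own password */
    printf("flawed: %d\n", configure_allowed_flawed("alice", "alice-pw"));
    printf("fixed:  %d\n", configure_allowed_fixed("alice", "alice-pw"));
    return 0;
}
```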
Comment 1 solar (RETIRED) gentoo-dev 2006-05-31 04:49:19 UTC
Current keywords:

gdm-2.2.5.4-r5[0]:
gdm-2.8.0.7[0]: ia64
gdm-2.8.0.7-r1[0]: alpha amd64 hppa mips ppc ppc64 sparc x86
gdm-2.14.5[0]: ~alpha ~amd64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86

Leonardo Boshell <leonardop@gentoo.org> appears to be handling the package these days.
Comment 2 solar (RETIRED) gentoo-dev 2006-05-31 11:48:33 UTC
Created attachment 88014
gdm-CVE-2006-2452.patch

This will be CVE-2006-2452

Red Hat is requesting 1 week before any public announcements are made regarding this
problem. Since it is already in gnome-cvs, however, it is semi-public.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-07 12:37:20 UTC
Leonardo please provide an updated ebuild, and only mention the bug number in the changelog (until it becomes public).
Comment 4 Leonardo Boshell (RETIRED) gentoo-dev 2006-06-07 22:01:53 UTC
gdm-2.8.0.8 and gdm-2.14.8 are now in the tree, released upstream because of this issue. gdm-2.8.0.8 should be the only ebuild to mark stable by arches at this point.

By the way, the release announcements made by the developer openly describe the problem, in case that is significant for you:

http://mail.gnome.org/archives/gnome-announce-list/2006-June/msg00007.html
http://mail.gnome.org/archives/gnome-announce-list/2006-June/msg00008.html
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-07 22:19:52 UTC
Thx Leonardo, I didn't know that they had just announced this.

Arches please test and mark stable.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-07 22:21:23 UTC
*** Bug 136019 has been marked as a duplicate of this bug. ***
Comment 7 Markus Rothe (RETIRED) gentoo-dev 2006-06-08 09:13:16 UTC
stable on ppc64
Comment 8 Gustavo Zacarias (RETIRED) gentoo-dev 2006-06-08 12:38:23 UTC
sparc stable.
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2006-06-08 14:55:08 UTC
ppc stable
Comment 10 Joshua Jackson (RETIRED) gentoo-dev 2006-06-08 22:36:45 UTC
x86 done ^.^
Comment 11 Thomas Cort (RETIRED) gentoo-dev 2006-06-09 16:18:10 UTC
alpha stable.
Comment 12 René Nussbaumer (RETIRED) gentoo-dev 2006-06-10 06:12:55 UTC
stable on hppa
Comment 13 Thomas Cort (RETIRED) gentoo-dev 2006-06-11 19:18:26 UTC
amd64 stable.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-12 13:15:07 UTC
GLSA 200606-14

ia64 and mips please don't forget to mark stable to benefit from the GLSA.