Bug#: 135027
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: solar <solar@gentoo.org>

Attachment:
Filename: gdm-CVE-2006-2452.patch
Description: gdm-CVE-2006-2452.patch
Type: patch
Creator: solar
Created: 2006-05-31 11:48 0000
Size: 3.51 KB



Description:   Opened: 2006-05-31 04:47 0000
From:   Brian Cameron <Brian.Cameron@Sun.COM>

A serious exploit in GDM has been found which allows users to access
the GDM configuration screen if they do the following:

1) Select "configure login manager"
2) Click on their name in the face browser userlist.
3) Type in the personal password instead of the root password.

Then the GDM configuration starts up.

Refer here:

   http://bugzilla.gnome.org/show_bug.cgi?id=343476

I have fixed this bug in the 2.10, 2.12, and 2.14 branches
which correspond to GDM 2.8, 2.12, and 2.14 respectively.  I have
also fixed this problem in CVS head (2.15).

I plan to release new tarballs for all these branches in the next
day or so, but was wondering if you could advise how I should
proceed.  Should the release notes make mention of the seriousness
of the problem, or should the distros be warned about the issue
before it is highlighted in a release note?

Brian

------- Comment #1 From solar 2006-05-31 04:49:19 0000 -------
Current keywords:

gdm-2.2.5.4-r5[0]:
gdm-2.8.0.7[0]: ia64
gdm-2.8.0.7-r1[0]: alpha amd64 hppa mips ppc ppc64 sparc x86
gdm-2.14.5[0]: ~alpha ~amd64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86

Leonardo Boshell <leonardop@gentoo.org> appears to be handling the package
these days.

------- Comment #2 From solar 2006-05-31 11:48:33 0000 -------
Created an attachment (id=88014)
gdm-CVE-2006-2452.patch

This will be CVE-2006-2452

Redhat is requesting 1 week before any public announcements are made regarding
this problem. Since it is already in gnome-cvs, however, it is semi-public.

------- Comment #3 From Sune Kloppenborg Jeppesen 2006-06-07 12:37:20 0000 -------
Leonardo please provide an updated ebuild, and only mention the bug number in
the changelog (until it becomes public).

------- Comment #4 From Leonardo Boshell 2006-06-07 22:01:53 0000 -------
gdm-2.8.0.8 and gdm-2.14.8 are now in the tree, released upstream because of
this issue. gdm-2.8.0.8 should be the only ebuild to mark stable by arches at
this point.

By the way, the release announcements made by the developer openly describe the
problem, in case that is significant for you:

http://mail.gnome.org/archives/gnome-announce-list/2006-June/msg00007.html
http://mail.gnome.org/archives/gnome-announce-list/2006-June/msg00008.html

------- Comment #5 From Sune Kloppenborg Jeppesen 2006-06-07 22:19:52 0000 -------
Thx Leonardo, I didn't know that they had just announced this.

Arches please test and mark stable.

------- Comment #6 From Sune Kloppenborg Jeppesen 2006-06-07 22:21:23 0000 -------
*** Bug 136019 has been marked as a duplicate of this bug. ***

------- Comment #7 From Markus Rothe 2006-06-08 09:13:16 0000 -------
stable on ppc64

------- Comment #8 From Gustavo Zacarias (RETIRED) 2006-06-08 12:38:23 0000 -------
sparc stable.

------- Comment #9 From Tobias Scherbaum 2006-06-08 14:55:08 0000 -------
ppc stable

------- Comment #10 From Joshua Jackson 2006-06-08 22:36:45 0000 -------
x86 done ^.^

------- Comment #11 From Thomas Cort (RETIRED) 2006-06-09 16:18:10 0000 -------
alpha stable.

------- Comment #12 From René Nussbaumer 2006-06-10 06:12:55 0000 -------
stable on hppa

------- Comment #13 From Thomas Cort (RETIRED) 2006-06-11 19:18:26 0000 -------
amd64 stable.

------- Comment #14 From Sune Kloppenborg Jeppesen 2006-06-12 13:15:07 0000 -------
GLSA 200606-14

ia64 and mips please don't forget to mark stable to benefit from the GLSA.
