First Last Prev Next    No search results available      Search page      Enter new bug
Bug#: 187919
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Pierre-Yves Rofes <py@gentoo.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 187919 depends on: Show dependency tree
Show dependency graph
Bug 187919 blocks:

Additional Comments: (this is where you put emerge --info)







View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2007-08-06 14:02 0000 
A vulnerability has been discovered in GNOME Display Manager, which can be
exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to the GDM daemon improperly handling NULL
values returned by the "g_strsplit" function. This can be exploited to crash
the GNOME Display Manager by sending specially crafted requests to the local
GDM socket.

The vulnerability is confirmed in version 2.16.0-10-fc6 on Fedora 6 and also
reported in versions prior to 2.14.13, 2.16.7, 2.18.4 and 2.19.5.

Solution:
Update to version 2.14.13, 2.16.7, or 2.18.4.

------- Comment #1 From Pierre-Yves Rofes 2007-08-06 14:04:37 0000 ------- 
setting status and cc'ing. gnome, please advise and bump as necessary.

------- Comment #2 From Gilles Dartiguelongue 2007-08-06 16:22:43 0000 ------- 
2.16, 2.18 and 2.19 bumped.

I think the procedure is to fasttrack stabilisation of 2.16.7.

2.18 is going stable soon, I'll add a comment on the relevant bug number to
inform arches. This is also why 2.14 is not taken care of. leio informed me
2.14 should be out of the tree by the end of the week (correct me if I'm
wrong).

------- Comment #3 From Pierre-Yves Rofes 2007-08-06 17:06:14 0000 ------- 
Thanks for the info Gilles.
arches, please test and mark stable gnome-base/gdm-2.16.7.
target keywords are: "alpha amd64 arm hppa ia64 mips ppc ppc64 sh sparc x86
~x86-fbsd

------- Comment #4 From Christian Faulhammer 2007-08-06 17:40:21 0000 ------- 
Is this stabilisation needed?  Gnome team requested stabilisation of 2.18.4 in
bug 185823.

------- Comment #5 From Mart Raudsepp 2007-08-06 19:55:55 0000 ------- 
(In reply to comment #4)
> Is this stabilisation needed?  Gnome team requested stabilisation of 2.18.4 in
> bug 185823.

We would appreciate a non-vulnerable 2.16 version as well, so that we can clean
up all the vulnerable versions. That's because we, the Gnome team, keep two
versions of Gnome release cycle around in stable, hence 2.16 isn't going away
before 2.20 is going stable.

------- Comment #6 From Christian Faulhammer 2007-08-07 08:55:31 0000 ------- 
(In reply to comment #5)
> (In reply to comment #4)
> > Is this stabilisation needed?  Gnome team requested stabilisation of 2.18.4 in
> > bug 185823.
> We would appreciate a non-vulnerable 2.16 version as well, so that we can clean
> up all the vulnerable versions. That's because we, the Gnome team, keep two
> versions of Gnome release cycle around in stable, hence 2.16 isn't going away
> before 2.20 is going stable.

 As you wish...x86 stable

------- Comment #7 From Gustavo Zacarias (RETIRED) 2007-08-07 12:27:26 0000 ------- 
sparc stable.

------- Comment #8 From Markus Rothe 2007-08-07 14:12:38 0000 ------- 
ppc64 stable

------- Comment #9 From Tobias Scherbaum 2007-08-07 20:37:43 0000 ------- 
ppc stable

------- Comment #10 From Raúl Porcel 2007-08-09 11:05:03 0000 ------- 
alpha/ia64 stable

------- Comment #11 From Steve Dibb 2007-08-11 15:14:43 0000 ------- 
amd64 stable

------- Comment #12 From Jeroen Roovers 2007-08-15 00:44:17 0000 ------- 
Stable for HPPA.

------- Comment #13 From Raphael Marichez 2007-09-18 21:43:29 0000 ------- 
GLSA 200709-11, thanks everybody
First Last Prev Next    No search results available      Search page      Enter new bug