Bug 484590 (CVE-2013-4331) - x11-misc/lightdm : world-readable .Xauthority (CVE-2013-4331)
Summary: x11-misc/lightdm : world-readable .Xauthority (CVE-2013-4331)
Status: RESOLVED FIXED
Alias: CVE-2013-4331
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B4 [noglsa]
Reported: 2013-09-11 15:46 UTC by Agostino Sarubbo
Modified: 2015-11-09 22:03 UTC
Comment 1 Markos Chandras (RETIRED) gentoo-dev 2013-09-11 19:49:27 UTC
+*lightdm-1.7.15 (11 Sep 2013)
+*lightdm-1.4.3 (11 Sep 2013)
+*lightdm-1.6.2 (11 Sep 2013)
+
+  11 Sep 2013; Markos Chandras <hwoarang@gentoo.org> +lightdm-1.4.3.ebuild,
+  +lightdm-1.6.2.ebuild, +lightdm-1.7.15.ebuild, -lightdm-1.6.0.ebuild,
+  -lightdm-1.7.7.ebuild, -lightdm-1.7.9.ebuild:
+  Version bump. Bug #484328 and #484590
+
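
Review bot: The entry text on the last line, "Version bump. Bug #484328 and #484590", gives no reason for the bump. This bug carries the alias CVE-2013-4331, so naming the CVE there (or marking the bump as a security fix) would tell someone reading only the ChangeLog why lightdm-1.6.0, lightdm-1.7.7 and lightdm-1.7.9 are removed in the same entry.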

1.4.3 can go stable. 1.6.X and 1.7.X have no stable keywords so they do not need to be stabilized. Last arch please remove the old 1.4.X ebuilds.

Remember, @arm needs to mask 'kde' and 'razor' use flags in their profiles.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-02-04 14:03:23 UTC
CVE-2013-4331 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4331):
  Light Display Manager (aka LightDM) 1.4.x before 1.4.3, 1.6.x before 1.6.2,
  and 1.7.x before 1.7.14 uses 0664 permissions for the temporary .Xauthority
  file, which allows local users to obtain sensitive information by reading
  the file.
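
The CVE text above gives 0664 as the mode of the temporary .Xauthority file. As an added example (not LightDM's code and not part of this bug report), the C below creates a file with that mode and with 0600 in a scratch directory and checks which result is exposed to other local users; the function names, the `/tmp/xauth-demo-` directory and the cookie string are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed stand-in for an X authority record (not a real cookie). */
static const char SAMPLE[] = "constructed-cookie";

/* Create path with the requested mode and return the permission bits that
   ended up on disk, or -1 on error. The umask is cleared around open() so
   the result shows exactly what the caller asked for. */
int create_and_stat(const char *path, mode_t requested)
{
    struct stat st;
    mode_t old = umask(0);
    /* O_EXCL: fail instead of reusing a file someone else pre-created. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, requested);
    umask(old);
    int ok = fd >= 0 && write(fd, SAMPLE, sizeof SAMPLE - 1) >= 0
             && fstat(fd, &st) == 0;
    if (fd >= 0) close(fd);
    return ok ? (int)(st.st_mode & 07777) : -1;
}

/* Audit check: 1 when anyone other than the owner has any access bit. */
int exposed_to_others(int mode)
{
    return (mode & (S_IRWXG | S_IRWXO)) != 0;
}

/* Create .Xauthority in a fresh private directory with the requested mode,
   report whether it is exposed (1/0, -1 on error), then clean up. */
int demo(mode_t requested)
{
    char dir[] = "/tmp/xauth-demo-XXXXXX";
    char path[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/.Xauthority", dir);
    int mode = create_and_stat(path, requested);
    unlink(path);
    rmdir(dir);
    return mode < 0 ? -1 : exposed_to_others(mode);
}

int main(void)
{
    printf("0664 exposed: %d, 0600 exposed: %d\n", demo(0664), demo(0600));
    return 0;
}
```

A common umask of 022 would turn a requested 0664 into 0644, which still leaves the read bit set for other users; only an owner-only mode such as 0600 passes the check.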
Comment 3 Manuel Rüger (RETIRED) gentoo-dev 2015-08-16 02:27:05 UTC
Vulnerable versions have been removed.

@glsa coordinators: Please vote.
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-08-16 19:35:22 UTC
GLSA Vote: No
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2015-11-09 22:03:24 UTC
Vote: NO.