From ${URL} :

lightdm before 1.4.3, 1.6.2 and 1.7.14 created .Xauthority files with world-readable permissions.

Fixed by the following commits:

1.4.x:
http://bazaar.launchpad.net/~lightdm-team/lightdm/1.4/revision/1571
http://bazaar.launchpad.net/~lightdm-team/lightdm/1.4/revision/1576
http://bazaar.launchpad.net/~lightdm-team/lightdm/1.4/revision/1577

1.6.x:
http://bazaar.launchpad.net/~lightdm-team/lightdm/1.6/revision/1641
http://bazaar.launchpad.net/~lightdm-team/lightdm/1.6/revision/1652
http://bazaar.launchpad.net/~lightdm-team/lightdm/1.6/revision/1653

1.7.x:
http://bazaar.launchpad.net/~lightdm-team/lightdm/trunk/revision/1675
http://bazaar.launchpad.net/~lightdm-team/lightdm/trunk/revision/1780
http://bazaar.launchpad.net/~lightdm-team/lightdm/trunk/revision/1781

Bug reports:
https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1175023
https://bugs.launchpad.net/lightdm/+bug/685212
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721744

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
+*lightdm-1.7.15 (11 Sep 2013) +*lightdm-1.4.3 (11 Sep 2013) +*lightdm-1.6.2 (11 Sep 2013) + + 11 Sep 2013; Markos Chandras <hwoarang@gentoo.org> +lightdm-1.4.3.ebuild, + +lightdm-1.6.2.ebuild, +lightdm-1.7.15.ebuild, -lightdm-1.6.0.ebuild, + -lightdm-1.7.7.ebuild, -lightdm-1.7.9.ebuild: + Version bump. Bug #484328 and #484590 + 1.4.3 can go stable. 1.6.X and 1.7.X have no stable keywords so they do not need to be stabilized. Last arch please remove the old 1.4.X ebuilds. Remember, @arm needs to mask 'kde' and 'razor' use flags in their profiles.
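Review bot: the entry text "Version bump. Bug #484328 and #484590" does not say that this is a security bump, so a reader of the ChangeLog cannot tell why lightdm-1.6.0, lightdm-1.7.7 and lightdm-1.7.9 are dropped in the same entry. Suggest naming the .Xauthority permissions fix in the entry text. The removed list also contains no 1.4.x ebuild, so the older 1.4.x versions stay in the tree after this change and need a separate removal.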
CVE-2013-4331 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4331): Light Display Manager (aka LightDM) 1.4.x before 1.4.3, 1.6.x before 1.6.2, and 1.7.x before 1.7.14 uses 0664 permissions for the temporary .Xauthority file, which allows local users to obtain sensitive information by reading the file.
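How a file can end up with mode 0664, and one way to create it owner-only regardless of umask, as an added example (not lightdm's code and not the upstream fix). The function names, the sample umask of 002 and the temporary paths are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Write all bytes and close; on a failed write, remove the partial file. */
static int finish(int fd, const char *path, const char *data, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, data, len);
        if (n <= 0) { close(fd); unlink(path); return -1; }
        data += n; len -= (size_t)n;
    }
    return close(fd);
}

/* Weak pattern (constructed): 0666 leaves the outcome to umask; 002 gives 0664. */
int write_default_file(const char *path, const char *data, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    return fd < 0 ? -1 : finish(fd, path, data, len);
}

/* Hardened: O_EXCL refuses an existing file or symlink; fchmod pins 0600 whatever the umask. */
int write_private_file(const char *path, const char *data, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    if (fd < 0) return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) { close(fd); unlink(path); return -1; }
    return finish(fd, path, data, len);
}

/* Permission bits of path (symlinks not followed), or -1 on error. */
int file_mode(const char *path)
{
    struct stat st;
    return lstat(path, &st) != 0 ? -1 : (int)(st.st_mode & 07777);
}

int main(void)
{
    char dir[] = "/tmp/xauth-demo-XXXXXX";   /* constructed scratch directory */
    umask(002);                              /* constructed group-friendly umask */
    if (!mkdtemp(dir) || chdir(dir) != 0) return 1;
    write_default_file("weak", "cookie", 6);
    write_private_file("safe", "cookie", 6);
    printf("weak=%04o safe=%04o\n", (unsigned)file_mode("weak"), (unsigned)file_mode("safe"));
    unlink("weak"); unlink("safe"); rmdir(dir);
    return 0;
}
```

Any nonzero result from `file_mode(path) & 077` on an authority file means group or other users have access to it.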
Vulnerable versions have been removed. @glsa coordinators: Please vote.
GLSA Vote: No
Vote: NO.