
Bug 484590 (CVE-2013-4331)

Summary: x11-misc/lightdm : world-readable .Xauthority (CVE-2013-4331)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: hwoarang
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2013/09/11/4
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Comment 1 Markos Chandras (RETIRED) gentoo-dev 2013-09-11 19:49:27 UTC
+*lightdm-1.7.15 (11 Sep 2013)
+*lightdm-1.4.3 (11 Sep 2013)
+*lightdm-1.6.2 (11 Sep 2013)
+
+  11 Sep 2013; Markos Chandras <hwoarang@gentoo.org> +lightdm-1.4.3.ebuild,
+  +lightdm-1.6.2.ebuild, +lightdm-1.7.15.ebuild, -lightdm-1.6.0.ebuild,
+  -lightdm-1.7.7.ebuild, -lightdm-1.7.9.ebuild:
+  Version bump. Bug #484328 and #484590
+
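
Review bot: the entry text on the last line, "Version bump. Bug #484328 and #484590", does not say that the bump is a security fix. Naming CVE-2013-4331 next to bug #484590 would tell anyone reading the ChangeLog later that the new ebuilds address a vulnerability and why lightdm-1.6.0, lightdm-1.7.7 and lightdm-1.7.9 are dropped in the same entry.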

1.4.3 can go stable. 1.6.X and 1.7.X have no stable keywords so they do not need to be stabilized. Last arch please remove the old 1.4.X ebuilds.

Remember, @arm needs to mask 'kde' and 'razor' use flags in their profiles.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-02-04 14:03:23 UTC
CVE-2013-4331 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4331):
  Light Display Manager (aka LightDM) 1.4.x before 1.4.3, 1.6.x before 1.6.2,
  and 1.7.x before 1.7.14 uses 0664 permissions for the temporary .Xauthority
  file, which allows local users to obtain sensitive information by reading
  the file.
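
A defensive check for the condition in the CVE description above, as an added example that is not part of the bug report or LightDM's code: it flags X authority files whose mode grants any group or other access, such as 0664. The function names and the temporary sample files are constructed for illustration.

```python
import os
import stat
import tempfile

# An X authority file holds X authorization data; only its owner should have
# access (0600). Any group/other permission bit is reported as an exposure.
EXPOSED_BITS = stat.S_IRWXG | stat.S_IRWXO


def audit_xauthority(path):
    """Return None if path is absent or owner-only, else a finding dict."""
    try:
        st = os.lstat(path)  # lstat: judge the entry itself, not a symlink target
    except FileNotFoundError:
        return None
    if not stat.S_ISREG(st.st_mode):
        return {"path": path, "mode": None, "problem": "not a regular file"}
    mode = stat.S_IMODE(st.st_mode)
    extra = mode & EXPOSED_BITS
    if not extra:
        return None
    readers = [name for name, bit in (("group", stat.S_IRGRP), ("other", stat.S_IROTH)) if mode & bit]
    return {"path": path, "mode": f"{mode:04o}", "extra_bits": f"{extra:04o}", "readable_by": readers}


def audit_many(paths):
    """Audit several candidate paths and keep only the findings."""
    return [finding for finding in map(audit_xauthority, paths) if finding]


def make_sample(directory, name, mode):
    """Constructed sample: an empty stand-in for an .Xauthority file."""
    path = os.path.join(directory, name)
    with open(path, "wb"):
        pass
    os.chmod(path, mode)  # chmod sets the mode exactly, independent of umask
    return path


def demo():
    """Audit one 0664 file, one 0600 file and one missing path."""
    with tempfile.TemporaryDirectory() as d:
        bad = make_sample(d, "xauth-0664", 0o664)
        good = make_sample(d, "xauth-0600", 0o600)
        return audit_many([bad, good, os.path.join(d, "missing")])


if __name__ == "__main__":
    print(demo())
```
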
Comment 3 Manuel Rüger (RETIRED) gentoo-dev 2015-08-16 02:27:05 UTC
Vulnerable versions have been removed.

@glsa coordinators: Please vote.
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-08-16 19:35:22 UTC
GLSA Vote: No
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2015-11-09 22:03:24 UTC
Vote: NO.