Bug 187919 - gnome-base/gdm Denial of Service (CVE-2007-3381)
Summary: gnome-base/gdm Denial of Service (CVE-2007-3381)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/26313/
Whiteboard: A3 [glsa] p-y
Reported: 2007-08-06 14:02 UTC by Pierre-Yves Rofes (RETIRED)
Modified: 2020-04-03 06:58 UTC (History)
Description Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-06 14:02:30 UTC
A vulnerability has been discovered in GNOME Display Manager, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused by the GDM daemon improperly handling NULL values returned by the "g_strsplit" function. This can be exploited to crash the GNOME Display Manager by sending specially crafted requests to the local GDM socket.

The vulnerability is confirmed in version 2.16.0-10-fc6 on Fedora 6 and also reported in versions prior to 2.14.13, 2.16.7, 2.18.4 and 2.19.5.

Solution:
Update to version 2.14.13, 2.16.7, or 2.18.4.
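The bug class the advisory text describes, as an added illustration that is not GDM's code and not part of the original report: a daemon splits a message read from its local socket on spaces and then uses a field by index without first checking that the split produced that many fields. split_fields() below is a stand-in for GLib's g_strsplit() with the same contract (a NULL-terminated vector of copied fields, empty for an empty string) so that the file builds without GLib; the "SET_ACTION" command and the sample messages are constructed for the example and are not GDM's real socket protocol. The unchecked handler reports where it would have dereferenced NULL instead of actually crashing, and the hardened handler validates the field count before touching any field.

```c
/* Added example of unchecked use of a split vector; not GDM's code.
 * split_fields() mimics g_strsplit(msg, " ", -1): a NULL-terminated
 * vector of copies, {NULL} for "".  "SET_ACTION" is a made-up command. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static void free_fields(char **v)
{
    char **p;
    if (!v)
        return;
    for (p = v; *p; p++)
        free(*p);
    free(v);
}

static char *dup_range(const char *s, size_t n)
{
    char *d = malloc(n + 1);
    if (!d)
        return NULL;
    memcpy(d, s, n);
    d[n] = '\0';
    return d;
}

/* Split on single spaces: "A B" -> {"A","B",NULL}, "A " -> {"A","",NULL},
 * "" -> {NULL}.  Returns NULL only on allocation failure. */
static char **split_fields(const char *msg)
{
    size_t n = 0, i;
    const char *p;
    char **out;

    if (*msg) {
        n = 1;
        for (p = msg; *p; p++)
            if (*p == ' ')
                n++;
    }
    out = calloc(n + 1, sizeof *out);
    if (!out)
        return NULL;
    for (p = msg, i = 0; i < n; i++) {
        const char *sp = strchr(p, ' ');
        size_t len = sp ? (size_t)(sp - p) : strlen(p);
        out[i] = dup_range(p, len);
        if (!out[i]) { free_fields(out); return NULL; }
        if (!sp)
            break;
        p = sp + 1;
    }
    return out;
}

static size_t count_fields(char **v)
{
    size_t n = 0;
    while (v[n])
        n++;
    return n;
}

/* Vulnerable pattern.  The handler assumes "COMMAND ARG" and passes
 * fields[1] straight to strcmp().  For a bare command fields[1] is the
 * NULL terminator, so strcmp(NULL, ...) is the crash; an empty message
 * makes fields[0] NULL and fails one step earlier.  Rather than
 * dereference NULL, this returns 1 at the point the real code would. */
static int unchecked_would_crash(const char *msg)
{
    char **f = split_fields(msg);
    int crash;

    if (!f)
        return -1;
    crash = (f[0] == NULL || f[1] == NULL);
    free_fields(f);
    return crash;
}

/* Hardened handler: check the field count before touching any field and
 * reject malformed socket messages with -1 instead of trusting the layout.
 * On success the argument is copied into action and 0 is returned. */
static int handle_message_checked(const char *msg, char *action, size_t action_sz)
{
    char **f = split_fields(msg);
    int rc = -1;

    if (!f)
        return -1;
    if (count_fields(f) == 2 && strcmp(f[0], "SET_ACTION") == 0 &&
        f[1][0] != '\0') {
        snprintf(action, action_sz, "%s", f[1]);
        rc = 0;
    }
    free_fields(f);
    return rc;
}
```

The fix pattern is the same whether the vector comes from g_strsplit() or anything else that returns a NULL-terminated array: count (or walk) the vector and reject short messages as protocol errors before indexing, and treat a trailing-space message such as "SET_ACTION " as malformed rather than as a valid empty argument.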
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-06 14:04:37 UTC
setting status and cc'ing. gnome, please advise and bump as necessary.
Comment 2 Gilles Dartiguelongue (RETIRED) gentoo-dev 2007-08-06 16:22:43 UTC
2.16, 2.18 and 2.19 bumped.

I think the procedure is to fast-track stabilisation of 2.16.7.

2.18 is going stable soon, I'll add a comment on the relevant bug number to inform arches. This is also why 2.14 is not taken care of. leio informed me 2.14 should be out of the tree by the end of the week (correct me if I'm wrong).
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-06 17:06:14 UTC
Thanks for the info Gilles.
arches, please test and mark stable gnome-base/gdm-2.16.7.
target keywords are: "alpha amd64 arm hppa ia64 mips ppc ppc64 sh sparc x86 ~x86-fbsd"
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2007-08-06 17:40:21 UTC
Is this stabilisation needed? Gnome team requested stabilisation of 2.18.4 in bug 185823.
Comment 5 Mart Raudsepp gentoo-dev 2007-08-06 19:55:55 UTC
(In reply to comment #4)
> Is this stabilisation needed?  Gnome team requested stabilisation of 2.18.4 in
> bug 185823.

We would appreciate a non-vulnerable 2.16 version as well, so that we can clean up all the vulnerable versions. That's because we, the Gnome team, keep two versions of Gnome release cycle around in stable, hence 2.16 isn't going away before 2.20 is going stable.
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2007-08-07 08:55:31 UTC
(In reply to comment #5)
> (In reply to comment #4)
> > Is this stabilisation needed?  Gnome team requested stabilisation of 2.18.4 in
> > bug 185823.
> We would appreciate a non-vulnerable 2.16 version as well, so that we can clean
> up all the vulnerable versions. That's because we, the Gnome team, keep two
> versions of Gnome release cycle around in stable, hence 2.16 isn't going away
> before 2.20 is going stable.

As you wish... x86 stable
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2007-08-07 12:27:26 UTC
sparc stable.
Comment 8 Markus Rothe (RETIRED) gentoo-dev 2007-08-07 14:12:38 UTC
ppc64 stable
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2007-08-07 20:37:43 UTC
ppc stable
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2007-08-09 11:05:03 UTC
alpha/ia64 stable
Comment 11 Steve Dibb (RETIRED) gentoo-dev 2007-08-11 15:14:43 UTC
amd64 stable
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2007-08-15 00:44:17 UTC
Stable for HPPA.
Comment 13 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-09-18 21:43:29 UTC
GLSA 200709-11, thanks everybody