From: Brian Cameron <Brian.Cameron@Sun.COM>

A serious exploit in GDM has been found which allows users to access the GDM configuration screen if they do the following:

1) Select "configure login manager".
2) Click on their name in the face browser userlist.
3) Type in the personal password instead of the root password.

Then the GDM configuration starts up. Refer here: http://bugzilla.gnome.org/show_bug.cgi?id=343476

I have fixed this bug in the 2.10, 2.12, and 2.14 branches which correspond to GDM 2.8, 2.12, and 2.14 respectively. I have also fixed this problem in CVS head (2.15). I plan to release new tarballs for all these branches in the next day or so, but was wondering if you could advise how I should proceed. Should the release notes make mention of the seriousness of the problem, or should the distros be warned about the issue before it is highlighted in a release note?

Brian
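The reproduction steps above describe an authorisation check that validates the password of whichever account is selected in the face browser, when the privileged "configure login manager" action should only ever accept root's password. The following is an added illustration of that bug class and its fix, written for this page; it is not GDM's code, the account names, passwords and hashing scheme are constructed for the demonstration, and the assumption that the flaw was "authenticate against the selected user rather than root" is taken from the steps listed, not from the GDM source.

```python
import hashlib
import hmac
import os

# Constructed credential store: username -> (salt, PBKDF2-SHA256 digest).
# These accounts are made up for the example; they are not GDM's user database.
def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def make_store(accounts):
    """Build the toy credential store from a {username: password} mapping."""
    store = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        store[user] = (salt, _hash(pw, salt))
    return store

STORE = make_store({"root": "root-secret", "alice": "alice-pass"})

def verify(store, username, password):
    """Constant-time check of one user's password against the store."""
    entry = store.get(username)
    if entry is None:
        return False
    salt, digest = entry
    return hmac.compare_digest(_hash(password, salt), digest)

def open_config_vulnerable(store, selected_user, password):
    """Flawed pattern: the privileged dialog is authorised against whoever is
    selected in the face browser, so a user's own password is enough."""
    return verify(store, selected_user, password)

def open_config_fixed(store, selected_user, password):
    """Hardened pattern: the face-browser selection is irrelevant to a
    privileged action; only root's password is accepted."""
    del selected_user  # intentionally ignored
    return verify(store, "root", password)

if __name__ == "__main__":
    print("vulnerable, alice's own password:", open_config_vulnerable(STORE, "alice", "alice-pass"))
    print("fixed, alice's own password:     ", open_config_fixed(STORE, "alice", "alice-pass"))
    print("fixed, root password:            ", open_config_fixed(STORE, "alice", "root-secret"))
```

The point for anyone reviewing similar code is that the identity a privileged operation is authorised against must be fixed by the operation itself, never taken from user-controlled UI state such as a selected entry in a list.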
Current keywords: gdm-2.2.5.4-r5[0]: gdm-2.8.0.7[0]: ia64 gdm-2.8.0.7-r1[0]: alpha amd64 hppa mips ppc ppc64 sparc x86 gdm-2.14.5[0]: ~alpha ~amd64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86 Leonardo Boshell <leonardop@gentoo.org> appears to be handling the package these days.
Created attachment 88014 [details, diff] gdm-CVE-2006-2452.patch

This will be CVE-2006-2452. Redhat is requesting 1 week before any public announcements are made regarding this problem. Since it is already in gnome-cvs, however, it is semi-public.
Leonardo, please provide an updated ebuild, and only mention the bug number in the changelog (until it becomes public).
gdm-2.8.0.8 and gdm-2.14.8 are now in the tree, released upstream because of this issue. gdm-2.8.0.8 should be the only ebuild to mark stable by arches at this point. By the way, the release announcements made by the developer openly describe the problem, in case that is significant for you: http://mail.gnome.org/archives/gnome-announce-list/2006-June/msg00007.html http://mail.gnome.org/archives/gnome-announce-list/2006-June/msg00008.html
Thx Leonardo, I didn't know that they had just announced this. Arches please test and mark stable.
*** Bug 136019 has been marked as a duplicate of this bug. ***
stable on ppc64
sparc stable.
ppc stable
x86 done ^.^
alpha stable.
stable on hppa
amd64 stable.
GLSA 200606-14. ia64 and mips, please don't forget to mark stable to benefit from the GLSA.