Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 497538 (CVE-2014-0979) - <x11-misc/lightdm-gtk-greeter-1.9.0: local DoS due to NULL pointer dereference (CVE-2014-0979)
Summary: <x11-misc/lightdm-gtk-greeter-1.9.0: local DoS due to NULL pointer dereferenc...
Status: RESOLVED FIXED
Alias: CVE-2014-0979
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-01-08 16:19 UTC by Agostino Sarubbo
Modified: 2016-07-05 21:42 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-01-08 16:19:38 UTC
From ${URL} :

lightdm-gtk was found to be affected by a vulnerability, which causes it to crash with no username entered 
and hitting the ENTER.

The issue seems to be a local DoS due to NULL pointer dereference, which can be triggered by any 
unprivileged attacker requiring the intervention of an administrator to restart lightdm. When a greeter 
crashes the lightdm daemon exits.

References:
http://seclists.org/oss-sec/2014/q1/30
https://bugzilla.novell.com/show_bug.cgi?id=857303


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-01-24 14:34:09 UTC
CVE-2014-0979 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0979):
  The start_authentication function in lightdm-gtk-greeter.c in LightDM GTK+
  Greeter before 1.7.1 does not properly handle the return value from the
  lightdm_greeter_get_authentication_user function, which allows local users
  to cause a denial of service (NULL pointer dereference) via an empty
  username.
Comment 2 Manuel Rüger (RETIRED) gentoo-dev 2015-08-16 02:22:38 UTC
@maintainer: Please stabilize a fixed version and remove the vulnerable versions.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-07-02 05:00:18 UTC
Devaway... and newer version is already stabilized.  Removing vulnerable ebuilds:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=897bc831db8078bac097f66d2dfca520be4ff99e


GLSA Vote: No
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-07-02 05:26:01 UTC
Missed the arm keyword:

@arm, please stabilize:

=x11-misc/lightdm-gtk-greeter-2.0.1-r1
Comment 5 Markus Meier gentoo-dev 2016-07-05 21:00:40 UTC
arm stable, all arches done.
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2016-07-05 21:42:57 UTC
vulnerable versions dropped.