661510 – (CVE-2018-14345) <x11-misc/sddm-0.18.0: Privilege Escalation via dbus-daemon

Bug 661510 (CVE-2018-14345) - <x11-misc/sddm-0.18.0: Privilege Escalation via dbus-daemon

Summary: <x11-misc/sddm-0.18.0: Privilege Escalation via dbus-daemon

Status:	RESOLVED FIXED

Alias:	CVE-2018-14345

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://github.com/sddm/sddm/releases...
Whiteboard:	B3 [noglsa cve]
Keywords:	PMASKED

Depends on:
Blocks:

Reported:	2018-07-18 14:18 UTC by Manuel Rüger (RETIRED)
Modified:	2022-04-01 23:42 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Manuel Rüger (RETIRED) gentoo-dev

2018-07-18 14:18:30 UTC

An issue was discovered in SDDM through 0.17.0. If configured with ReuseSession=true, the password is not checked for users with an already existing session. Any user with access to the system D-Bus can therefore unlock any graphical session. This is related to daemon/Display.cpp and helper/backend/PamBackend.cpp.

Comment 1 Larry the Git Cow gentoo-dev

2018-07-22 11:21:44 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ae159450bf401ffa9651ce243e8c12ca088e127b

commit ae159450bf401ffa9651ce243e8c12ca088e127b
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-07-21 21:07:45 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-07-22 11:21:17 +0000

    x11-misc/sddm: 0.18.0 version bump
    
    Bug: https://bugs.gentoo.org/661510
    Package-Manager: Portage-2.3.43, Repoman-2.3.10

 x11-misc/sddm/Manifest                            |  1 +
 x11-misc/sddm/files/sddm-0.18.0-Xsession.patch    | 24 ++++++
 x11-misc/sddm/files/sddm-0.18.0-sddmconfdir.patch | 32 ++++++++
 x11-misc/sddm/sddm-0.18.0.ebuild                  | 96 +++++++++++++++++++++++
 4 files changed, 153 insertions(+)

Comment 2 Manuel Rüger (RETIRED) gentoo-dev

2018-07-26 13:44:42 UTC

Adding arches

Comment 3 Mikle Kolyada (RETIRED) archtester

2018-07-26 21:44:42 UTC

amd64 stable

Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev

2018-07-28 13:45:51 UTC

x86 stable

Comment 5 Larry the Git Cow gentoo-dev

2018-11-13 21:30:57 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5e996d8c5d2e1f27ad0eceed39173e46039c8a5b

commit 5e996d8c5d2e1f27ad0eceed39173e46039c8a5b
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-11-13 15:29:54 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-11-13 21:30:42 +0000

    x11-misc/sddm: Drop vulnerable 0.17.0-r4
    
    Bug: https://bugs.gentoo.org/661510
    Package-Manager: Portage-2.3.51, Repoman-2.3.12
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 x11-misc/sddm/Manifest                             |  1 -
 x11-misc/sddm/files/sddm-0.16.0-Xsession.patch     | 24 -------
 x11-misc/sddm/files/sddm-0.17.0-consolekit.patch   | 22 ------
 x11-misc/sddm/files/sddm-0.17.0-logind-race.patch  | 26 -------
 .../files/sddm-0.17.0-switchtogreeter-r1.patch     | 54 --------------
 x11-misc/sddm/sddm-0.17.0-r4.ebuild                | 84 ----------------------
 6 files changed, 211 deletions(-)

Comment 6 Aaron Bauman (RETIRED) gentoo-dev

2018-11-25 01:54:54 UTC

@Andreas, what about 0.15.0 here?

Comment 7 Larry the Git Cow gentoo-dev

2018-11-25 19:28:51 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e2196a02524145987ac3f6dd1b62e8c2c73279e0

commit e2196a02524145987ac3f6dd1b62e8c2c73279e0
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-11-25 19:26:32 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-11-25 19:28:28 +0000

    profiles: Mask vulnerable <x11-misc/sddm-0.18.0
    
    Bug: https://bugs.gentoo.org/661510
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)

Comment 8 Aaron Bauman (RETIRED) gentoo-dev

2019-03-10 04:15:32 UTC

(In reply to Larry the Git Cow from comment #7)
> The bug has been referenced in the following commit(s):
> 
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=e2196a02524145987ac3f6dd1b62e8c2c73279e0
> 
> commit e2196a02524145987ac3f6dd1b62e8c2c73279e0
> Author:     Andreas Sturmlechner <asturm@gentoo.org>
> AuthorDate: 2018-11-25 19:26:32 +0000
> Commit:     Andreas Sturmlechner <asturm@gentoo.org>
> CommitDate: 2018-11-25 19:28:28 +0000
> 
>     profiles: Mask vulnerable <x11-misc/sddm-0.18.0
>     
>     Bug: https://bugs.gentoo.org/661510
>     Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>
> 
>  profiles/package.mask | 5 +++++
>  1 file changed, 5 insertions(+)

Andreas, can this be dropped yet?

Comment 9 Andreas Sturmlechner gentoo-dev

2019-03-10 13:29:32 UTC

Unfortunately not. It is masked, anyway.

Comment 10 NATTkA bot gentoo-dev

2020-04-06 15:21:18 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: x11-misc/sddm-0.18.0

Comment 11 John Helmert III archtester

2020-06-23 02:33:44 UTC

Can sddm-0.15.0 be dropped now? 0.18.1-r1 has been stabilized since this bug was last touched by a human.

Comment 12 Andreas Sturmlechner gentoo-dev

2020-06-23 17:08:15 UTC

(In reply to John Helmert III (ajak) from comment #11)
> Can sddm-0.15.0 be dropped now? 0.18.1-r1 has been stabilized since this bug
> was last touched by a human.

First need to produce a version that works for those depending on 0.15.

Comment 13 NATTkA bot gentoo-dev

2021-04-01 20:13:33 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: x11-misc/sddm-0.18.0

Comment 14 NATTkA bot gentoo-dev

2021-04-01 21:05:22 UTC

Resetting sanity check; package list is empty or all packages are done.

Comment 15 John Helmert III archtester

2021-06-12 13:25:36 UTC

(In reply to Andreas Sturmlechner from comment #12)
> (In reply to John Helmert III (ajak) from comment #11)
> > Can sddm-0.15.0 be dropped now? 0.18.1-r1 has been stabilized since this bug
> > was last touched by a human.
> 
> First need to produce a version that works for those depending on 0.15.

Is there a bug against the newer versions?

Comment 16 John Helmert III archtester

2021-07-25 20:22:22 UTC

Ping.

Comment 17 Andreas Sturmlechner gentoo-dev

2022-04-01 18:25:41 UTC

Oh, cleanup done in commit 4358362c18fef2411b0053d9556745e749d3afdd.

kde proj out.