
Bug 361217 (CVE-2011-0727)

Summary: >=gnome-base/gdm-2.28.0, <gnome-base/gdm-2.32.1: Local root exploit (CVE-2011-0727)
Product: Gentoo Security
Reporter: Tim Sammut (RETIRED) <underling>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: critical
CC: gnome
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://mail.gnome.org/archives/gdm-list/2011-March/msg00020.html
Whiteboard: A1 [noglsa]
Package list:
Runtime testing required: ---

Description Tim Sammut (RETIRED) gentoo-dev 2011-03-30 03:29:02 UTC
From $URL:

The 2.32.1 release is a security bug fix release of the GNOME Display Manager
(GDM) program with the following fixes:

- CVE-2011-0727 - Change to user before copying user files to prevent
local root exploit
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-03-30 03:30:54 UTC
Fixed gnome-base/gdm-2.32.1 is already in the tree, thanks, folks.

@gnome, can/should we stabilize that version?
Comment 2 Gilles Dartiguelongue (RETIRED) gentoo-dev 2011-03-30 08:28:04 UTC
gdm > 2.24 has always been masked. Unless this CVE applies to gdm-2.20 as well (haven't checked but probably not), there is no need to stabilize anything.
Comment 3 Nirbheek Chauhan (RETIRED) gentoo-dev 2011-03-30 08:33:38 UTC
This definitely does not apply to us, since >2.21 gdm versions are all masked, 2.20.11 (current stable) doesn't have any such thing, and 2.22 was a complete rewrite of the code.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-03-30 13:48:54 UTC
Ok, thanks, folks. According to http://git.gnome.org/browse/gdm/tree/NEWS this feature was added in 2.28.0.

(In reply to comment #2)
> gdm > 2.24 has always been masked. 

Resolving as invalid since we've never had vulnerable versions unmasked.