| Summary: | <gnome-base/gdm-3.8.4-r3: TOCTTOU race condition on /tmp/.X11-unix (CVE-2013-4169) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | gnome |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=988498 | ||
| Whiteboard: | B3 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 499954, 508854 | ||
| Bug Blocks: | |||
We can't stabilize gdm-3.8 without the rest of gnome-3.8. Alternatively, we can try to apply the same fix as in RHEL 5. Does anyone have access to RHN? Please see what patches got applied in gdm-2.16.0-59.el5_9.1.src.rpm and initscripts-8.45.42-2.el5_9.1.src.rpm (see https://rhn.redhat.com/errata/RHSA-2013-1213.html) (In reply to Alexandre Rostovtsev from comment #1) > Alternatively, we can try to apply the same fix as in RHEL 5. As I can see: > We fixed the problem by having > rc.sysinit pre-create /tmp/.X11-unix at boot, like it does for > /tmp/.ICE-unix (and removing the offending code from GDM). https://bugzilla.redhat.com/attachment.cgi?id=794934 This patch deletes the wrong code, now, you should able to check the difference with the fixed version and the affected. CVE-2013-4169 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4169): GNOME Display Manager (gdm) before 2.21.1 allows local users to change permissions of arbitrary directories via a symlink attack on /tmp/.X11-unix/. we have all the updated ebuilds in the tree for a long time Pacho, In the comments we have "GDM versions < 2.21.1" is vulnerable. The only 2.x in tree is 2.20.11-r1. Please advise in what version this was fixed in so we can go ahead and go to the process of closing this bug. Well, we already have 3.10.x versions in the tree that solves this... but I guess this is blocked by gnome2 removal as we would need to remove vulnerable versions, right? 3.8.4-r3 was stabilized in bug 478252 and fixes this Maintainer(s), Thank you for cleanup! Security please Vote! GLSA Vote = yes GLSA vote: no GLSA vote: no. Closing as [noglsa]. |
From ${URL} : Vladz reported that GDM versions < 2.21.1 were vulnerable to a TOCTTOU (time of check to time of use) flaw in the way that GDM checked for the existence of, and created if missing, the /tmp/.X11-unix/ special directory. A local attacker could use this flaw to overwrite arbitrary file contents via symbolic link attacks or to manipulate the contents of arbitrary files, including those files owned by the root user that would normally be inaccessible. This is because GDM will chown /tmp/.X11-unix to the user and group root, but also changes the permissions to 1777. Newer versions of GDM no longer create the /tmp/.X11-unix/ directory and are thus not vulnerable to this flaw. @maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.