Summary: | x11-misc/lightdm: Privilege escalation vulnerabilities | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Andrey Ovcharov <sudormrfhalt> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED OBSOLETE | ||
Severity: | minor | CC: | hwoarang, polynomial-c |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B3 [cve] | ||
Package list: | Runtime testing required: | --- |
Description
Andrey Ovcharov
2017-07-14 12:05:15 UTC
I suspect we don't install either guest-account.sh (from Debian-specific directory) nor have the AppArmor restrictions in place that CVE-2017-8900 bypasses, but will leave bug open in case maintainers have comments.

https://www.ubuntu.com/usn/usn-3285-1/:

Details

Tyler Hicks discovered that LightDM did not confine the user session for guest users. An attacker with physical access could use this issue to access files and other resources that they should not be able to access. In the default installation, this includes files in the home directories of other users on the system. This update fixes the issue by disabling the guest session. It may be re-enabled in a future update. Please see the bug referenced below for instructions on how to manually re-enable the guest session.

Following up, is this still valid?

Ubuntu mentions lightdm-1.22.0 and lightdm-1.19.5 while we have 1.26.0 stable. So I'd say this bug is obsolete.
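The advisory quoted above fixes the issue by disabling the guest session, so a host check comes down to which `allow-guest` value wins after all LightDM configuration files are merged. The sketch below is an added example, not code from this bug report or from LightDM. It assumes later-loaded files override earlier ones, that seat defaults live in `[Seat:*]` or the legacy `[SeatDefaults]` section, and that guest sessions are enabled when nothing sets the key; the file names and contents are constructed samples.

```python
import configparser

# Sections holding seat-wide defaults; [SeatDefaults] is the legacy spelling.
# Assumption: if one file has both, [Seat:*] is treated as the winner.
SEAT_DEFAULT_SECTIONS = ("SeatDefaults", "Seat:*")

# Constructed sample: a packaged drop-in disables the guest session,
# then a local drop-in loaded later turns it back on.
SAMPLE_FILES = [
    ("/usr/share/lightdm/lightdm.conf.d/50-disable-guest.conf",
     "[Seat:*]\nallow-guest=false\n"),
    ("/etc/lightdm/lightdm.conf.d/40-enable-guest.conf",
     "# local override\n[Seat:*]\nallow-guest=true\n"),
]


def effective_allow_guest(config_files, default=True):
    """Return (enabled, source) for allow-guest.

    config_files: (path, text) pairs, earliest-loaded first.
    default: value assumed when no file sets the key.
    """
    enabled, source = default, "built-in default (assumed)"
    for path, text in config_files:
        parser = configparser.ConfigParser(
            interpolation=None, strict=False, delimiters=("=",))
        parser.optionxform = str  # keep key names case-sensitive
        parser.read_string(text, source=path)
        for section in SEAT_DEFAULT_SECTIONS:
            if parser.has_option(section, "allow-guest"):
                raw = parser.get(section, "allow-guest").strip().lower()
                enabled = raw in ("true", "1")
                source = f"{path} [{section}]"
    return enabled, source


if __name__ == "__main__":
    enabled, source = effective_allow_guest(SAMPLE_FILES)
    state = "ENABLED" if enabled else "disabled"
    print(f"guest session {state} (decided by {source})")
```

On a real host, pass the files in the order LightDM actually loads them; the result names the file that decided the outcome, which is where a re-enabled guest session would show up.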