Summary: | <gnome-base/gdm-3.22.3-r1: lock screen can be circumvented when autologin is set | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Christopher Díaz Riveros (RETIRED) <chrisadr> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | gnome |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12164 | | |
Whiteboard: | ~4 [noglsa cve] | | |
Package list: | | Runtime testing required: | --- |
Description
Christopher Díaz Riveros (RETIRED)
2017-09-16 23:02:18 UTC
Help welcome identifying if 3.22.3-r1 is vulnerable or not. I believe 3.24.3 is fixed already (double checking appreciated, but gnome distro-list e-mail, NEWS item and Gilles' commit says as such), but we can't stable that just yet, so need to make sure 3.22.3-r1 is safe or needs patching.

distro-list e-mail said: "Anyone shipping GDM 3.24.1 or later should consider upgrading to 3.24.3 (or 3.26.0) which fixes a security hole. namely, if the user enables autologin, then screen lock can be bypassed by trying to initiate user switching."

So I hope that implies 3.24.3-r1 is safe, and we don't actually have anything to do here, only 3.24.2 cleanup.

argh, typo, to be clear I meant "I hope that implies _3.22.3-r1_ is safe"

Tried to reproduce the issue, we are ok with gdm-3.22.3-r1. Changing whiteboard to cleanup and reassigning severity.

@Maintainers, Please let us know when tree is clean.

Thanks,
Gentoo Security Padawan
ChrisADR

Tree is clean