GNOME Display Manager (gdm) 2.x before 2.32.1 allows local users to change
the ownership of arbitrary files via a symlink attack on a (1) dmrc or (2)
face icon file under /var/cache/gdm/.
The face icon vulnerability doesn't apply to 2.20.x, but the dmrc one might apply. Needs further investigation.
Ping, any progress?
This is already handled in our part, I think.
fixed in 3.8, stabilized in bug #478252
(In reply to Pacho Ramos from comment #4)
> fixed in 3.8, stabilized in bug #478252
Version 3.8 is no longer in tree. Adding this to master GLSA for things fixed and cleaned up in 2011.
This issue was resolved and addressed in
GLSA 201412-09 at http://security.gentoo.org/glsa/glsa-201412-09.xml
by GLSA coordinator Sean Amoss (ackle).