Bug 371304 (CVE-2011-1709) - gnome-base/gdm: Local privilege escalation (CVE-2011-1709)
Summary: gnome-base/gdm: Local privilege escalation (CVE-2011-1709)
Status: RESOLVED INVALID
Alias: CVE-2011-1709
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal critical
Assignee: Gentoo Security
URL: http://git.gnome.org/browse/gdm/commi...
Reported: 2011-06-12 20:08 UTC by Tim Sammut (RETIRED)
Modified: 2011-06-18 18:29 UTC

Description Tim Sammut (RETIRED) gentoo-dev 2011-06-12 20:08:47 UTC
Patch at $URL. From third party advisory at http://secunia.com/advisories/44797/:

Description

A security issue has been reported in GNOME Display Manager, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

The security issue is caused due to a URI scheme handler configuration error and can be exploited to launch a default browser in a GDM session with the privileges of the GDM user.

The security issue is reported in version 2.32.1 and prior.
Comment 1 Nirbheek Chauhan (RETIRED) gentoo-dev 2011-06-15 07:02:40 UTC
This applies to the following version range: (2.21, 2.32.1). The current stable is 2.20.x, and this vulnerability doesn't apply to that version. GDM was completely rewritten in the 2.21.x cycle, and all further releases have been hard masked in the tree.

Hence, this security bug doesn't affect us.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-06-18 18:29:20 UTC
(In reply to comment #1)
> 
> Hence, this security bug doesn't affect us.

Ok, thanks. Closing as INVALID.