From the upstream email notification at $URL:

Fixes a security issue where using ~/.Xauthority as a symlink would cause LightDM to set the destination of the link to user ownership. All users of 1.0.4 or 1.0.5 should upgrade immediately.

Overview of changes in lightdm 1.0.6
* Use lchown for correcting ownership of ~/.Xauthority instead of chown
That's a bit weird. There is no 1.0.6 version for lightdm. https://launchpad.net/lightdm
(In reply to comment #1)
> That's a bit weird. There is no 1.0.6 version for lightdm.
>
> https://launchpad.net/lightdm

http://people.ubuntu.com/~robert-ancell/lightdm/releases/ seems to have a tarball
ebuild now in portage
(In reply to comment #3)
> ebuild now in portage

Thanks. Closing noglsa for ~arch only package.
CVE-2011-4105 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4105): LightDM before 1.0.6 allows local users to change ownership of arbitrary files via a symlink attack on ~/.Xauthority.
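The difference between the two calls named in the upstream changelog, as an added example that is not LightDM's code: chown() resolves a symlink and acts on its destination, while lchown() acts on the link itself. The scratch directory, the link target and the function names are constructed for the demonstration; a dangling link is used so the difference is visible without privileges.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed fixture: scratch dir holding a dangling symlink named .Xauthority. */
static int make_link(char *dir, size_t dlen, char *link, size_t llen)
{
    snprintf(dir, dlen, "/tmp/xauth-demo-XXXXXX");
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(link, llen, "%s/.Xauthority", dir);
    return symlink("no-such-target", link);   /* target does not exist */
}

static void cleanup(const char *dir, const char *link)
{
    unlink(link);
    rmdir(dir);
}

/* Returns 1 if chown() followed the link: the missing target yields ENOENT. */
int chown_follows_symlink(void)
{
    char dir[64], link[96];
    if (make_link(dir, sizeof dir, link, sizeof link) != 0)
        return -1;
    int rc = chown(link, geteuid(), (gid_t)-1);
    int followed = (rc == -1 && errno == ENOENT);
    cleanup(dir, link);
    return followed;
}

/* Returns 1 if lchown() succeeded on the link and left it a symlink. */
int lchown_stays_on_link(void)
{
    char dir[64], link[96];
    struct stat st;
    if (make_link(dir, sizeof dir, link, sizeof link) != 0)
        return -1;
    int ok = lchown(link, geteuid(), (gid_t)-1) == 0 &&
             lstat(link, &st) == 0 && S_ISLNK(st.st_mode) &&
             st.st_uid == geteuid();
    cleanup(dir, link);
    return ok;
}
```

With a privileged caller such as a display manager, the same follow-the-link behaviour is what lets the link's destination end up owned by the user, which is why the fix switches to lchown().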