
desktop-packages team mailing list archive

[Bug 834079] Re: files written as root to user-controlled folders


Forgot to mention in changelog:

lightdm (0.9.5-0ubuntu2) oneiric; urgency=low

  * debian/lightdm.config: When installing from scratch as part of a release
    upgrade, default to lightdm, otherwise ask. (LP: #806559)
  * Add 04_dont_write_files_as_root.patch: Do not write ~/.dmrc and
    ~/.Xauthority as root. [CVE-2011-3349]
  * Add 00upstream_unlock_fix.patch: Only unlock displays if switched to from
    greeter. Cherrypicked from upstream r1137. (LP: #844274)

 -- Martin Pitt <martin.pitt@xxxxxxxxxx>  Thu, 15 Sep 2011 08:52:24 +0200

Also fixed upstream now in 0.9.6.

** Changed in: lightdm (Ubuntu Oneiric)
       Status: Fix Committed => Fix Released

** Changed in: lightdm
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/834079

Title:
  files written as root to user-controlled folders

Status in Light Display Manager:
  Fix Released
Status in “lightdm” package in Ubuntu:
  Fix Released
Status in “lightdm” source package in Oneiric:
  Fix Released
Status in “lightdm” package in Debian:
  Confirmed

Bug description:
  Hey,

  as you were on CC: I guess you're already aware, but reporting so it
  can be tracked upstream.

  Short version: http://seclists.org/oss-sec/2011/q3/393

  Long version: .dmrc and Xauthority files are written by lightdm
  running as root while they're in user-controlled folders. A user can,
  via a symlink, overwrite root-owned files. It doesn't look like it can
  easily achieve privilege escalation (since the content is quite fixed)
  but it's still bad.

  Basically the correct fix seems to be to have a worker process which
  would setuid() to the user before writing content to those files.

  CVE-2011-3349
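The worker-process approach the report proposes, as an added example in C that is not lightdm's own code nor the patch named in the changelog: the privileged parent forks a child that drops to the user's uid/gid before opening the file, and O_NOFOLLOW makes a planted symlink an error rather than a redirect. The scratch directory, file names and helper names are assumptions for the self-check.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
/* Write `content` to `path` on behalf of uid:gid. A forked child drops
 * privileges first, so the kernel checks the user's own permissions on
 * every path component, and O_NOFOLLOW refuses a symlink planted at `path`.
 * Returns 0 on success, -1 otherwise. (Assumed helper, not lightdm's code.) */
int write_as_user(const char *path, uid_t uid, gid_t gid, const char *content)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Group first: once the uid is unprivileged, setgid() would fail. */
        if (setgid(gid) != 0 || setuid(uid) != 0) _exit(2);
        int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
        if (fd < 0) _exit(3);
        size_t len = strlen(content);
        ssize_t n = write(fd, content, len);
        close(fd);
        _exit(n == (ssize_t)len ? 0 : 4);
    }
    int status; if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
/* Self-check in a scratch directory standing in for the user's home: a plain
 * .dmrc write must succeed, and a .Xauthority that is a symlink to another
 * file must be refused with that file untouched. Returns 1 when both hold. */
int demo_in_tmpdir(void)
{
    char dir[] = "/tmp/dmrc-demo-XXXXXX", plain[128], link[128], target[128];
    if (!mkdtemp(dir)) return 0;
    snprintf(plain, sizeof plain, "%s/.dmrc", dir);
    snprintf(target, sizeof target, "%s/root-owned-stand-in", dir);
    snprintf(link, sizeof link, "%s/.Xauthority", dir);
    int ok = write_as_user(plain, getuid(), getgid(), "[Desktop]\n") == 0;
    int fd = open(target, O_WRONLY | O_CREAT, 0600); /* the report's scenario */
    if (fd >= 0) close(fd);
    if (symlink(target, link) != 0) return 0;
    int refused = write_as_user(link, getuid(), getgid(), "x") != 0;
    struct stat st; int untouched = stat(target, &st) == 0 && st.st_size == 0;
    unlink(link); unlink(target); unlink(plain); rmdir(dir);
    return ok && refused && untouched;
}
```

Running as an ordinary user exercises the same code path the display manager would take as root, since setuid() to one's own uid always succeeds.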

To manage notifications about this bug go to:
https://bugs.launchpad.net/lightdm/+bug/834079/+subscriptions