files written as root to user-controlled folders
Bug #834079 reported by
Yves-Alexis Perez
This bug affects 3 people
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Light Display Manager |
Fix Released
|
High
|
Martin Pitt | ||
| lightdm (Debian) |
Fix Released
|
Unknown
|
|||
| lightdm (Ubuntu) |
Fix Released
|
High
|
Martin Pitt | ||
| Oneiric |
Fix Released
|
High
|
Martin Pitt | ||
Bug Description
Hey,
as you were on CC: I guess you're already aware, but reporting so it can be tracked upstream.
Short version: http://
Long version: .dmrc and Xauthority files are written by lightdm running as root while they're in user controlled folders. An user can, via a symlink, overwrite root-owned files. It doesn't look like it can achieve easily privilege-
Basically the correct fix seems to have workers process which would setuid() to the user before writing content to those files.
CVE-2011-3349
Related branches
lp://staging/~pitti/lightdm/write-user-files-as-user
- LightDM Development Team: Pending requested
-
Diff: 116 lines (+38/-12)3 files modifiedNEWS (+1/-0)
src/dmrc.c (+15/-2)
src/xauthority.c (+22/-10)
CVE References
| visibility: | private → public |
| Changed in lightdm (Debian): | |
| status: | Unknown → Confirmed |
| Changed in lightdm: | |
| status: | New → Triaged |
| importance: | Undecided → High |
Revision history for this message
| Robert Ancell (robert-ancell) wrote | #1 |
| Changed in lightdm (Ubuntu Oneiric): | |
| importance: | Undecided → High |
| Changed in lightdm (Ubuntu Oneiric): | |
| assignee: | nobody → Robert Ancell (robert-ancell) |
Revision history for this message
| Jamie Strandboge (jdstrand) wrote | #2 |
| Changed in lightdm (Ubuntu Oneiric): | |
| status: | New → Triaged |
| milestone: | none → ubuntu-11.10 |
Revision history for this message
| Yves-Alexis Perez (corsac) wrote | #3 |
Revision history for this message
| Robert Ancell (robert-ancell) wrote | #4 |
| Changed in lightdm (Ubuntu Oneiric): | |
| assignee: | Robert Ancell (robert-ancell) → Martin Pitt (pitti) |
| status: | Triaged → In Progress |
| description: | updated |
Revision history for this message
| Martin Pitt (pitti) wrote | #5 |
Revision history for this message
| Martin Pitt (pitti) wrote | #6 |
| Changed in lightdm (Ubuntu Oneiric): | |
| status: | In Progress → Fix Committed |
| Changed in lightdm: | |
| status: | Triaged → Fix Committed |
| assignee: | nobody → Martin Pitt (pitti) |
| status: | Fix Committed → In Progress |
Revision history for this message
| Martin Pitt (pitti) wrote | #7 |
| Changed in lightdm (Ubuntu Oneiric): | |
| status: | Fix Committed → Fix Released |
| Changed in lightdm: | |
| status: | In Progress → Fix Released |
| Changed in lightdm (Debian): | |
| status: | Confirmed → Fix Released |
To post a comment you must log in.
OpenSUSE audit of lightdm:
https:/