lightdm doesn't drop privileges when reading ~/.dmrc

Bug #883865 reported by Marc Deslauriers
Affects            Status        Importance  Assigned to  Milestone
lightdm (Ubuntu)   Fix Released  Medium      Unassigned
Oneiric            Fix Released  Medium      Unassigned
Precise            Fix Released  Medium      Unassigned

Bug Description

LightDM doesn't drop privileges when reading the ~/.dmrc file. This allows a local user to read configuration files he would normally not have read permissions for, for example, mysql configuration files that contain passwords.

How to reproduce:
1- Create a /etc/app.conf file owned by root with 600 permissions, containing the following:
[App]
password=xyz
2- Log in as a regular user
3- rm ~/.dmrc
4- ln -s /etc/app.conf ~/.dmrc
5- Log out, log back in
6- look at ~/.dmrc
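The reproduction steps above show why a privileged daemon must not open a user-controlled path with root's rights: the symlink at ~/.dmrc is resolved by the kernel with the caller's permissions, so root's open() happily follows it into /etc/app.conf. The Oneiric/Precise changelogs below name the two mitigations that were shipped, dropping privileges before accessing the file (CVE-2011-3153) and refusing symlinks and hard links (CVE-2011-4105). The following C function is an added illustration of both, not lightdm's code or the patch from this bug: it temporarily switches the effective uid/gid to the user, opens with O_NOFOLLOW, and then checks the opened object with fstat() (regular file, owned by that user, link count 1) before reading. The name `read_user_config`, the `self_check` helper and the constructed `[App]/password=xyz` sample are all assumptions for this example; the self-check creates its own files in a temporary directory, so it runs as an ordinary user.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not lightdm's): read at most max-1 bytes of a
 * per-user config file into buf, acting as that user for the duration.
 * Returns the byte count, or -1 (errno set) if the file is refused. */
ssize_t read_user_config(const char *path, uid_t uid, gid_t gid,
                         char *buf, size_t max)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    ssize_t n = -1;
    struct stat st;

    /* 1. Drop privileges first: any symlink is now resolved with the
     *    user's rights, so it cannot lead into root-only files. */
    if (setegid(gid) < 0)
        return -1;
    if (seteuid(uid) < 0) {
        setegid(saved_egid);
        return -1;
    }

    /* 2. Refuse to follow a symlink at the final path component. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd >= 0) {
        /* 3. Validate the object actually opened, not the name: a regular
         *    file, owned by the user, with no second (hard-link) name. */
        if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
            st.st_uid != uid || st.st_nlink != 1) {
            close(fd);
            errno = EPERM;
        } else {
            n = read(fd, buf, max - 1);
            if (n >= 0)
                buf[n] = '\0';
            close(fd);
        }
    }

    /* 4. Regain privileges (a no-op when the process was never root). */
    int saved_errno = errno;
    seteuid(saved_euid);
    setegid(saved_egid);
    errno = saved_errno;
    return n;
}

/* Self-check with constructed files: returns 1 when our own regular file
 * is read back intact while a symlink and a hard link to it are refused. */
int self_check(void)
{
    char dir[] = "/tmp/dmrc-example-XXXXXX";
    if (!mkdtemp(dir))
        return 0;
    char real[256], lnk[256], hard[256], buf[64];
    snprintf(real, sizeof real, "%s/app.conf", dir);
    snprintf(lnk, sizeof lnk, "%s/dmrc-symlink", dir);
    snprintf(hard, sizeof hard, "%s/dmrc-hardlink", dir);
    const char *sample = "[App]\npassword=xyz\n";   /* constructed content */
    int ok = 0;

    int fd = open(real, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        goto out;
    if (write(fd, sample, 19) != 19) { close(fd); goto out; }
    close(fd);

    /* Reading our own regular file works. */
    if (read_user_config(real, getuid(), getgid(), buf, sizeof buf) != 19)
        goto out;
    if (strcmp(buf, sample) != 0)
        goto out;
    /* A symlink is refused by O_NOFOLLOW (ELOOP on Linux). */
    if (symlink(real, lnk) < 0)
        goto out;
    if (read_user_config(lnk, getuid(), getgid(), buf, sizeof buf) != -1)
        goto out;
    /* A hard link raises st_nlink to 2 and is refused by the fstat check. */
    if (link(real, hard) < 0)
        goto out;
    if (read_user_config(hard, getuid(), getgid(), buf, sizeof buf) != -1)
        goto out;
    ok = 1;
out:
    unlink(hard); unlink(lnk); unlink(real); rmdir(dir);
    return ok;
}

int main(void)
{
    printf("self_check: %s\n", self_check() ? "ok" : "FAILED");
    return 0;
}
```

The privilege drop is the part that closes the hole reported here; the O_NOFOLLOW and fstat() checks are defence in depth and also cover the hard-link variant, which a privilege drop alone does not (the user can legitimately read a hard link they created, but the later chown in the original code could not be allowed on it). Note the ordering: gid before uid on the way down, uid before gid on the way back up, otherwise the second call fails.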

Marc Deslauriers (mdeslaur) wrote :

This is CVE-2011-3153.

Marc Deslauriers (mdeslaur) wrote :

This issue is embargoed and has not been disclosed publicly.
We are requesting a coordinated release date (CRD) of <2011-11-15 17:00 UTC>.

Changed in lightdm (Ubuntu Oneiric):
status: New → Confirmed
importance: Undecided → Medium
Changed in lightdm (Ubuntu Precise):
status: New → Confirmed
importance: Undecided → Medium
Yves-Alexis Perez (corsac) wrote :

Note that it might be worth investigating for other issues like that. For the “write” vulnerability both .dmrc and .Xauthority were concerned, so .Xauthority file reading might be a good idea to look at.

Marc Deslauriers (mdeslaur) wrote :

Here's a proposed patch.

Robert, does this look okay to you?

Robert Ancell (robert-ancell) wrote :

Yes, patch looks correct. I've applied it to trunk and the stable branch.

Robert Ancell (robert-ancell) wrote :

Note that in Ubuntu we're using AccountsService and this file is not read under normal conditions. It will affect any Ubuntu derivative that doesn't use Accounts Service however.

Changed in lightdm (Ubuntu Precise):
status: Confirmed → Fix Committed
Changed in lightdm (Ubuntu Oneiric):
status: Confirmed → Fix Committed
Yves-Alexis Perez (corsac) wrote :

Hmhmh, the commits break the embargo, afaict, since the repositories are public...

Marc Deslauriers (mdeslaur) wrote :

Yes, unfortunately the embargo is now broken since the commit is public.

@Robert: the file is most certainly read on Oneiric, I can reproduce the issue at will. Is something not working right with AccountsService?

Marc Deslauriers (mdeslaur) wrote :

This would call it:

void
user_set_xsession (User *user, const gchar *xsession)
{
    g_return_if_fail (user != NULL);

    call_method (user->priv->proxy, "SetXSession", g_variant_new ("(s)", xsession), "()", NULL);
    save_string_to_dmrc (user->priv->name, "Desktop", "Session", xsession);
}

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.0.6-0ubuntu1.1

---------------
lightdm (1.0.6-0ubuntu1.1) oneiric-security; urgency=low

  * SECURITY UPDATE: file contents disclosure via hard link
    - debian/patches/04_CVE-2011-4105.patch: make sure file isn't a symlink
      or a hard link before doing the chown on it.
    - CVE-2011-4105
  * SECURITY UPDATE: file contents disclosure via links (LP: #883865)
    - debian/patches/05_CVE-2011-3153.patch: drop privileges before
      accessing file.
    - CVE-2011-3153
 -- Marc Deslauriers <email address hidden> Tue, 15 Nov 2011 08:31:27 -0500

Changed in lightdm (Ubuntu Oneiric):
status: Fix Committed → Fix Released
visibility: private → public
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.0.6-0ubuntu3

---------------
lightdm (1.0.6-0ubuntu3) precise; urgency=low

  * SECURITY UPDATE: file contents disclosure via hard link
    - debian/patches/04_CVE-2011-4105.patch: make sure file isn't a symlink
      or a hard link before doing the chown on it.
    - CVE-2011-4105
  * SECURITY UPDATE: file contents disclosure via links (LP: #883865)
    - debian/patches/05_CVE-2011-3153.patch: drop privileges before
      accessing file.
    - CVE-2011-3153
 -- Marc Deslauriers <email address hidden> Tue, 15 Nov 2011 14:23:53 -0500

Changed in lightdm (Ubuntu Precise):
status: Fix Committed → Fix Released
Yves-Alexis Perez (corsac) wrote :

Note that the patch uses O_NOFOLLOW flag to open() which is Linux-only.

Yves-Alexis Perez (corsac) wrote :

This patch seems to fix the problem.

Yves-Alexis Perez (corsac) wrote :

Any news on this?

Marc Deslauriers (mdeslaur) wrote :

News on what exactly? The code isn't in trunk anymore, and we've applied the patch to our releases.

If you're looking for a patch that doesn't use O_NOFOLLOW, you might as well remove the offending code from lightdm altogether, that would be the best solution.

Yves-Alexis Perez (corsac) wrote :

Yes, good point, code is removed now, sorry for that.
