
Conectiva CLA-2003:729: gdm multiple vulnerabilities

by Nikola Strahija on August 29th, 2003

GDM runs as root when it opens the ~/.xsession-errors file for the "examine session errors" feature, so a local user can read any text file on the system by creating a symlink. A vulnerability in GDM's XDMCP (X Display Manager Control Protocol) support allows attackers to cause a denial of service. XDMCP is disabled by default.


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------

PACKAGE : gdm
SUMMARY : Several vulnerabilities in GDM
DATE : 2003-08-29 18:25:00
ID : CLA-2003:729
RELEVANT
RELEASES : 7.0, 8, 9

- -------------------------------------------------------------------------

DESCRIPTION
GDM[1] is the Gnome display manager used for graphical logins.

This update fixed three vulnerabilities:

1) Arbitrary file content disclosure (CAN-2003-0547)[2]
Certain versions of GDM have the "examine session errors" feature
which allows a user to review the session log file. When opening
this file, which is located in the user's home directory, a
vulnerable GDM still has root privileges. Via a symlink attack, the
user can then make GDM open and show the contents of any file on the
system.

The fix makes GDM drop root privileges when opening the session log
file.

GDM shipped with Conectiva Linux 7.0 and 8 does not have this feature
and is not vulnerable to this issue.

The following two vulnerabilities are related to the XDMCP protocol,
which is not enabled by default, and affect Conectiva Linux 7.0, 8
and 9:

2) Use after free() (CAN-2003-0548)[3]
Under certain circumstances it is possible to make GDM use a
structure right after free()ing it, which causes a crash.

3) Segfault while checking authorization data (CAN-2003-0549)[4]
A string comparison with insufficient bounds checking is done while
checking authorization data, which can lead to a segmentation fault.
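
The fix described for item 1 (CAN-2003-0547), sketched as an added example; this is not GDM's patch or Conectiva's code. The names open_user_log and symlink_is_refused are hypothetical, and the O_NOFOLLOW and ownership checks are defence-in-depth assumptions added on top of the privilege drop the advisory describes.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not GDM source: open a file under a user's home from
 * a root-owned process. Returns a read-only fd, or -1 with errno set. */
int open_user_log(const char *path, uid_t uid, gid_t gid)
{
    uid_t old_uid = geteuid();
    gid_t old_gid = getegid();
    struct stat st;
    int fd = -1, err = 0;
    /* Group first: once euid is non-root, egid can no longer be changed. */
    if (setegid(gid) != 0) return -1;
    if (seteuid(uid) != 0) { err = errno; goto restore_gid; }
    /* The kernel now checks access as the user. O_NOFOLLOW also rejects a
     * symlink as the last path component; O_NONBLOCK avoids a FIFO hang. */
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) {
        err = errno;
    } else if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != uid) {
        close(fd);                 /* judge the opened object, not the path */
        fd = -1;
        err = EACCES;
    }
    if (seteuid(old_uid) != 0) abort();    /* fail closed if identity is stuck */
restore_gid:
    if (setegid(old_gid) != 0) abort();
    errno = err;
    return fd;
}

/* Constructed check: the real file opens, a symlink to it is refused. */
int symlink_is_refused(void)
{
    char file[] = "/tmp/xsess-XXXXXX", lnk[32];
    int tmp = mkstemp(file), ok, bad;
    snprintf(lnk, sizeof lnk, "%s.lnk", file);
    if (tmp < 0 || symlink(file, lnk) != 0) return -1;
    ok = open_user_log(file, getuid(), getgid());
    bad = open_user_log(lnk, getuid(), getgid());
    if (ok >= 0) close(ok);
    if (bad >= 0) close(bad);
    close(tmp); unlink(lnk); unlink(file);
    return ok >= 0 && bad < 0;
}
```

A long-running daemon would also need to shed root's supplementary groups with setgroups(), or do the read in a forked child that drops privileges permanently.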


SOLUTION
It is recommended that all GDM users upgrade their packages.

IMPORTANT: after the upgrade, the GDM service has to be restarted if
it was being used. One way to do so is to run the following commands
as root:

init 3

This will take the system to text-mode login. After that, execute:

init 5

to take the system back to graphic-mode login.


REFERENCES
1. http://www.5z.com/jirka/gdm.html
2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0547
3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0548
4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0549


UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/gdm-2.2.2.1-2U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/gdm-2.2.2.1-2U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/gdm-2.2.5.4-3U80_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/gdm-2.2.5.4-3U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/gdm-2.4.1.6-27238U90_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/gdm-2.4.1.6-27238U90_1cl.i386.rpm


ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM package upgrades:

- run: apt-get update
- after that, execute: apt-get upgrade

Detailed instructions regarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en

- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
Copyright (c) 2003 Conectiva Inc.
http://www.conectiva.com

- -------------------------------------------------------------------------
subscribe: [email protected]
unsubscribe: [email protected]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE/T8VF42jd0JmAcZARAkUAAKC7q13DplQVdkvI6sZP8P6e9mhSEwCfYf60
Y6ZhAL2wyihRaj5fPPtpKwI=
=IDP7
-----END PGP SIGNATURE-----

