USN-293-1: gdm vulnerability
Posted on: 06/09/2006 12:12 PM

A new gdm vulnerability update is available for Ubuntu Linux. Here the announcement:

Ubuntu Security Notice USN-293-1 June 09, 2006
gdm vulnerability
CVE-2006-2452
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
gdm 2.8.0.5-0ubuntu1.2

Ubuntu 6.06 LTS:
gdm 2.14.6-0ubuntu2.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

If the admin configured a gdm theme that provided an user list, any
user could activate the gdm setup program by first choosing the setup
option from the menu, clicking on the user list and entering his own
(instead of root's) password. This allowed normal users to configure
potentially dangerous features like remote or automatic login.

Please note that this does not affect a default Ubuntu installation,
since the default theme does not provide an user list. In Ubuntu 6.06
you additionally have to have the "ConfigAvailable" setting enabled in
gdm.conf to be vulnerable (it is disabled by default).

Ubuntu 5.04 is not affected by this flaw.


Updated packages for Ubuntu 5.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.8.0.5-0ubuntu1.=
2.diff.gz
Size/MD5: 67128 33be1f0d249e20f26a71853429faecef
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.8.0.5-0ubuntu1.=
2.dsc
Size/MD5: 820 a27629124864eceb8b7bde6d3bc5fce9
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.8.0.5.orig.tar.=
gz
Size/MD5: 4226618 349b76492113ab814f2732d4ce3a49c2

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.8.0.5-0ubuntu1.=
2_amd64.deb
Size/MD5: 1618282 de5b62fce24232a5f46c930cd719740d

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.8.0.5-0ubuntu1.=
2_i386.deb
Size/MD5: 1559904 34f918ecf92c03d0ab4befa70d735670

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.8.0.5-0ubuntu1.=
2_powerpc.deb
Size/MD5: 1571650 2a8967304c094d4a0e79a0c9018fff4d

Updated packages for Ubuntu 6.06 LTS:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.14.6-0ubuntu2.1=
=2Ediff.gz
Size/MD5: 75736 c0235a8f490d5b383b07365d7643da5e
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.14.6-0ubuntu2.1=
=2Edsc
Size/MD5: 885 670690837f6ee2692adfea92d71dd901
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.14.6.orig.tar.gz
Size/MD5: 4681313 6e0e99eb405a9a8e04ff81122723aae5

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.14.6-0ubuntu2.1=
_amd64.deb
Size/MD5: 1779088 d9c3c3cf9c4aebe8f797fafbd8f8e135

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.14.6-0ubuntu2.1=
_i386.deb
Size/MD5: 1714272 78f75e07fc5950e5f61c80ca0188ebaf

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.14.6-0ubuntu2.1=
_powerpc.deb
Size/MD5: 1762968 38d342e8408ad7cd6c613b8aa82e6458


--pf9I7BMVVzbSWLtt
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEiVGGDecnbV4Fd/IRAhcQAJ4zajDGgxHO6D4EkH1w1gYGbGcP5ACfSdLM
9Gut4x0SZCBElRPdDjkqSuQ=
=D3/w
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/usn_293_1_gdm_vulnerability.html)