USN-293-1: gdm vulnerability
Posted on: 06/09/2006 12:12 PM

A new gdm vulnerability update is available for Ubuntu Linux. Here the announcement:

Ubuntu Security Notice USN-293-1 June 09, 2006
gdm vulnerability

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:

Ubuntu 6.06 LTS:
gdm 2.14.6-0ubuntu2.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

If the admin configured a gdm theme that provided an user list, any
user could activate the gdm setup program by first choosing the setup
option from the menu, clicking on the user list and entering his own
(instead of root's) password. This allowed normal users to configure
potentially dangerous features like remote or automatic login.

Please note that this does not affect a default Ubuntu installation,
since the default theme does not provide an user list. In Ubuntu 6.06
you additionally have to have the "ConfigAvailable" setting enabled in
gdm.conf to be vulnerable (it is disabled by default).

Ubuntu 5.04 is not affected by this flaw.

Updated packages for Ubuntu 5.10:

Source archives:
Size/MD5: 67128 33be1f0d249e20f26a71853429faecef
Size/MD5: 820 a27629124864eceb8b7bde6d3bc5fce9
Size/MD5: 4226618 349b76492113ab814f2732d4ce3a49c2

amd64 architecture (Athlon64, Opteron, EM64T Xeon)
Size/MD5: 1618282 de5b62fce24232a5f46c930cd719740d

i386 architecture (x86 compatible Intel/AMD)
Size/MD5: 1559904 34f918ecf92c03d0ab4befa70d735670

powerpc architecture (Apple Macintosh G3/G4/G5)
Size/MD5: 1571650 2a8967304c094d4a0e79a0c9018fff4d

Updated packages for Ubuntu 6.06 LTS:

Source archives:
Size/MD5: 75736 c0235a8f490d5b383b07365d7643da5e
Size/MD5: 885 670690837f6ee2692adfea92d71dd901
Size/MD5: 4681313 6e0e99eb405a9a8e04ff81122723aae5

amd64 architecture (Athlon64, Opteron, EM64T Xeon)
Size/MD5: 1779088 d9c3c3cf9c4aebe8f797fafbd8f8e135

i386 architecture (x86 compatible Intel/AMD)
Size/MD5: 1714272 78f75e07fc5950e5f61c80ca0188ebaf

powerpc architecture (Apple Macintosh G3/G4/G5)
Size/MD5: 1762968 38d342e8408ad7cd6c613b8aa82e6458

Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

Version: GnuPG v1.4.2.2 (GNU/Linux)


Printed from Linux Compatible (