Bug 21715

Summary: lightdm new security issue CVE-2017-8900
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Jani Välimaa <jani.valimaa>
Status: RESOLVED OLD
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: mhrambo3501
Version: 6
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: lightdm-1.18.3-3.mga6.src.rpm
CVE:
Status comment: Could be fixed by disabling guest sessions

Description David Walser 2017-09-16 04:52:43 CEST
Ubuntu has issued an advisory on May 11:
https://usn.ubuntu.com/usn/usn-3285-1/

It sounded like an issue that only affected Ubuntu, not only specifically mentioning Ubuntu in the CVE description, but referring to it bypassing restrictions put in place by AppArmor, which only Ubuntu uses.

However, Fedora has followed suit, also disabling the guest session:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/W2D2FV2SZQVW6QD3LMNU6MV4QLIS6QML/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HXVOLJ7UBXHXF75UIKSTAEXDPVGJYLKK/

and maybe if we don't have AppArmor, even if the feature worked as intended, maybe guest sessions in lightdm would be allowing something they shouldn't be on Mageia, so if we haven't disabled them, perhaps we should.

Comment 1 Jani Välimaa 2017-09-19 17:05:22 CEST
Disabled guest sessions in lightdm-1.24.0-1.mga7.

Comment 2 David Walser 2017-09-19 19:58:58 CEST
Thanks Jani. Do you think we should disable it in the stable releases?

David Walser 2018-02-02 18:39:46 CET

Status comment: (none) => Could be fixed by disabling guest sessions
Version: Cauldron => 6
Source RPM: lightdm-1.18.3-4.mga7.src.rpm => lightdm-1.18.3-3.mga6.src.rpm

Comment 3 Mike Rambo 2019-11-06 13:16:15 CET
Mageia 6 is EOL.

Resolution: (none) => OLD
CC: (none) => mrambo
Status: NEW => RESOLVED