Bug 11219 - lightdm new security issue CVE-2013-4331
: lightdm new security issue CVE-2013-4331
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/566728/
: has_procedure mga3-64-ok mga2-32-ok
: validated_update
:
: 11071
  Show dependency treegraph
 
Reported: 2013-09-12 00:47 CEST by David Walser
Modified: 2013-09-19 11:54 CEST (History)
5 users (show)

See Also:
Source RPM: lightdm-1.4.1-2.2.mga3.src.rpm
CVE:


Attachments

Description David Walser 2013-09-12 00:47:09 CEST
A CVE has been allocated for a security issue fixed in 1.7.14:
http://openwall.com/lists/oss-security/2013/09/11/8

Jani already updated Cauldron to 1.7.14.

1.4.x (in Mageia 3) is also affected.  The link above has links to commits to the 1.4.x branch to fix this.

Reproducible: 

Steps to Reproduce:
Comment 1 Jani Välimaa 2013-09-12 06:26:47 CEST
I'll update lightdm to 1.4.3 which fixes this security issue.

I was going to update to 1.4.3 anyways as it "adds a few important fixes backported from later versions" regarding to upstream.
Comment 2 Jani Välimaa 2013-09-12 15:23:21 CEST
Updated lightdm to 1.4.3 which should fix this issue.

With this new release ~/.Xauthority files shouldn't be created with world-readable permissions.

Please test new release [1] from core/updates_testing. Note also, that previous lightdm bug 11071 isn't fully validated, yet. New release also contains the fix for it.

[1] lightdm-1.4.3-1.mga3
Comment 3 David Walser 2013-09-12 16:38:35 CEST
Jani, I'm not quite sure what the issue was in Bug 11071.  Could you give some text to add to the advisory about what was fixed there?
Comment 4 Jani Välimaa 2013-09-12 16:54:19 CEST
Bug 11071 was about user losing all device file permissions after using 'su' in terminal emulator after login to graphical desktop with lightdm. Sound stopped working because of that.
Comment 5 David Walser 2013-09-12 17:11:13 CEST
Thanks Jani!

Advisory:
========================

Updated lightdm packages fix security vulnerability:

lightdm before 1.4.3, 1.6.2 and 1.7.14 created .Xauthority files with
world-readable permissions (CVE-2013-4331).

Additionally, an issue where a user logged into a graphical desktop environment
through lightdm would lose privleges to local devices (such as the sound card)
when using the 'su' command has been fixed.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4331
http://openwall.com/lists/oss-security/2013/09/11/4
https://bugs.mageia.org/show_bug.cgi?id=11071
https://bugs.mageia.org/show_bug.cgi?id=11219
========================

Updated packages in core/updates_testing:
========================
lightdm-1.4.3-1.mga3
liblightdm-gobject1_0-1.4.3-1.mga3
liblightdm-gir1-1.4.3-1.mga3
liblightdm-gobject-devel-1.4.3-1.mga3
liblightdm-qt2_0-1.4.3-1.mga3
liblightdm-qt-devel-1.4.3-1.mga3

from lightdm-1.4.3-1.mga3.src.rpm
Comment 6 Julien Moragny 2013-09-12 21:25:38 CEST
Hi,

I just tested mga3 x86_64 and both bugs are fixed :
[jules@localhost ~]$ ll .Xauthority 
-rw------- 1 jules jules 147 sept. 12 21:22 .Xauthority
[jules@localhost ~]$ rpmqa lightdm
lightdm-gtk-greeter-1.3.1-6.mga3
lightdm-1.4.3-1.mga3
lib64lightdm-gobject1_0-1.4.3-1.mga3

and no problem with session and sound.

For the record, it seems to fix another bug I had which asked root password to shutdown (didn't find a bugreport and since the bug seems fixed :D )

thanks
Julien
Comment 7 Dave Hodgins 2013-09-12 23:25:58 CEST
Advisory 11219.adv committed to svn.
Comment 8 David Walser 2013-09-13 18:06:54 CEST
Ubuntu has issued an advisory for this on September 12:
http://www.ubuntu.com/usn/usn-1950-1/
Comment 9 Julien Moragny 2013-09-14 22:22:46 CEST
Hi,

Just tested with mga3 x86_32 (in virtualbox) and it fixes both bug.

regards
Julien
Comment 10 David Walser 2013-09-14 22:35:35 CEST
Thanks Julien!

Could a sysadmin please push lightdm-1.4.3-1.mga3.src.rpm to core/updates?

11219.adv is in SVN.
Comment 11 Thomas Backlund 2013-09-19 11:54:33 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0286.html

Note You need to log in before you can comment on or make changes to this bug.