Mageia Bugzilla – Bug 11219
lightdm new security issue CVE-2013-4331
Last modified: 2013-09-19 11:54:33 CEST
A CVE has been allocated for a security issue fixed in 1.7.14:
Jani already updated Cauldron to 1.7.14.
1.4.x (in Mageia 3) is also affected. The link above has links to commits to the 1.4.x branch to fix this.
Steps to Reproduce:
I'll update lightdm to 1.4.3 which fixes this security issue.
I was going to update to 1.4.3 anyways as it "adds a few important fixes backported from later versions" according to upstream.
Updated lightdm to 1.4.3 which should fix this issue.
With this new release ~/.Xauthority files shouldn't be created with world-readable permissions.
Please test the new release from core/updates_testing. Note also that the previous lightdm bug 11071 isn't fully validated yet. The new release also contains the fix for it.
Jani, I'm not quite sure what the issue was in Bug 11071. Could you give some text to add to the advisory about what was fixed there?
Bug 11071 was about user losing all device file permissions after using 'su' in terminal emulator after login to graphical desktop with lightdm. Sound stopped working because of that.
Updated lightdm packages fix security vulnerability:
lightdm before 1.4.3, 1.6.2 and 1.7.14 created .Xauthority files with
world-readable permissions (CVE-2013-4331).
Additionally, an issue where a user logged into a graphical desktop environment
through lightdm would lose privileges to local devices (such as the sound card)
when using the 'su' command has been fixed.
Updated packages in core/updates_testing:
I just tested mga3 x86_64 and both bugs are fixed:
[jules@localhost ~]$ ll .Xauthority
-rw------- 1 jules jules 147 sept. 12 21:22 .Xauthority
[jules@localhost ~]$ rpmqa lightdm
and no problem with session and sound.
For the record, it seems to fix another bug I had which asked for the root password to shut down (didn't find a bug report and since the bug seems fixed :D )
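The permission check the tester did by hand above (`ll .Xauthority`), as a small added script that is not part of the bug report or of the lightdm project: it reports whether an Xauthority file grants any bits to group or others (the condition behind CVE-2013-4331) and can tighten it to 0600. The `--demo` mode works on a constructed temporary file; the function names and the demo flag are this example's own.

```shell
#!/bin/sh
# Added example, not from the bug report or the lightdm project: check an
# Xauthority file for group/world permission bits and optionally fix them.

# xauth_mode_ok FILE
# Returns 0 if FILE exists and grants no permission bits to group or
# others (e.g. -rw-------), 1 otherwise. Uses `ls -ld` rather than stat,
# whose flags differ between GNU and BSD userlands; an ACL marker ('+')
# beyond column 10 is ignored by the cut.
xauth_mode_ok() {
    f=$1
    [ -f "$f" ] || return 1
    perms=$(ls -ld "$f" | cut -c1-10)
    case "$perms" in
        -???------) return 0 ;;
        *)          return 1 ;;
    esac
}

# xauth_fix_mode FILE
# Tightens FILE to 0600 when it is too permissive and reports what was done.
# Returns 0 when the file is (now) tight, 1 when FILE is missing.
xauth_fix_mode() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    if xauth_mode_ok "$f"; then
        echo "ok: $f"
    else
        old=$(ls -ld "$f" | cut -c1-10)
        chmod 600 "$f"
        echo "fixed: $f (was $old, now $(ls -ld "$f" | cut -c1-10))"
    fi
}

# Demo on a constructed temporary file (not a real .Xauthority) when run as
# `sh xauth_check.sh --demo`; for a real session use "$HOME/.Xauthority".
if [ "${1:-}" = "--demo" ]; then
    t=$(mktemp) && chmod 644 "$t"        # simulate the pre-1.4.3 behaviour
    xauth_mode_ok "$t" || echo "world-readable: $t"
    xauth_fix_mode "$t"
    rm -f "$t"
fi
```

Running `xauth_mode_ok "$HOME/.Xauthority"` after logging in through the updated lightdm should return 0; a non-zero return on a freshly created file means the session manager is still creating it with the old, permissive mode.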
Advisory 11219.adv committed to svn.
Ubuntu has issued an advisory for this on September 12:
Just tested with mga3 x86_32 (in virtualbox) and it fixes both bugs.
Could a sysadmin please push lightdm-1.4.3-1.mga3.src.rpm to core/updates?
11219.adv is in SVN.