OpenSuSE has fixed a possible denial of service issue, where hitting Enter with no username could cause an unrecoverable (except by the sysadmin) crash in lightdm, thereby denying access to the machine through the login manager:
http://openwall.com/lists/oss-security/2014/01/07/8
https://bugzilla.novell.com/show_bug.cgi?id=857303

I've added the patch in SVN in Mageia 3 and Cauldron and requested a freeze push.
Whiteboard: (none) => MGA3TOO
lightdm-gtk-greeter-1.6.1-3.mga4 uploaded for Cauldron.
Version: Cauldron => 3
Whiteboard: MGA3TOO => (none)
Patched package uploaded for Mageia 3.

Advisory:
========================

Updated lightdm-gtk-greeter package fixes security vulnerability:

lightdm-gtk-greeter uses the lightdm-gobject API incorrectly and does not handle lightdm_greeter_get_authentication_user() returning NULL when the username of the previous authentication is invalid resulting in a NULL pointer dereference in start_authentication(). This constitutes a local denial of service which can be triggered by any unprivileged attacker requiring the intervention of an administrator to restart lightdm (CVE-2014-0979).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0979
http://openwall.com/lists/oss-security/2014/01/07/5
https://bugzilla.novell.com/show_bug.cgi?id=857303
========================

Updated packages in core/updates_testing:
========================
lightdm-gtk-greeter-1.3.1-6.1.mga3

from lightdm-gtk-greeter-1.3.1-6.1.mga3.src.rpm
Assignee: bugsquad => qa-bugs
Unable to confirm issue. After switching to lightdm, the login prompt doesn't allow for an empty username, there's a drop-down menu you have to choose from.
CC: (none) => isolde
OpenSuSE has issued an advisory for this today (January 15):
http://lists.opensuse.org/opensuse-updates/2014-01/msg00048.html

Updating the reference in the advisory.

Advisory:
========================

Updated lightdm-gtk-greeter package fixes security vulnerability:

lightdm-gtk-greeter uses the lightdm-gobject API incorrectly and does not handle lightdm_greeter_get_authentication_user() returning NULL when the username of the previous authentication is invalid resulting in a NULL pointer dereference in start_authentication(). This constitutes a local denial of service which can be triggered by any unprivileged attacker requiring the intervention of an administrator to restart lightdm (CVE-2014-0979).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0979
http://openwall.com/lists/oss-security/2014/01/07/5
http://lists.opensuse.org/opensuse-updates/2014-01/msg00048.html
========================

Updated packages in core/updates_testing:
========================
lightdm-gtk-greeter-1.3.1-6.1.mga3

from lightdm-gtk-greeter-1.3.1-6.1.mga3.src.rpm
URL: (none) => http://lwn.net/Vulnerabilities/580567/
CC: (none) => jani.valimaa, stormi
Wally, if you know how to trigger the issue so that we can test the fix, that would be helpful :)
Dave was able to trigger it in Cauldron before I fixed it there. See Comment 0.
I can reproduce, after installing light-dm-greeter and its dependencies, and setting it as the default in MCC. To Carolyn: you missed the "other" option in the drop-down menu, that offers to type your username. lightdm crashes indeed. No big deal since the dm service restarts it instantly, but there's nothing bad in fixing it :) After installing the update candidate, no more crash. Testing complete MGA3 32.
Whiteboard: (none) => has_procedure MGA3-32-OK
Name: CVE-2014-0979
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0979
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20140107
Category:
Reference: MLIST:[oss-security] 20140107 Re: CVE request: lightdm-gtk-greeter - local DOS due to NULL pointer dereference
Reference: URL:http://www.openwall.com/lists/oss-security/2014/01/07/15
Reference: CONFIRM:https://bugs.launchpad.net/lightdm-gtk-greeter/+bug/1266449
Reference: CONFIRM:https://bugzilla.novell.com/show_bug.cgi?id=857303
Reference: SUSE:openSUSE-SU-2014:0071
Reference: URL:http://lists.opensuse.org/opensuse-updates/2014-01/msg00048.html
Reference: SECUNIA:56211
Reference: URL:http://secunia.com/advisories/56211
Reference: SECUNIA:56423
Reference: URL:http://secunia.com/advisories/56423

The start_authentication function in lightdm-gtk-greeter.c in LightDM GTK+ Greeter before 1.7.1 does not properly handle the return value from the lightdm_greeter_get_authentication_user function, which allows local users to cause a denial of service (NULL pointer dereference) via an empty username.
CC: (none) => oe
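The defect class described in the advisory and CVE text above, as an added example that is not part of the bug thread and is not the greeter's or the patch's actual code. The struct and every function here are hypothetical stand-ins that only model an accessor returning NULL after an invalid (empty) username; the username "alice" is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for greeter state; NOT the lightdm-gobject API. */
struct greeter {
    const char *auth_user;   /* username of the previous authentication */
    int in_authentication;
};

/* Models the advisory: NULL when the previous username was invalid (empty). */
static const char *get_authentication_user(const struct greeter *g)
{
    return (g->auth_user && g->auth_user[0]) ? g->auth_user : NULL;
}

/* Unchecked pattern: strcmp() dereferences the NULL return value. */
int same_user_unchecked(const struct greeter *g, const char *username)
{
    return strcmp(get_authentication_user(g), username) == 0;
}

/* Checked pattern: a NULL on either side means "not the same user". */
int same_user_checked(const struct greeter *g, const char *username)
{
    const char *current = get_authentication_user(g);
    if (current == NULL || username == NULL)
        return 0;
    return strcmp(current, username) == 0;
}

/* Returns 1 when a new authentication is started, 0 when one is reused. */
int start_authentication_checked(struct greeter *g, const char *username)
{
    if (g->in_authentication && same_user_checked(g, username))
        return 0;
    g->auth_user = username;
    g->in_authentication = 1;
    return 1;
}

int main(void)
{
    struct greeter g = { NULL, 0 };
    start_authentication_checked(&g, "");          /* Enter with no username */
    printf("restart after empty username: %d\n",
           start_authentication_checked(&g, "alice"));   /* constructed name */
    return 0;
}
```
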
Testing complete mga3 64

Advisory uploaded. Validating.

Could sysadmin please push from 3 core/updates_testing to updates

Thanks!
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA3-32-OK => has_procedure advisory MGA3-32-OK mga3-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0026.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED