Bug 27566 - gdm new security issue CVE-2020-16125
Summary: gdm new security issue CVE-2020-16125
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2020-11-06 00:23 CET by David Walser
Modified: 2021-01-04 15:43 CET

See Also:
Source RPM: gdm-3.38.1-1.mga8.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2020-11-06 00:23:45 CET
Debian-LTS has issued an advisory today (November 5):
https://www.debian.org/lts/security/2020/dla-2434

Mageia 7 is also affected.
David Walser 2020-11-06 00:23:52 CET

Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2020-11-06 00:25:24 CET
Ubuntu has issued an advisory for this on November 3:
https://ubuntu.com/security/notices/USN-4614-1

Severity: normal => major

Comment 2 David Walser 2020-11-16 20:30:27 CET
SUSE has issued an advisory for this today (November 16):
https://lists.suse.com/pipermail/sle-security-updates/2020-November/007777.html
Comment 3 David Walser 2020-11-23 21:57:28 CET
openSUSE has issued an advisory for this on November 19:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZX3UTGQD6BVLNXN2RQDQJAGIEKRWA7A4/
Comment 4 David Walser 2020-12-27 21:10:31 CET
Fix is present in the current version in Cauldron (3.38.2.1).

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 5 David Walser 2020-12-27 21:19:01 CET
Patched package uploaded for Mageia 7.

Advisory:
========================

Updated gdm packages fix security vulnerability:

Kevin Backhouse discovered that GDM incorrectly launched the initial setup tool
when the accountsservice daemon was not reachable. A local attacker able to
cause accountsservice to crash or stop responding could trick GDM into
launching the initial setup tool and create a privileged user (CVE-2020-16125).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16125
https://ubuntu.com/security/notices/USN-4614-1
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZX3UTGQD6BVLNXN2RQDQJAGIEKRWA7A4/
========================

Updated packages in core/updates_testing:
========================
gdm-3.32.0-1.1.mga7
libgdm1-3.32.0-1.1.mga7
libgdm-gir1.0-3.32.0-1.1.mga7
libgdm-devel-3.32.0-1.1.mga7

from gdm-3.32.0-1.1.mga7.src.rpm

Assignee: gnome => qa-bugs
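
The advisory above describes a fail-open decision: GDM treated "accountsservice did not answer" the same as "accountsservice says there are no users", and the privileged path (running the initial-setup wizard that creates an administrator) was reachable by anyone who could crash or hang the daemon. The following is an added illustration written for this page, not GDM's code and not the Mageia patch: it models that decision with a stand-in account service whose `list_cached_users` can fail, shows the fail-open version beside a fail-closed version, and adds the corroborating check a practitioner would want (a second, local source of truth, here a parse of passwd-format text). `FakeAccountService`, the `Decision` enum, the sample passwd lines and the 1000-60000 login UID range are all assumptions made for the example.

```python
"""Constructed illustration (not GDM's code) of the class of bug behind
CVE-2020-16125: a privileged decision ("no users exist, so run the
initial-setup wizard that creates an administrator") that fails open
when the service answering the question is unreachable.
"""
from dataclasses import dataclass, field
from enum import Enum, auto

# Assumed login-user UID range; adjust to the system's login.defs.
UID_MIN, UID_MAX = 1000, 60000


class ServiceUnavailable(Exception):
    """The account service crashed or stopped responding."""


@dataclass
class FakeAccountService:
    """Stand-in for a user-listing daemon queried over IPC (assumption)."""
    users: list = field(default_factory=list)
    reachable: bool = True

    def list_cached_users(self) -> list:
        if not self.reachable:
            raise ServiceUnavailable("no reply from account service")
        return list(self.users)


class Decision(Enum):
    RUN_INITIAL_SETUP = auto()   # privileged: wizard creates an admin account
    SHOW_LOGIN = auto()


def vulnerable_decide(svc) -> Decision:
    """Fails open: an unreachable service is folded into "zero users",
    so a local attacker who can crash the service gets the privileged path."""
    try:
        users = svc.list_cached_users()
    except ServiceUnavailable:
        users = []
    return Decision.RUN_INITIAL_SETUP if not users else Decision.SHOW_LOGIN


def count_login_users(passwd_text: str) -> int:
    """Count passwd-format entries whose UID falls in the login-user range.
    A second, local source of truth that does not depend on a daemon."""
    n = 0
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        try:
            uid = int(fields[2])
        except ValueError:
            continue
        if UID_MIN <= uid < UID_MAX:
            n += 1
    return n


def hardened_decide(svc, passwd_text: str) -> Decision:
    """Fails closed and corroborates: setup runs only when the service
    answers, says there are no users, and the passwd data agrees."""
    try:
        users = svc.list_cached_users()
    except ServiceUnavailable:
        # Cannot establish "no users"; treat the answer as "users exist".
        return Decision.SHOW_LOGIN
    if users:
        return Decision.SHOW_LOGIN
    if count_login_users(passwd_text) > 0:
        return Decision.SHOW_LOGIN
    return Decision.RUN_INITIAL_SETUP


# Constructed sample data: one ordinary login user on the system.
SAMPLE_PASSWD = "\n".join([
    "root:x:0:0:root:/root:/bin/bash",
    "systemd-network:x:192:192::/:/usr/sbin/nologin",
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash",
])
FRESH_PASSWD = "root:x:0:0:root:/root:/bin/bash"   # no login users yet


def demo() -> dict:
    """Return the decisions for a reachable and an unreachable service."""
    up = FakeAccountService(users=["alice"])
    down = FakeAccountService(users=["alice"], reachable=False)
    return {
        "vulnerable_up": vulnerable_decide(up),           # SHOW_LOGIN
        "vulnerable_down": vulnerable_decide(down),       # RUN_INITIAL_SETUP
        "hardened_down": hardened_decide(down, SAMPLE_PASSWD),   # SHOW_LOGIN
        "hardened_fresh": hardened_decide(FakeAccountService(), FRESH_PASSWD),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:16} {decision.name}")
```

The point of `hardened_decide` is that the only input allowed to open the privileged path is a successful, affirmative "no users" answer; any error on the way to that answer is treated as "users exist", and even the affirmative answer is cross-checked against data the attacker cannot take offline by crashing a daemon.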

Comment 6 Thomas Andrews 2021-01-03 17:24:03 CET
I was going to try installing this on a real hardware Plasma system, but it required installing a long list of Gnome-related dependencies that I didn't want, even on a testing system. So...

I created a basic Gnome guest inside VirtualBox. Once that was established, I installed QARepo and used it to get the updates for gdm. No installation issues. Did a reboot, and no issues were obvious to this non-Gnome user.

I believe this is sufficient as a test for this update, so I am OKing and validating. Advisory in Comment 5.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK

Comment 7 Aurelien Oudelet 2021-01-04 13:55:44 CET
Advisory pushed to SVN.

CC: (none) => ouaurelien
Keywords: (none) => advisory

Comment 8 Mageia Robot 2021-01-04 15:43:43 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0003.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

