Ubuntu has issued an advisory on June 28: http://www.ubuntu.com/usn/usn-1485-1/ Jani Välimaa has fixed Cauldron by updating to 0.6.22. I have uploaded a patched package for Mageia 2. Advisory: ======================== Updated accountsservice packages fix security vulnerability: Florian Weimer discovered that AccountsService incorrectly handled privileges when copying certain files to the system cache directory. A local attacker could exploit this issue to read arbitrary files, bypassing intended permissions (CVE-2012-2737). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2737 http://www.ubuntu.com/usn/usn-1485-1/ ======================== Updated packages in core/updates_testing: ======================== accountsservice-0.6.14-2.1.mga2 libaccountsservice0-0.6.14-2.1.mga2 libaccountsservice-devel-0.6.14-2.1.mga2 from accountsservice-0.6.14-2.1.mga2.src.rpm
The service was installed, but disabled on my i586 system. I've enabled the service with systemctl enable accounts-daemon.service After rebooting, checking with systemd-analyze blame|grep account 924ms accounts-daemon.service So other then adding just under a second to the boot time, what is the service used for? Any suggestions for testing procedure? I've looked, but haven't had any luck.
CC: (none) => davidwhodgins
Fedora has issued an advisory for this on June 30: http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083359.html If you take a look at the package URL, there is a "How to Test" section there. The linked bugs may or may not have something interesting as well.
Thanks, but we don't have the accountsdialog package. In Gnome, Tools/System Tools/User Accounts works whether the service is running or not.
It sounds like it's used by GDM and LightDM to get the list of users. I guess you could make sure the users on your system get displayed properly.
Olav, is there some other way accountsservice is used in GNOME we could test?
CC: (none) => olav
Based on urpmq --whatrequires accountsservice, it looks like gdm uses it. I've switched from kdm to gdm, and confirmed that even if I disable the accounts-daemon.service, on a restart of the dm, it does get re-enabled and started. So, since gdm is the only package we have that requires the package, and given that gdm is working with the update, I'm ok with considering the test completed on my i586 system.
Whiteboard: (none) => mga2-32-OK
Testing complete x86_64 mga2 Checked with gdm. Stopped the service, logged out. gdm starts the service. updated and did the same again. No regressions noticed. Validating Please see comment 0 for advisory and srpm Could sysadmin please push from core/updates_testing to core/updates Thanks!
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugsHardware: i586 => AllWhiteboard: mga2-32-OK => mga2-32-OK mga2-64-OK
GDM indeed uses it (to determine the users IIRC). Think gnome-control-center also relies on it, though maybe it misses a dependency.
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0153
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED