Bug#404743: CVE-2006-6698: local DoS vulnerability due to insecure tempdir handling

Josselin Mouette joss at debian.org
Thu Dec 28 08:59:33 UTC 2006


On Wednesday 27 December 2006 at 23:55 +0100, Stefan Fritsch wrote:
> Package: gconf2
> Version: 2.16.0-3
> Severity: important
> Tags: security
> 
> A vulnerability has been reported in gconfd:
> 
> The GConf daemon (gconfd) in GConf 2.14.0 creates temporary files
> under directories with names based on the username, even when
> GCONF_GLOBAL_LOCKS is not set, which allows local users to cause a
> denial of service by creating the directories ahead of time, which
> prevents other users from using Gnome.
> 
> See 
> 
> http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219279
> http://bugzilla.gnome.org/show_bug.cgi?id=167030
> 
> for details. Please mention the CVE id in the changelog.

This is a known problem that upstream doesn't find serious enough to
fix. The solution is to turn on global locking by default - currently it
is enabled with the GCONF_LOCAL_LOCKS environment variable. However, it
can break when /home is on NFS with some kinds of servers. I intended to
make this change post-etch so that we had time to see how it breaks.

If the release managers want to, I can upload this change to unstable. I
can also provide a backport for etch if the security team wants to issue
an advisory, but be warned that this change is not harmless - although
an environment variable will enable local locking if a user wants to
revert to the current behavior.

-- 
 .''`.
: :' :      We are debian.org. Lower your prices, surrender your code.
`. `'       We will add your hardware and software distinctiveness to
  `-        our own. Resistance is futile.
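
Added example, not part of the original message and not GConf's code: a C sketch of how a daemon can detect that its username-based directory in a shared temporary location was created ahead of time by someone else, instead of silently failing or trusting it. The function name, the `exampled` prefix, the user `alice` and the scratch path are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum dir_status { DIR_OK = 0, DIR_UNTRUSTED = 1, DIR_ERROR = 2 };

/* Claim <base>/<prefix>-<user> as a private directory (hypothetical helper).
 * The caller must ensure `user` contains no '/' characters. */
enum dir_status claim_user_dir(const char *base, const char *prefix,
                               const char *user, char *out, size_t outlen)
{
    struct stat st;
    int n = snprintf(out, outlen, "%s/%s-%s", base, prefix, user);
    if (n < 0 || (size_t)n >= outlen)
        return DIR_ERROR;                 /* path truncated: refuse */

    /* mkdir() fails with EEXIST on any existing name, symlinks included. */
    if (mkdir(out, 0700) == 0)
        return DIR_OK;
    if (errno != EEXIST)
        return DIR_ERROR;

    /* The name already exists. lstat() so a planted symlink is not followed. */
    if (lstat(out, &st) != 0)
        return DIR_ERROR;
    if (!S_ISDIR(st.st_mode))             /* symlink, file, fifo, ... */
        return DIR_UNTRUSTED;
    if (st.st_uid != geteuid())           /* pre-created by another user */
        return DIR_UNTRUSTED;
    if (st.st_mode & (S_IRWXG | S_IRWXO)) /* others could tamper with contents */
        return DIR_UNTRUSTED;
    return DIR_OK;
}

int main(void)
{
    char base[] = "/tmp/claim-demo-XXXXXX";   /* constructed scratch area */
    char path[256];
    if (!mkdtemp(base))
        return 1;
    enum dir_status s = claim_user_dir(base, "exampled", "alice", path, sizeof path);
    printf("%s -> %d\n", path, s);
    rmdir(path);
    rmdir(base);
    return s == DIR_OK ? 0 : 1;
}
```

A caller that receives `DIR_UNTRUSTED` should fail closed and report the condition rather than write into the directory; the check detects the pre-created directory but does not by itself remove the denial of service.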