Bug#404743: CVE-2006-6698: local DoS vulnerability due to insecure tempdir handling

Stefan Fritsch sf at sfritsch.de
Thu Dec 28 11:18:05 UTC 2006


On Thursday 28 December 2006 09:59, Josselin Mouette wrote:
> On Wednesday 27 December 2006 at 23:55 +0100, Stefan Fritsch wrote:
> > Package: gconf2
> > Version: 2.16.0-3
> > Severity: important
> > Tags: security
> >
> > A vulnerability has been reported in gconfd:
> >
> > The GConf daemon (gconfd) in GConf 2.14.0 creates temporary files
> > under directories with names based on the username, even when
> > GCONF_GLOBAL_LOCKS is not set, which allows local users to cause
> > a denial of service by creating the directories ahead of time,
> > which prevents other users from using Gnome.
> >
> > See
> >
> > http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219279
> > http://bugzilla.gnome.org/show_bug.cgi?id=167030
> >
> > for details. Please mention the CVE id in the changelog.
>
> This is a known problem that upstream doesn't find serious enough
> to fix it. The solution is to turn on global locking by default -
> currently it is enabled with the GCONF_LOCAL_LOCKS environment
> variable. However, it can break when /home is on NFS with some kind
> of servers. I intended to make this change post-etch so that we had
> time to see how it breaks.
>
> If the release managers want to, I can upload this change to
> unstable. I can also provide a backport for etch if the security
> team wants to issue an advisory, but be warned that this change is
> not harmless - although an environment variable will enable local
> locking if a user wants to revert to the current behavior.

There is a patch at

http://bugzilla.gnome.org/show_bug.cgi?id=141138

which (AIUI) creates locking directories with random names.

But I agree that this is not so important that some more or less 
untested solution should go into etch.
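
The failure mode discussed in this thread, and the random-name fallback, as an added C example; it is not GConf's code and not the patch from GNOME bug 141138. The function names, the `gconfd-<user>` naming pattern and the scratch base directory are assumptions made for the illustration.

```c
#define _XOPEN_SOURCE 700            /* lstat(), mkdtemp() */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if path is a real directory (not a symlink), owned by the caller,
 * with no group/other permission bits; 0 otherwise. */
static int dir_is_ours(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    return S_ISDIR(st.st_mode) && st.st_uid == geteuid()
        && (st.st_mode & 077) == 0;
}

/* Pick a lock directory under base for user and write its path to out.
 * Returns 0 if the predictable name was usable, 1 if it was already taken
 * by something unsafe and a random name was created instead, -1 on error.
 * (Hypothetical helper; the naming pattern is assumed.) */
int pick_lock_dir(const char *base, const char *user, char *out, size_t len)
{
    int n = snprintf(out, len, "%s/gconfd-%s", base, user);
    if (n < 0 || (size_t)n >= len)
        return -1;
    /* mkdir() fails with EEXIST if anything, even a symlink, is there. */
    if (mkdir(out, 0700) == 0 || (errno == EEXIST && dir_is_ours(out)))
        return 0;
    /* Pre-created by someone else or unsafe: do not use it, do not give up. */
    n = snprintf(out, len, "%s/gconfd-%s-XXXXXX", base, user);
    if (n < 0 || (size_t)n >= len)
        return -1;
    return mkdtemp(out) ? 1 : -1;    /* mkdtemp() creates the dir mode 0700 */
}

int main(void)
{
    char base[] = "/tmp/lockdir-demo-XXXXXX";   /* constructed scratch area */
    char out[4096];
    if (!mkdtemp(base))
        return 1;
    int rc = pick_lock_dir(base, "alice", out, sizeof out);
    printf("rc=%d dir=%s\n", rc, out);
    return rc < 0;
}
```

With a random name, clients need some other way to learn which directory the daemon chose; that part is outside this example.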




