Bug#683338: [oss-security] CVE request: lightdm-gtk-greeter - local DOS due to NULL pointer dereference

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Jan 7 19:50:24 UTC 2014


[replying to http://www.openwall.com/lists/oss-security/2014/01/07/5]

On 01/07/2014 05:47 AM, Guido Berhoerster wrote:
> an openSUSE user discovered that it is trivial to crash
> lightdm-gtk-greeter by entering an empty username due to a NULL
> pointer dereference. When a greeter crashes the lightdm daemon
> exits.
> This constitutes a local denial of service which can be triggered
> by any unprivileged attacker requiring the intervention of an
> administrator to restart lightdm. It affects all versions of
> lightdm-gtk-greeter.

Hm, if this warrants a CVE for lightdm, then gdm3 needs one also:

 https://bugzilla.gnome.org/show_bug.cgi?id=704284
 http://bugs.debian.org/683338

Basically, when gdm3 is configured to not show a list of users (but
instead shows a blank box for the login prompt), if the user clicks
"cancel" or hits the escape key, then the greeter gets put into a mode
without any way to log in (no prompts available).

I've tried to debug it but it appears to be due to some sort of
timing-dependent case.  When I step through the code with gdb, I haven't
been able to reproduce the issue.

It is definitely a bad situation for machines in public locations with
this configuration.

	--dkg
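The lightdm-gtk-greeter bug quoted above is a classic unchecked-input defect: the response to the username prompt is dereferenced even when it is NULL or empty, and because the greeter runs under the display manager, one crash takes the whole login service down. The following is an added illustration, not code from lightdm, lightdm-gtk-greeter or gdm3; the function and enum names (`handle_username_response`, `username_status_t`) and the length limit are assumptions. It shows the unsafe dereference beside a hardened handler that rejects NULL, empty and whitespace-only input before touching the string.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical result codes for processing a username prompt response. */
typedef enum {
    USERNAME_OK = 0,
    USERNAME_MISSING,   /* NULL, empty or whitespace-only response */
    USERNAME_TOO_LONG   /* exceeds the assumed limit or the output buffer */
} username_status_t;

/* Assumed limit; not taken from any real greeter's configuration. */
#define MAX_USERNAME_LEN 32

/* Unsafe pattern (the bug class in the report): the response is used
 * without a NULL check, so an empty prompt answer that arrives as NULL
 * dereferences a null pointer and crashes the greeter. Not called below. */
size_t unsafe_username_length(const char *response)
{
    return strlen(response);
}

/* Hardened handler: validates the response and copies a trimmed copy into
 * `out` only when it is usable. Never dereferences a NULL pointer and never
 * writes past `out_size`. */
username_status_t handle_username_response(const char *response,
                                           char *out, size_t out_size)
{
    if (response == NULL)
        return USERNAME_MISSING;

    /* Skip leading whitespace. */
    while (*response != '\0' && isspace((unsigned char)*response))
        response++;

    /* Drop trailing whitespace. */
    size_t len = strlen(response);
    while (len > 0 && isspace((unsigned char)response[len - 1]))
        len--;

    if (len == 0)
        return USERNAME_MISSING;          /* empty answer: re-prompt, do not crash */
    if (len > MAX_USERNAME_LEN || len >= out_size)
        return USERNAME_TOO_LONG;

    memcpy(out, response, len);
    out[len] = '\0';
    return USERNAME_OK;
}

int main(void)
{
    /* Constructed sample responses, including the empty case from the report. */
    const char *samples[] = { NULL, "", "   ", "  alice ", "bob" };
    char buf[64];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        username_status_t st = handle_username_response(samples[i], buf, sizeof buf);
        printf("response %zu -> status %d%s%s\n", i, (int)st,
               st == USERNAME_OK ? ", username=" : "",
               st == USERNAME_OK ? buf : "");
    }
    return 0;
}
```

The point for a greeter is that `USERNAME_MISSING` should lead back to the prompt rather than to a crash, since the display manager treats a dead greeter as a fatal error and an unprivileged user at the console should not be able to reach that state.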
