[Bug 953340] Re: ldm 2.2.x (using wwm) contains a keybinding allowing the user to get a root shell

Marc Deslauriers marc.deslauriers at canonical.com
Mon Mar 12 20:04:26 UTC 2012


Requested CVE:

http://www.openwall.com/lists/oss-security/2012/03/12/5

** Also affects: ldm (Ubuntu Natty)
   Importance: Undecided
       Status: New

** Also affects: ldm (Ubuntu Oneiric)
   Importance: Undecided
       Status: New

** Also affects: ldm (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Changed in: ldm (Ubuntu Natty)
       Status: New => Confirmed

** Changed in: ldm (Ubuntu Oneiric)
       Status: New => Confirmed

** Changed in: ldm (Ubuntu Precise)
       Status: New => Confirmed

** Changed in: ldm (Ubuntu Precise)
     Assignee: (unassigned) => Stéphane Graber (stgraber)

** Changed in: ldm (Ubuntu Natty)
     Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: ldm (Ubuntu Oneiric)
     Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: ldm (Ubuntu Natty)
   Importance: Undecided => High

** Changed in: ldm (Ubuntu Oneiric)
   Importance: Undecided => High

** Changed in: ldm (Ubuntu Precise)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ldm in Ubuntu.
https://bugs.launchpad.net/bugs/953340

Title:
  ldm 2.2.x (using wwm) contains a keybinding allowing the user to get a
  root shell

Status in “ldm” package in Ubuntu:
  Confirmed
Status in “ldm” source package in Natty:
  Confirmed
Status in “ldm” source package in Oneiric:
  Confirmed
Status in “ldm” source package in Precise:
  Confirmed

Bug description:
  Starting with ldm 2.2.x upstream switched to wwm as a minimal window
  manager for ldm, though it only recently was discovered that it ships
  with a keybinding allowing to spawn an xterm.

  As the ldm greeter runs as root, this essentially allows for a
  passwordless root shell to be spawned on any LTSP thin client since
  Ubuntu 11.04.

  
  While definitely quite bad, it's not horribly bad: as all thin clients are booted from the network with their filesystem downloaded in cleartext from the network, we already consider them non-secure machines to start with.
  The fix upstream is to turn off all the keybindings in wwm as it was meant to be from the beginning.

  I committed the bugfix upstream and we'll release a new version today
  for upload to Debian and sync into Precise.

  
  I'm going to provide two debdiffs in the next few minutes cherry-picking the fix for Ubuntu 11.04 and 11.10.

  For the record, the keybinding is KP_RETURN.

  The original reporter for this security issue is "Tenho Tuhkala" with
  the bug tracked down and fixed by me.
