[USN-293-1] gdm vulnerability
Martin Pitt
martin.pitt at canonical.com
Fri Jun 9 10:46:30 UTC 2006
===========================================================
Ubuntu Security Notice USN-293-1 June 09, 2006
gdm vulnerability
CVE-2006-2452
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 5.10
Ubuntu 6.06 LTS
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 5.10:
gdm 2.8.0.5-0ubuntu1.2
Ubuntu 6.06 LTS:
gdm 2.14.6-0ubuntu2.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
If the admin configured a gdm theme that provided an user list, any
user could activate the gdm setup program by first choosing the setup
option from the menu, clicking on the user list and entering his own
(instead of root's) password. This allowed normal users to configure
potentially dangerous features like remote or automatic login.
Please note that this does not affect a default Ubuntu installation,
since the default theme does not provide an user list. In Ubuntu 6.06
you additionally have to have the "ConfigAvailable" setting enabled in
gdm.conf to be vulnerable (it is disabled by default).
Ubuntu 5.04 is not affected by this flaw.
Updated packages for Ubuntu 5.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.8.0.5-0ubuntu1.2.diff.gz
Size/MD5: 67128 33be1f0d249e20f26a71853429faecef
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.8.0.5-0ubuntu1.2.dsc
Size/MD5: 820 a27629124864eceb8b7bde6d3bc5fce9
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.8.0.5.orig.tar.gz
Size/MD5: 4226618 349b76492113ab814f2732d4ce3a49c2
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.8.0.5-0ubuntu1.2_amd64.deb
Size/MD5: 1618282 de5b62fce24232a5f46c930cd719740d
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.8.0.5-0ubuntu1.2_i386.deb
Size/MD5: 1559904 34f918ecf92c03d0ab4befa70d735670
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.8.0.5-0ubuntu1.2_powerpc.deb
Size/MD5: 1571650 2a8967304c094d4a0e79a0c9018fff4d
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.14.6-0ubuntu2.1.diff.gz
Size/MD5: 75736 c0235a8f490d5b383b07365d7643da5e
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.14.6-0ubuntu2.1.dsc
Size/MD5: 885 670690837f6ee2692adfea92d71dd901
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.14.6.orig.tar.gz
Size/MD5: 4681313 6e0e99eb405a9a8e04ff81122723aae5
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.14.6-0ubuntu2.1_amd64.deb
Size/MD5: 1779088 d9c3c3cf9c4aebe8f797fafbd8f8e135
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.14.6-0ubuntu2.1_i386.deb
Size/MD5: 1714272 78f75e07fc5950e5f61c80ca0188ebaf
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.14.6-0ubuntu2.1_powerpc.deb
Size/MD5: 1762968 38d342e8408ad7cd6c613b8aa82e6458
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 191 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20060609/80f905e2/attachment.sig>
More information about the ubuntu-security-announce
mailing list