https://bugzilla.novell.com/show_bug.cgi?id=730062 https://bugzilla.novell.com/show_bug.cgi?id=730062#c0 Summary: LightDM fix for CVE-2011-4105 is incomplete Classification: openSUSE Product: openSUSE 12.1 Version: Final Platform: Other OS/Version: Other Status: NEW Severity: Normal Priority: P5 - None Component: Xfce AssignedTo: bnc-team-xfce@forge.provo.novell.com ReportedBy: gber@opensuse.org QAContact: qa@suse.de Found By: --- Blocker: --- User-Agent: Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
From http://www.openwall.com/lists/oss-security/2011/11/09/6:
---->8---- Date: Wed, 09 Nov 2011 10:47:17 -0500 From: Marc Deslauriers <marc.deslauriers@...onical.com> To: kseifried@...hat.com Cc: oss-security@...ts.openwall.com, Yves-Alexis Perez <corsac@...ian.org> Subject: Re: Re: [LightDM] Version 1.0.6 released [...] BTW, the fix that is in 1.0.6 is probably not enough for distros that don't implement hard link restrictions, such as the Yama LSM that is used in Ubuntu. Marc. ----8<---- LightDM 1.0.6 is thus still vulnerable to hardlink attacks on openSUSE. The right solution is to remove the offending code that corrects the ownership of users' .Xauthority files altogether, it is irrelevant for openSUSE anyway since the version of LightDM that created .Xauthority files with wrong ownership was never part of a release openSUSE version and this can also be easily fixed by hand. This only affects 12.1, the fix is already in Factory. Reproducible: Always Steps to Reproduce: 1. 2. 3. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.