[Bug 708205] New: Review request for LightDM DBus system service
https://bugzilla.novell.com/show_bug.cgi?id=708205
https://bugzilla.novell.com/show_bug.cgi?id=708205#c0

Summary: Review request for LightDM DBus system service
Classification: openSUSE
Product: openSUSE 12.1
Version: Factory
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: gber@opensuse.org
QAContact: qa@suse.de
Found By: ---
Blocker: ---

Created an attachment (id=442213) --> (http://bugzilla.novell.com/attachment.cgi?id=442213)
LightDM DBus system service file

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0

I'd like to request a review of a new DBus system service provided by LightDM which I intend to submit to Factory. The package is X11:xfce/lightdm, the service file is /etc/dbus-1/system.d/org.freedesktop.DisplayManager.conf (see attachment).

Reproducible: Always

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=708205#c

Guido Berhörster <gber@opensuse.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|bnc-team-screening@forge.pr |security-team@suse.de
                   |ovo.novell.com              |

https://bugzilla.novell.com/show_bug.cgi?id=708205#c

Guido Berhörster <gber@opensuse.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |security-team@suse.de

https://bugzilla.novell.com/show_bug.cgi?id=708205#c

Sebastian Krahmer <krahmer@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |krahmer@novell.com
            Summary|Review request for LightDM  |AUDIT-0: Review request for
                   |DBus system service         |LightDM DBus system service

https://bugzilla.novell.com/show_bug.cgi?id=708205#c1

Marcus Meissner <meissner@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
                 CC|                            |meissner@novell.com
       InfoProvider|security-team@suse.de       |

--- Comment #1 from Marcus Meissner <meissner@novell.com> 2011-07-27 09:35:38 UTC ---
needinfo not necessary, assign is sufficient.

https://bugzilla.novell.com/show_bug.cgi?id=708205#c2

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|AUDIT-0: Review request for |AUDIT-0: lightdb
                   |LightDM DBus system service |

--- Comment #2 from Ludwig Nussel <lnussel@novell.com> 2011-07-29 11:26:43 CEST ---
The file has a rather generic name and lxdm seems to implement a standard interface that is meant to be shared among displaymanagers, right? So I guess this config file should be put in some kind of base package required by all display managers.

https://bugzilla.novell.com/show_bug.cgi?id=708205#c

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|AUDIT-0: lightdb            |AUDIT-0: lightdm

https://bugzilla.novell.com/show_bug.cgi?id=708205#c3

--- Comment #3 from Guido Berhörster <gber@opensuse.org> 2011-07-29 10:45:26 UTC ---
(In reply to comment #2)
> The file has a rather generic name and lxdm seems to implement a standard

Please note that LXDM (part of the LXDE project) and LightDM (http://www.freedesktop.org/wiki/Software/LightDM) are two unrelated projects.

> interface that is meant to be shared among displaymanagers, right? So I guess
> this config file should be put in some kind of base package required by all
> display managers.

Possibly, however LightDM also has a broader aim than other display managers: since its backend is toolkit-independent, it can possibly replace desktop-specific display managers like gdm, kdm etc. In any case, LightDM would be the only one implementing that interface. So do you want me to split this off, and if so, what should that package be named?

https://bugzilla.novell.com/show_bug.cgi?id=708205#c4

--- Comment #4 from Ludwig Nussel <lnussel@novell.com> 2011-07-29 13:14:42 CEST ---
(In reply to comment #3)
> (In reply to comment #2)
> > The file has a rather generic name and lxdm seems to implement a standard
>
> Please note that LXDM (part of the LXDE project) and LightDM
> (http://www.freedesktop.org/wiki/Software/LightDM) are two unrelated projects.

Ah, sorry. Confused the two for some reason.

> > interface that is meant to be shared among displaymanagers, right? So I guess
> > this config file should be put in some kind of base package required by all
> > display managers.
>
> Possibly, however LightDM also has a broader aim than other display managers:
> since its backend is toolkit-independent, it can possibly replace
> desktop-specific display managers like gdm, kdm etc. In any case, LightDM would
> be the only one implementing that interface. So do you want me to split this
> off, and if so, what should that package be named?

No, it's ok then. If any other DM comes up that implements the same interface we have to reconsider.

https://bugzilla.novell.com/show_bug.cgi?id=708205#c5

--- Comment #5 from Sebastian Krahmer <krahmer@novell.com> 2011-08-23 09:38:06 UTC ---
LightDM has some issues (even without looking at the DBUS code) where it for example is vulnerable to race condition exploits. It chowns resource files inside the user's homedir like this:

    /* Update the users .dmrc */
    if (user)
    {
        path = g_build_filename (user_get_home_directory (user), ".dmrc", NULL);
        g_file_set_contents (path, data, length, NULL);
        if (getuid () == 0 && chown (path, user_get_uid (user), user_get_gid (user)) < 0)
            g_warning ("Error setting ownership on %s: %s", path, strerror (errno));
        g_free (path);
    }

Failing to realize symlinks etc. There is more code like this (and I am going to report it to oss-sec) as well as integer overflows.

Unless lightdm has undergone a serious security review I'd not recommend its usage.

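Added example (not part of the bug thread, and neither LightDM's code nor its shipped fix): one way to avoid the path-based write-then-chown pattern quoted in comment #5 is to open the file with O_NOFOLLOW relative to a pinned directory descriptor and do every later step on that descriptor. The helper name write_user_file and its parameters are hypothetical.

```c
/* Added example: symlink-safe alternative to set_contents(path) + chown(path). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not a LightDM function). Writes len bytes to the
 * file `name` inside directory `home` and hands the file to uid:gid.
 * Returns 0 on success, -1 on refusal or error. */
int write_user_file(const char *home, const char *name,
                    const void *data, size_t len, uid_t uid, gid_t gid)
{
    struct stat st;
    int rc = -1, fd = -1;

    /* Pin the directory: the file is resolved relative to this descriptor. */
    int dfd = open(home, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;

    /* O_NOFOLLOW: a symlink at `name` makes openat fail instead of being
     * followed. No O_TRUNC: nothing is modified before the checks below. */
    fd = openat(dfd, name,
                O_WRONLY | O_CREAT | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC, 0600);
    if (fd < 0)
        goto out;

    /* Inspect the object that was opened, not the path. Refuse FIFOs,
     * devices and hard links to files that also exist under another name. */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1)
        goto out;

    /* From here on every operation uses the descriptor, never the path. */
    if (ftruncate(fd, 0) < 0 || write(fd, data, len) != (ssize_t)len)
        goto out;
    if (fchown(fd, uid, gid) < 0)
        goto out;
    rc = 0;
out:
    if (fd >= 0)
        close(fd);
    close(dfd);
    return rc;
}
```
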
https://bugzilla.novell.com/show_bug.cgi?id=708205#c6

--- Comment #6 from Guido Berhörster <gber@opensuse.org> 2011-08-24 09:07:59 UTC ---
Using it in Factory currently requires changes to /etc/init.d/xdm which are still pending so there should be no impact on openSUSE so far. My plan was to use it as the default display manager for Xfce but I'll put that on hold for now. Since Ubuntu plans to replace GDM with it for their next release I hope they will do a proper audit before that.

https://bugzilla.novell.com/show_bug.cgi?id=708205#c7

Sebastian Krahmer <krahmer@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|                            |WONTFIX

--- Comment #7 from Sebastian Krahmer <krahmer@suse.com> 2011-08-30 08:10:35 UTC ---
Upstream is tracking it here:

https://bugs.launchpad.net/lightdm/+bug/834079

So I am closing this one as "done".

https://bugzilla.novell.com/show_bug.cgi?id=708205#c8

--- Comment #8 from Ludwig Nussel <lnussel@suse.com> 2011-09-15 13:43:52 CEST ---
overwriting files got CVE-2011-3349

https://bugzilla.novell.com/show_bug.cgi?id=708205#c9

--- Comment #9 from Guido Berhörster <gber@opensuse.org> 2011-09-16 07:51:35 UTC ---
(In reply to comment #8)
> overwriting files got CVE-2011-3349

I'm aware of it, a fix is in 0.9.6, I'll take care of the update next week since I'm currently on vacation.

https://bugzilla.novell.com/show_bug.cgi?id=708205#c10

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|CLOSED                      |REOPENED
         Resolution|WONTFIX                     |

--- Comment #10 from Marcus Meissner <meissner@suse.com> 2012-02-07 13:58:52 UTC ---
given that we already found 2 critical issues in only some months of 12.1 lifetime, it's probably best to remove it for 12.2 again.

https://bugzilla.novell.com/show_bug.cgi?id=708205#c

Thomas Biege <thomas@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|AUDIT-0: lightdm            |VUL-0: lightdm: overwriting
                   |                            |files

https://bugzilla.novell.com/show_bug.cgi?id=708205#c11

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - None                   |P3 - Medium

--- Comment #11 from Swamp Workflow Management <swamp@suse.de> 2012-03-08 23:00:13 UTC ---
bugbot adjusting priority

https://bugzilla.novell.com/show_bug.cgi?id=708205#c12

Ludwig Nussel <lnussel@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #12 from Ludwig Nussel <lnussel@suse.com> 2012-03-12 14:13:57 CET ---
the bug is fixed in 12.1 already