Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 07 Jan 2014 14:50:24 -0500
From: Daniel Kahn Gillmor <dkg@...thhorseman.net>
To: oss-security@...ts.openwall.com, 683338@...s.debian.org
Subject: Re: CVE request: lightdm-gtk-greeter - local DOS due
 to NULL pointer dereference

[replying to http://www.openwall.com/lists/oss-security/2014/01/07/5]

On 01/07/2014 05:47 AM, Guido Berhoerster wrote:
> an openSUSE user discovered that it is trivial to crash
> lightdm-gtk-greeter by entering an empty username due to a NULL
> pointer dereference. When a greeter crashes the lightdm daemon
> exits.
> This constitutes a local denial of service which can be triggered
> by any unprivileged attacker requiring the intervention of an
> administrator to restart lightdm. It affects all versions of
> lightdm-gtk-greeter.

Hm, if this warrants a CVE for lightdm, then gdm3 needs one also:

 https://bugzilla.gnome.org/show_bug.cgi?id=704284
 http://bugs.debian.org/683338

Basically, when gdm3 is configured to not show a list of users (but
instead shows a blank box for the login prompt), if the user clicks
"cancel" or hits the escape key, then the greeter gets put into a mode
without any way to log in (no prompts available).

I've tried to debug it but it appears to be due to some sort of
timing-dependent case.  When i step through the code with gdb, i haven't
been able to reproduce the issue.

It is definitely a bad situation for machines in public locations with
this configuration.

	--dkg


Download attachment "signature.asc" of type "application/pgp-signature" (1028 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.