oss-security - Re: CVE Request: ldm (LTSP display manager)

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Date: Mon, 12 Mar 2012 14:12:28 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Marc Deslauriers <marc.deslauriers@...onical.com>, coley@...us.mitre.org,
        security@...ntu.com
Subject: Re: CVE Request: ldm (LTSP display manager)

On 03/12/2012 02:03 PM, Marc Deslauriers wrote:
> Could we please get a CVE assigned to the following issue?:
> 
> Starting with ldm 2.2.x, upstream switched to using wwm as a minimal window manager.
> It was discovered that wwm ships with keybindings that allow spawning an xterm.
> 
> As the ldm greeter runs as root, this allows for a passwordless root shell.
> 
> Bug:
> https://bugs.launchpad.net/ubuntu/+source/ldm/+bug/953340
> 
> Commit:
> http://bazaar.launchpad.net/~ltsp-upstream/ltsp/ldm-trunk/revision/1419
> 
> Thanks,
> 
> Marc.

Please use CVE-2012-1166 for this issue.


-- 
Kurt Seifried Red Hat Security Response Team (SRT)

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.