Date: Tue, 07 Jan 2014 14:50:24 -0500 From: Daniel Kahn Gillmor <dkg@...thhorseman.net> To: oss-security@...ts.openwall.com, 683338@...s.debian.org Subject: Re: CVE request: lightdm-gtk-greeter - local DOS due to NULL pointer dereference [replying to http://www.openwall.com/lists/oss-security/2014/01/07/5] On 01/07/2014 05:47 AM, Guido Berhoerster wrote: > an openSUSE user discovered that it is trivial to crash > lightdm-gtk-greeter by entering an empty username due to a NULL > pointer dereference. When a greeter crashes the lightdm daemon > exits. > This constitutes a local denial of service which can be triggered > by any unprivileged attacker requiring the intervention of an > administrator to restart lightdm. It affects all versions of > lightdm-gtk-greeter. Hm, if this warrants a CVE for lightdm, then gdm3 needs one also: https://bugzilla.gnome.org/show_bug.cgi?id=704284 http://bugs.debian.org/683338 Basically, when gdm3 is configured to not show a list of users (but instead shows a blank box for the login prompt), if the user clicks "cancel" or hits the escape key, then the greeter gets put into a mode without any way to log in (no prompts available). I've tried to debug it but it appears to be due to some sort of timing-dependent case. When i step through the code with gdb, i haven't been able to reproduce the issue. It is definitely a bad situation for machines in public locations with this configuration. --dkg Download attachment "signature.asc" of type "application/pgp-signature" (1028 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.