Bug 688323 (CVE-2011-0727)
| Field | Value |
|---|---|
| Summary | CVE-2011-0727 gdm: privilege escalation vulnerability |
| Product | [Other] Security Response |
| Reporter | Vincent Danen <vdanen> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Version | unspecified |
| CC | cschalle, jlieskov, rstrode, security-response-team, vkrizan |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Last Closed | 2015-07-29 14:10:19 UTC |
| Bug Depends On | 688908, 688909, 691496 |
Description (Vincent Danen, 2011-03-16 19:45:43 UTC)
This attack targets code that "caches" (copies) users' dmrc and face image files from the user's home directory to /var/cache/gdm/$USER. This feature was added in gdm version 2.28.0 according to the NEWS file:
Version 2.28.0
===============
...
- Now the user's dmrc and face image files are stored in /var/cache/gdm, so
that the login process does not need to access the user's $HOME directory
before authentication. Refer to bug #565151.
Upstream commit and related bugs:
http://git.gnome.org/browse/gdm/commit/?id=c25ef9245b
https://bugzilla.gnome.org/show_bug.cgi?id=565151
https://bugzilla.redhat.com/show_bug.cgi?id=456021
So this is going to be really really hard to exploit in RHEL 6 because of some patches we ship that SIGTERM the worker process before gdm_session_worker_cache_userfiles runs. I say really really hard and not "impossible" because it's still theoretically possible to hit this bug if all of:

1) the dbus_connection_send call in gdm_session_direct_handle_session_exited decides to perform an immediate instead of a deferred send for the SessionExited reply message (it varies at run time what it will do)
2) the ck_connector_close_session call in session_worker_child_watch and associated blocking consolekit work are effectively instantaneous
3) the slave takes a longer than normal time to shut down and get to the stop_all_conversations call that leads to the worker getting killed
4) the race in the exploit wins

So we're in a lot better shape than upstream here.

Created attachment 487587 [details]
Patch from Ray Strode

Makes sure that the gdm worker process forks + drops privileges before running the user files caching code, to match the behaviour at the beginning of the session.

As noted in comment #7, changes in the RHEL6 gdm version mean that this caching at the end of the session does not get executed.

Public via upstream v2.32.1 release announcement:
[1] http://mail.gnome.org/archives/gdm-list/2011-March/msg00020.html

Created gdm tracking bugs for this issue

Affects: fedora-all [bug 691496]

This issue did NOT affect the versions of the gdm package, as shipped with Red Hat Enterprise Linux 4 and 5.
--
This issue affects the version of the gdm package, as shipped with Red Hat Enterprise Linux 6.
--
This issue affects the versions of the gdm package, as shipped with Fedora releases 13 and 14.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2011:0395 https://rhn.redhat.com/errata/RHSA-2011-0395.html
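As an added illustration of the mitigation the patch above describes (fork, drop privileges, then run the caching code), and not gdm's own code: a Python sketch that copies a user's dmrc and face files from the home directory into a cache directory only with that user's privileges, and only when the source is a regular file the user owns. The file names, the cache layout and the function names are assumptions made for this example.

```python
import os
import shutil
import stat

# Home-directory file -> name under the cache directory (assumed layout).
USER_FILES = {".dmrc": "dmrc", ".face": "face"}
def copy_owned_regular_file(src, dst, uid):
    """Copy src to dst only if src is a regular file owned by uid.  O_NOFOLLOW
    makes the open fail on a symlink, so a link in $HOME cannot redirect it."""
    try:
        fd = os.open(src, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError:
        return False  # missing, unreadable, or a symlink: skip it
    with os.fdopen(fd, "rb") as fsrc:
        st = os.fstat(fsrc.fileno())
        if not stat.S_ISREG(st.st_mode) or st.st_uid != uid:
            return False
        with open(dst, "wb") as fdst:
            shutil.copyfileobj(fsrc, fdst)
    return True
def cache_as_current_user(home, cache_dir, uid):
    """Copy each known file; returns the cache names that were written."""
    return [dst for src, dst in USER_FILES.items()
            if copy_owned_regular_file(os.path.join(home, src),
                                       os.path.join(cache_dir, dst), uid)]
def cache_user_files(home, cache_dir, uid, gid):
    """As root: fork, drop to uid/gid in the child, and only then touch $HOME
    (the pattern the patch describes); the child reports the cached names over
    a pipe.  Unprivileged callers simply copy with what they already have."""
    os.makedirs(cache_dir, exist_ok=True)
    if os.geteuid() != 0:
        return cache_as_current_user(home, cache_dir, uid)
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: drop privileges permanently, then copy
        os.close(rfd)
        try:
            os.setgroups([])
            os.setgid(gid)
            os.setuid(uid)
            names = cache_as_current_user(home, cache_dir, uid)
            os.write(wfd, "\n".join(names).encode())
        finally:
            os._exit(0)
    os.close(wfd)
    with os.fdopen(rfd, "rb") as pipe:  # parent: read until the child exits
        data = pipe.read()
    os.waitpid(pid, 0)
    return [name for name in data.decode().split("\n") if name]
```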