In particular the gdm PreSession script seems to be short quoting on DISPLAY and
USER in various places that matter.
Fixing in CVS. Note that xdm as installed on my box (RH9) has the same issues
when it calls sessreg, I assume kdm has the same as well. However is this truly
It would also be nice to know of any other issues such as this in GDM, is this
the only one found?
I've not done any kind of code review. I don't think it's exploitable - you have
to have a valid username containing such characters.
We should have the fix in latest gdm packages
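
The quoting problem discussed in this thread, as an added example that is not part of the original comments and is not gdm's actual PreSession script: an unquoted `$USER` or `$DISPLAY` is word-split by the shell before the command sees it, so a value containing a space changes the argument list. `fake_sessreg` is a hypothetical stub standing in for sessreg, and the sample username is constructed.

```shell
#!/bin/sh
# Hypothetical stand-in for sessreg: reports "<argc>|<last argument>" so the
# effect of quoting is visible without touching utmp/wtmp.
fake_sessreg() {
    argc=$#
    last=
    for last in "$@"; do :; done
    printf '%s|%s\n' "$argc" "$last"
}

# Pattern reported in the thread: variables expanded without quotes.
# The shell splits the values on whitespace (and would expand glob characters)
# before the command runs. Function bodies use ( ) so the assignments stay
# inside a subshell and do not alter the caller's DISPLAY/USER.
register_unquoted() (
    DISPLAY=$1
    USER=$2
    fake_sessreg -a -l $DISPLAY $USER
)

# Corrected pattern: each expansion is quoted, so each value is passed as
# exactly one argument regardless of the characters it contains.
register_quoted() (
    DISPLAY=$1
    USER=$2
    fake_sessreg -a -l "$DISPLAY" "$USER"
)

# Constructed sample input: a username containing a space.
echo "unquoted: $(register_unquoted ':0' 'john doe')"
echo "quoted:   $(register_quoted ':0' 'john doe')"
```

With ordinary usernames both forms produce the same argument list, which is why the missing quotes go unnoticed until a value with whitespace or shell metacharacters appears.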