Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 188333

Summary: CVE-2006-1057 gdm race condition/exploit
Product: [Retired] Fedora Legacy
Reporter: David Eisenstein <deisenst>
Component: gdm
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED CANTFIX
Severity: medium
Priority: medium
Version: fc3
CC: bressers, mattdm, sheltren
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: source=vendorsec, severity=low, 3, NEEDSWORK
Doc Type: Bug Fix
Last Closed: 2007-04-10 19:15:18 UTC

Description David Eisenstein 2006-04-07 23:53:09 UTC
Description of problem:
There is a local root exploit/race condition in gdm >= 2.6.0.3, in
"daemon/slave.c".  The code that introduces this bug was introduced
in revision 1.261 of that file in gnome's cvs:

  <http://cvs.gnome.org/viewcvs/gdm2/daemon/slave.c?r1=1.260&r2=1.261>.

Upstream (Brian Cameron) has indicated that this code has been fixed to
go into GDM 2.14.1, which he says they are planning to release on Monday,
April 10th.  From today's cvs comments, it looks like the fix was entered
for revision 1.322 (between revisions 1.320 and 1.322):

  <http://cvs.gnome.org/viewcvs/gdm2/daemon/slave.c?r1=1.320&r2=1.322>.

This only affects FC3 of the legacy distros, as FC2 and lower are using
gdm <= 2.6.0.0, and this only affects gdm >= 2.6.0.3.

Version-Release number of selected component (if applicable):
gdm-2.6.0.5-6

Ref:
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1057

Comment 1 David Eisenstein 2006-05-26 13:11:30 UTC
Hey Josh,

Did Red Hat / Fedora address this issue in gdm?  I just noticed this is still
under embargo in legacy...   Need it be?

Comment 2 David Eisenstein 2006-05-26 13:20:30 UTC
Further question, Josh.  Wouldn't this bug affect RHEL 4, since this
vulnerability affects gdm >= 2.6.0.3, and RHEL 4 is using gdm 2.6.0.5?

Comment 3 Josh Bressers 2006-05-26 13:23:45 UTC
This issue is public; patches from both of these bugs are needed for a proper fix:
http://bugzilla.gnome.org/show_bug.cgi?id=338358
http://bugzilla.gnome.org/show_bug.cgi?id=340347

Red Hat is tracking this problem with bug 188303 for FC and bug 188302 for RHEL.

We've released an update for FC5 (which contains a bug, ironically enough), but
not for RHEL yet given the low severity of this issue (we'll likely wait for
something else to roll into the update before releasing it).

Comment 4 David Eisenstein 2006-05-26 13:34:10 UTC
Thanks, Josh!  Removing embargo.

Comment 5 Matthew Miller 2007-04-10 19:15:18 UTC
Fedora Core 3 is now completely unmaintained. These bugs can't be fixed in that
version. If the issue still persists in current Fedora Core, please reopen.
Thank you, and sorry about this.