Bug 688323 (CVE-2011-0727) - CVE-2011-0727 gdm: privilege escalation vulnerability
Summary: CVE-2011-0727 gdm: privilege escalation vulnerability
Alias: CVE-2011-0727
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 688908 688909 691496
Reported: 2011-03-16 19:45 UTC by Vincent Danen
Modified: 2021-02-24 16:18 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-07-29 14:10:19 UTC

Attachments
Patch from Ray Strode (2.37 KB, patch)
2011-03-25 15:57 UTC, Tomas Hoger

System ID Private Priority Status Summary Last Updated
Novell 679786 0 None None None Never
Red Hat Product Errata RHSA-2011:0395 0 normal SHIPPED_LIVE Moderate: gdm security update 2011-03-28 17:49:11 UTC

Description Vincent Danen 2011-03-16 19:45:43 UTC
It was discovered that the GNOME Display Manager (gdm) cleared the cache directory, which is owned by an unprivileged user, with the privileges of the root user.  A race condition exists in gdm where a local user could take advantage of this by writing to the cache directory between ending the session and the signal to clean up the session, which could lead to the execution of arbitrary code as the root user.


Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for reporting this issue.

Comment 3 Tomas Hoger 2011-03-18 11:01:30 UTC
This attack targets code that "caches" (copies) users' dmrc and face image files from the user's home directory to /var/cache/gdm/$USER.  This feature was added in gdm version 2.28.0 according to the NEWS file:

  Version 2.28.0

  - Now the user's dmrc and face image files are stored in /var/cache/gdm, so 
    that the login process does not need to access the user's $HOME directory 
    before authentication.  Refer to bug #565151.

Upstream commit and related bugs:

Comment 7 Ray Strode [halfline] 2011-03-24 20:03:04 UTC
So this is going to be really really hard to exploit in RHEL 6 because of some patches we ship that SIGTERM the worker process before gdm_session_worker_cache_userfiles runs.

I say really really hard and not "impossible" because it's still theoretically possible to hit this bug if all of:

1) the dbus_connection_send call in gdm_session_direct_handle_session_exited decides to perform an immediate instead of a deferred send for the SessionExited reply message (it varies at run time what it will do)
2) the ck_connector_close_session call in session_worker_child_watch and associated blocking consolekit work are effectively instantaneous
3) the slave takes longer than normal to shut down and get to the stop_all_conversations call that leads to the worker getting killed.
4) the race in the exploit wins

So we're in a lot better shape than upstream here.

Comment 9 Tomas Hoger 2011-03-25 15:57:25 UTC
Created attachment 487587 [details]
Patch from Ray Strode

Makes sure that the gdm worker process forks + drops privileges before running the user files caching code, to match the behaviour at the beginning of the session.

As noted in comment #7, changes in the RHEL 6 gdm version mean that this caching at the end of the session does not get executed.
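The fix attached in comment 9 reorders the worker so that it forks and drops privileges before touching /var/cache/gdm/$USER. The following C example is added here to illustrate that pattern; it is not gdm's code, and verify_identity is a hypothetical stand-in for the real caching work.

```c
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <grp.h>

/* Permanently drop to the target user: supplementary groups first (only
 * root may call setgroups), then gid, then uid; verify it cannot be undone. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* A successful setuid(0) here would mean root was only suspended. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Run 'work' in a forked child that has dropped to the given user first,
 * so operations on a user-owned directory (such as the dmrc/face cache in
 * /var/cache/gdm/$USER) run with that user's rights, never root's.
 * Returns the child's exit status, or -1 on error. */
int run_as_user(uid_t uid, gid_t gid, int (*work)(void *), void *arg)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0)
            _exit(127);             /* never do the work as root */
        _exit(work(arg) == 0 ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hypothetical stand-in for the caching work: succeeds only if the child
 * really runs as the expected uid. */
int verify_identity(void *arg)
{
    uid_t expected = *(uid_t *)arg;
    return (getuid() == expected && geteuid() == expected) ? 0 : 1;
}
```

A real worker would pass the caching routine as `work`; the point is that the copy or cleanup of the user-owned directory can then only affect what that user could already touch.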

Comment 10 Jan Lieskovsky 2011-03-28 17:28:05 UTC
Public via upstream v2.32.1 release announcement:
[1] http://mail.gnome.org/archives/gdm-list/2011-March/msg00020.html

Comment 11 Jan Lieskovsky 2011-03-28 17:31:35 UTC
Created gdm tracking bugs for this issue

Affects: fedora-all [bug 691496]

Comment 12 Jan Lieskovsky 2011-03-28 17:34:22 UTC
This issue did NOT affect the versions of the gdm package as shipped with Red Hat Enterprise Linux 4 and 5.

This issue affects the version of the gdm package as shipped with Red Hat Enterprise Linux 6.

This issue affects the versions of the gdm package as shipped with Fedora releases 13 and 14.

Comment 13 errata-xmlrpc 2011-03-28 17:49:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0395 https://rhn.redhat.com/errata/RHSA-2011-0395.html
