Bug 688323 - (CVE-2011-0727) CVE-2011-0727 gdm: privilege escalation vulnerability
Product: Security Response
Classification: Other
Component: vulnerability
Platform: All, OS: Linux
Priority: high, Severity: high
Assigned To: Red Hat Product Security
Keywords: Security
Depends On: 688908 688909 691496
Reported: 2011-03-16 15:45 EDT by Vincent Danen
Modified: 2015-07-29 10:10 EDT (History)

Doc Type: Bug Fix
Last Closed: 2015-07-29 10:10:19 EDT

Attachments
Patch from Ray Strode (2.37 KB, patch)
2011-03-25 11:57 EDT, Tomas Hoger

External Trackers: Novell 679786

Description Vincent Danen 2011-03-16 15:45:43 EDT
It was discovered that the GNOME Display Manager (gdm) cleared the cache directory, which is owned by an unprivileged user, with the privileges of the root user.  A race condition exists in gdm where a local user could take advantage of this by writing to the cache directory between ending the session and the signal to clean up the session, which could lead to the execution of arbitrary code as the root user.
Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for reporting this issue.
Comment 3 Tomas Hoger 2011-03-18 07:01:30 EDT
This attack targets code that "caches" (copies) users' dmrc and face image files from the user's home directory to /var/cache/gdm/$USER.  This feature was added in gdm version 2.28.0 according to the NEWS file:

  Version 2.28.0

  - Now the user's dmrc and face image files are stored in /var/cache/gdm, so 
    that the login process does not need to access the user's $HOME directory 
    before authentication.  Refer to bug #565151.

Upstream commit and related bugs:
Comment 7 Ray Strode [halfline] 2011-03-24 16:03:04 EDT
So this is going to be really really hard to exploit in RHEL 6 because of some patches we ship that SIGTERM the worker process before gdm_session_worker_cache_userfiles runs.

I say really really hard and not "impossible" because it's still theoretically possible to hit this bug if all of:

1) the dbus_connection_send call in gdm_session_direct_handle_session_exited decides to perform an immediate instead of a deferred send for the SessionExited reply message (it varies at run time what it will do)
2) the ck_connector_close_session call in session_worker_child_watch and associated blocking consolekit work are effectively instantaneous
3) the slave takes longer than normal to shut down and get to the stop_all_conversations call that leads to the worker getting killed
4) the race in the exploit wins

So we're in a lot better shape than upstream here.
Comment 9 Tomas Hoger 2011-03-25 11:57:25 EDT
Created attachment 487587 [details]
Patch from Ray Strode

Makes sure that the gdm worker process forks and drops privileges before running the user files caching code, to match the behaviour at the beginning of the session.

As noted in comment #7, changes in the RHEL6 gdm version mean that this caching at the end of the session does not get executed.
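The approach the patch describes (fork, drop privileges, and only then touch the user-owned cache directory) as an added example in C; this is not the attached patch or gdm's code, and the function names, the flat-directory assumption, the extra owner and O_NOFOLLOW checks, and the /tmp paths used by the self-check are mine.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <grp.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
/* Unlink each entry in dirfd; unlinkat() never follows the final component (assumes a flat dir). */
static int unlink_entries(int dirfd) {
    DIR *d = fdopendir(dirfd);
    if (!d) return -1;
    struct dirent *e;
    while ((e = readdir(d)) != NULL)
        if (strcmp(e->d_name, ".") && strcmp(e->d_name, "..")) unlinkat(dirfd, e->d_name, 0);
    closedir(d);
    return 0;
}

/* Fork, drop to uid/gid in the child, verify the drop, then open the directory without
 * following symlinks and refuse it unless owned by uid. Returns the child's exit status. */
int clean_cache_as_user(const char *path, uid_t uid, gid_t gid) {
    int status, fd; struct stat st;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (geteuid() == 0 && setgroups(0, NULL) != 0) _exit(2); /* shed supplementary groups */
        if (setgid(gid) != 0 || setuid(uid) != 0) _exit(2);
        if (geteuid() != uid || getegid() != gid) _exit(2);      /* never trust an unverified drop */
        fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        if (fd < 0 || fstat(fd, &st) != 0 || st.st_uid != uid) _exit(3);
        _exit(unlink_entries(fd) == 0 ? 0 : 4);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Self-check on constructed temp paths: plant a symlink in the cache dir pointing at a file
 * outside it, clean as the current user, and confirm the link is gone but its target survives. */
int selfcheck(void) {
    char dir[] = "/tmp/gdmcache.XXXXXX", target[] = "/tmp/gdmtarget.XXXXXX", p[64];
    struct stat st;
    int tfd = mkstemp(target);
    if (tfd < 0 || !mkdtemp(dir)) return 1;
    close(tfd); strcpy(p, dir); strcat(p, "/planted");
    if (symlink(target, p) != 0) return 1;
    int ok = clean_cache_as_user(dir, getuid(), getgid()) == 0 && lstat(p, &st) != 0
             && stat(target, &st) == 0 && rmdir(dir) == 0;
    unlink(target);
    return ok ? 0 : 2;
}
```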
Comment 10 Jan Lieskovsky 2011-03-28 13:28:05 EDT
Public via upstream v2.32.1 release announcement:
[1] http://mail.gnome.org/archives/gdm-list/2011-March/msg00020.html
Comment 11 Jan Lieskovsky 2011-03-28 13:31:35 EDT
Created gdm tracking bugs for this issue

Affects: fedora-all [bug 691496]
Comment 12 Jan Lieskovsky 2011-03-28 13:34:22 EDT
This issue did NOT affect the versions of the gdm package, as shipped
with Red Hat Enterprise Linux 4 and 5.
This issue affects the version of the gdm package, as shipped with
Red Hat Enterprise Linux 6.

This issue affects the versions of the gdm package, as shipped with
Fedora releases 13 and 14.
Comment 13 errata-xmlrpc 2011-03-28 13:49:17 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0395 https://rhn.redhat.com/errata/RHSA-2011-0395.html
