SB2012122103 - Multiple vulnerabilities in GNOME Display Manager
Published: December 21, 2012 Updated: August 11, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Link following (CVE-ID: CVE-2013-4169)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
GNOME Display Manager (gdm) before 2.21.1 allows local users to change permissions of arbitrary directories via a symlink attack on /tmp/.X11-unix/.
2) Credentials management (CVE-ID: CVE-2010-2387)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
vicious-extensions/ve-misc.c in GNOME Display Manager (gdm) 2.20.x before 2.20.11, when GDM debug is enabled, logs the user password when it contains invalid UTF8 encoded characters, which might allow local users to gain privileges by reading the information from syslog logs.
Remediation
Install update from vendor's website.
References
- http://rhn.redhat.com/errata/RHSA-2013-1213.html
- http://secunia.com/advisories/54661
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=988498
- http://ftp.gnome.org/pub/GNOME/sources/gdm/2.20/gdm-2.20.11.changes
- http://secunia.com/advisories/40690
- http://secunia.com/advisories/40780
- http://www.auscert.org.au/13123
- http://www.osvdb.org/66643
- https://blogs.oracle.com/sunsecurity/entry/cve_2010_2387_password_disclosure
- https://bugzilla.gnome.org/show_bug.cgi?id=571846
- https://exchange.xforce.ibmcloud.com/vulnerabilities/60642