SB2012122103 - Multiple vulnerabilities in GNOME Display Manager
Published: December 21, 2012 Updated: August 11, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Link following (CVE-ID: CVE-2013-4169)
CWE-ID: CWE-59 - Improper Link Resolution Before File Access ('Link Following')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
GNOME Display Manager (gdm) before 2.21.1 allows local users to change permissions of arbitrary directories via a symlink attack on /tmp/.X11-unix/.
2) Credentials management (CVE-ID: CVE-2010-2387)
CWE-ID: CWE-255 - Credentials Management
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
vicious-extensions/ve-misc.c in GNOME Display Manager (gdm) 2.20.x before 2.20.11, when GDM debug is enabled, logs the user password when it contains invalid UTF8 encoded characters, which might allow local users to gain privileges by reading the information from syslog logs.
Remediation
Install update from vendor's website.
References
- http://rhn.redhat.com/errata/RHSA-2013-1213.html
- http://secunia.com/advisories/54661
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=988498
- http://ftp.gnome.org/pub/GNOME/sources/gdm/2.20/gdm-2.20.11.changes
- http://secunia.com/advisories/40690
- http://secunia.com/advisories/40780
- http://www.auscert.org.au/13123
- http://www.osvdb.org/66643
- https://blogs.oracle.com/sunsecurity/entry/cve_2010_2387_password_disclosure
- https://bugzilla.gnome.org/show_bug.cgi?id=571846
- https://exchange.xforce.ibmcloud.com/vulnerabilities/60642