Re: Re: [LightDM] Version 1.0.6 released

[Guido Berhoerster <gber () opensuse org>]

* Marc Deslauriers <marc.deslauriers () canonical com> [2011-11-09 16:47]:
> On Wed, 2011-11-02 at 10:40 -0600, Kurt Seifried wrote:
> > On 11/02/2011 10:31 AM, Yves-Alexis Perez wrote:
> > > On mer., 2011-11-02 at 10:16 -0600, Kurt Seifried wrote:
> > > > On 11/02/2011 09:54 AM, Yves-Alexis Perez wrote:
> > > > > On mer., 2011-11-02 at 11:42 -0400, Robert Ancell wrote:
> > > > > > Fixes a security issue where using ~/.Xauthority as a symlink would
> > > > > > cause LightDM to set the destination of the link to user ownership.
> > > > > > All users of 1.0.4 or 1.0.5 should upgrade immediately.
> > > > > >
> > > > > > Overview of changes in lightdm 1.0.6
> > > > > >
> > > > > >     * Use lchown for correcting ownership of ~/.Xauthority instead of chown
> > > > > Could a CVE be assigned for this?
> > > > >
> > > > > Regards,
> > > > Can you send me the link to this announcement so I can confirm it? Thanks.
> > > Here's the link to the mailing list mail:
> > > http://lists.freedesktop.org/archives/lightdm/2011-November/000178.html 
> > >
> > > Regards,
> > Thanks, confirmed (first hand info is much better). Please use
> > CVE-2011-4105 for this issue.
>
> BTW, the fix that is in 1.0.6 is probably not enough for distros that
> don't implement hard link restrictions, such as the Yama LSM that is
> used in Ubuntu.

Does an incomplete fix in a released version warrant a new CVE?

I've attached a suggested fix.
-- 
Guido Berhoerster

Attachment: fix-xauthority-ownership-fix.patch
Description: