oss-sec mailing list archives
CVE Request: ldm (LTSP display manager)
From: Marc Deslauriers <marc.deslauriers () canonical com>
Date: Mon, 12 Mar 2012 16:03:50 -0400
Could we please get a CVE assigned to the following issue?:

Starting with ldm 2.2.x, upstream switched to using wwm as a minimal window manager. It was discovered that wwm ships with keybindings that allow spawning an xterm. As the ldm greeter runs as root, this allows for a passwordless root shell.

Bug: https://bugs.launchpad.net/ubuntu/+source/ldm/+bug/953340
Commit: http://bazaar.launchpad.net/~ltsp-upstream/ltsp/ldm-trunk/revision/1419

Thanks,

Marc.

--
Marc Deslauriers
Ubuntu Security Engineer | http://www.ubuntu.com/
Canonical Ltd. | http://www.canonical.com/