Re: CVE Request: ldm (LTSP display manager)

[Kurt Seifried <kseifried () redhat com>]

On 03/12/2012 02:03 PM, Marc Deslauriers wrote:
> Could we please get a CVE assigned to the following issue?:
>
> Starting with ldm 2.2.x, upstream switched to using wwm as a minimal window manager.
> It was discovered that wwm ships with keybindings that allow spawning an xterm.
>
> As the ldm greeter runs as root, this allows for a passwordless root shell.
>
> Bug:
> https://bugs.launchpad.net/ubuntu/+source/ldm/+bug/953340
>
> Commit:
> http://bazaar.launchpad.net/~ltsp-upstream/ltsp/ldm-trunk/revision/1419
>
> Thanks,
>
> Marc.

Please use CVE-2012-1166 for this issue.


-- 
Kurt Seifried Red Hat Security Response Team (SRT)