
lxdm: two vulnerabilities

Package(s): lxdm
CVE #(s):
Created: October 19, 2015
Updated: October 26, 2015
Description: From the Red Hat bugzilla:

1268900: X server in F22 allows X clients to connect even when they have no valid MIT-MAGIC authentication cookie. Connections are accepted from different users (i.e. are not related to 'xhost +si:localuser:`id -un`'). I could reproduce this with both an X session started from *dm (lxdm in my case) as well as an X server started manually from the text console. Besides Xorg, I quickly tested with Xephyr and Xnest - they also seem affected in the same way.

846086: lxdm leaks open file descriptors to user sessions. Looking at the processes started from the xfce4 session menus, a lot of them have /var/log/lxdm.log opened as fd 1, allowing the user to write to the file that is root:root 640.

Alerts:
Mageia MGASA-2015-0411 lxdm 2015-10-25
Fedora FEDORA-2015-7766c0d939 lxdm 2015-10-17
Fedora FEDORA-2015-adbae85c55 lxdm 2015-10-17
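
A check for the descriptor leak described in bug 846086 above, as an added example that is not part of the bug report or of lxdm: it walks a procfs tree and lists non-root processes that hold /var/log/lxdm.log open for writing. The function and helper names are assumptions made for this example; the only page-specific value is the log path.

```python
import os

LOG_PATH = "/var/log/lxdm.log"  # path named in bug 846086

def _real_uid(pid_dir):
    """Real UID from the 'Uid:' line of <proc>/<pid>/status."""
    with open(os.path.join(pid_dir, "status")) as fh:
        for line in fh:
            if line.startswith("Uid:"):
                return int(line.split()[1])
    raise ValueError("no Uid line")

def _writable(pid_dir, fd):
    """True if fdinfo shows the descriptor was opened O_WRONLY or O_RDWR."""
    with open(os.path.join(pid_dir, "fdinfo", fd)) as fh:
        for line in fh:
            if line.startswith("flags:"):
                mode = int(line.split()[1], 8) & os.O_ACCMODE  # flags are octal
                return mode in (os.O_WRONLY, os.O_RDWR)
    return False

def find_leaked_fds(proc_root="/proc", target=LOG_PATH):
    """Return sorted (pid, fd, uid) for non-root processes with target open for writing."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            uid = _real_uid(pid_dir)
            if uid == 0:
                continue  # root-owned processes may legitimately hold the log
            for fd in os.listdir(os.path.join(pid_dir, "fd")):
                link = os.readlink(os.path.join(pid_dir, "fd", fd))
                if link == target and _writable(pid_dir, fd):
                    hits.append((int(entry), int(fd), uid))
        except (OSError, ValueError):
            continue  # process exited, or not readable without privileges
    return sorted(hits)

if __name__ == "__main__":
    for pid, fd, uid in find_leaked_fds():
        print(f"pid {pid} (uid {uid}) holds {LOG_PATH} open for writing as fd {fd}")
```

Run it as root inside a logged-in session so that other users' /proc/<pid>/fd directories are readable; an empty result means no user process inherited the log descriptor.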
