lp://qastaging/lightdm/1.22
- Get this branch:
- bzr branch lp://qastaging/lightdm/1.22
Branch merges
Related bugs
Bug #1663157: Guest session processes are not confined in 16.10 and newer releases | Undecided | New
Bug #1707187: Export autologin-session to greeter | Wishlist | Fix Committed
Bug #1718565: Timed autologin doesn't use autologin-session | Medium | Fix Committed
Related blueprints
Branch information
Recent revisions
- 2480. By Robert Ancell
-
Expose autologin-session as a hint to the greeter
Based on a patch by Roland Tapken.
- 2479. By Robert Ancell
-
* SECURITY UPDATE: Guest session not confined (LP: #1663157)
- debian/50-disable-guest.conf:
- debian/lightdm.install:
- Disable guest sessions by default, this can be overridden by custom
configuration (e.g. /etc/lightdm/lightdm.conf)
- CVE-2017-8900
- 2478. By Robert Ancell
-
* SECURITY UPDATE: Directory traversal allowing arbitrary directory
ownership and privilege escalation (LP: #1677924)
- debian/guest-account.sh: Detect existing malicious guest user home dirs
before proceeding with guest user creation
- CVE-2017-7358
- 2477. By Tyler Hicks
-
Detect existing malicious guest user home dirs

It was discovered that a local attacker could watch for lightdm's
guest-account script to create a /tmp/guest-XXXXXX file and then quickly
create the lowercase representation of the guest user's home directory
before lightdm could. This allowed the attacker to have control of the
guest user's home directory and, subsequently, gain control of an
arbitrary directory in the filesystem which could lead to privilege
escalation.

This patch fixes the issue by detecting failures in creating a directory
for the guest user's home directory. If the file (directory, symlink,
etc.) already exists at the path, mkdir will fail and the script will
exit. This means that it is still possible for a local user to carry out
a denial of service on the guest user login feature.
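The race in revision 2477 comes down to one shell idiom: "mkdir -p" on a path the attacker has already planted succeeds silently, and whatever chown/chmod follows then acts on the attacker's target. The script below is an added illustration, not lightdm's guest-account.sh: it plants a symlink where the guest home is about to be created, shows what the pre-fix pattern would have modified, and shows the plain mkdir check refusing to proceed. The directory names and the "victim" target are made up for the demonstration, and everything lives under a throwaway mktemp directory so it is safe to run unprivileged; no chown is attempted, the functions only report which directory a chown would have landed on.

```shell
#!/bin/sh
# Added example (not lightdm's own guest-account.sh): the pre-existing
# home directory race from revision 2477 and the check that closes it.
# All paths are under a throwaway directory; no real chown is performed.

# Attacker step (hypothetical): win the race and leave a symlink at the
# path the script is about to create, pointing at a directory the attacker
# wants the guest user to own.  $1 = path the script will use, $2 = target
plant_symlink() {
    ln -s "$2" "$1"
}

# Pre-fix pattern: mkdir -p returns success when the path already exists,
# even as a symlink to somewhere else, so a following chown/chmod would act
# on the attacker's target.  Prints the directory that would be modified.
unsafe_home_dir() {
    mkdir -p "$1" || return 1
    readlink -f "$1"
}

# Fixed pattern: plain mkdir fails (EEXIST) if anything is at the path,
# whether a file, directory or dangling symlink, and the caller stops
# instead of proceeding.  The price is that a local user can still
# pre-create the path and deny the guest login, as the commit notes.
safe_home_dir() {
    if ! mkdir "$1" 2>/dev/null; then
        echo "error: $1 already exists, refusing to continue" >&2
        return 1
    fi
    readlink -f "$1"
}

demo() {
    work=$(mktemp -d)
    mkdir "$work/victim"                 # stand-in for an arbitrary system dir
    home="$work/guest-abc123"            # the derived lowercase home path
    plant_symlink "$home" "$work/victim" # attacker got there first

    echo "unsafe pattern would modify: $(unsafe_home_dir "$home")"
    if safe_home_dir "$home" >/dev/null; then
        echo "safe pattern created the directory (unexpected)"
    else
        echo "safe pattern refused: guest login denied, not hijacked"
    fi
    rm -rf "$work"
}

demo
```

Note that "mkdir" without "-p" is the whole check: it is atomic at the filesystem level, so there is no window between "does it exist?" and "create it" for the attacker to exploit, which a separate "test -e" followed by "mkdir -p" would reintroduce.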
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp://qastaging/lightdm