Guest session clean up can remove other user's files

Bug #953044 reported by Martin Pitt
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
Light Display Manager | Invalid | Undecided | Unassigned |
gdm-guest-session (Ubuntu) | Invalid | Undecided | Unassigned |
gdm-guest-session (Ubuntu Lucid) | Fix Released | Undecided | Marc Deslauriers |
gdm-guest-session (Ubuntu Maverick) | Fix Released | Undecided | Marc Deslauriers |
gdm-guest-session (Ubuntu Natty) | Fix Released | Undecided | Marc Deslauriers |
gdm-guest-session (Ubuntu Oneiric) | Won't Fix | Undecided | Unassigned |
lightdm (Ubuntu) | Fix Released | High | Martin Pitt |
lightdm (Ubuntu Oneiric) | Fix Released | Undecided | Marc Deslauriers |
lightdm (Ubuntu Precise) | Fix Released | High | Martin Pitt |

Bug Description

/usr/sbin/guest-account has this cleanup:

  # remove leftovers in /tmp
  find /tmp -mindepth 1 -maxdepth 1 -uid "$UID" | xargs rm -rf || true

This runs with the cwd of the last logged in user. If the user creates a file "/tmp/x a", the file "a" gets removed from the last user's login.

Thanks to Ryan Lortie for discovering this!
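
The word-splitting behaviour described above, reproduced inside a throwaway sandbox directory as an added example (this is not the guest-account script or code from the package). The function names are hypothetical, `$(id -u)` stands in for the script's `$UID`, and the second variant uses `find -print0` with `xargs -0`, the NUL-separator approach named in the changelog entries further down this page.

```shell
#!/bin/sh
# Added example: compare newline/space-separated cleanup with NUL-separated
# cleanup. Everything happens under a mktemp sandbox, never in the real /tmp.

# cleanup_unsafe DIR: the pattern from the report. xargs splits its input on
# blanks, so one name containing a space becomes two separate rm arguments.
cleanup_unsafe() {
    find "$1" -mindepth 1 -maxdepth 1 -uid "$(id -u)" | xargs rm -rf || true
}

# cleanup_safe DIR: names are NUL-terminated, so each path reaches rm intact.
cleanup_safe() {
    find "$1" -mindepth 1 -maxdepth 1 -uid "$(id -u)" -print0 | xargs -0 rm -rf || true
}

# run_case FUNC: build the sandbox, run FUNC from a different working
# directory, and report "<bystander file> <guest leftover>".
run_case() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/tmp" "$sandbox/home"
    : > "$sandbox/home/a"      # constructed: another user's file in the cwd
    : > "$sandbox/tmp/x a"     # constructed: guest leftover with a space in its name
    # The cleanup inherits a cwd that is not the directory being cleaned.
    ( cd "$sandbox/home" && "$1" "$sandbox/tmp" )
    if [ -e "$sandbox/home/a" ]; then bystander=kept; else bystander=deleted; fi
    if [ -e "$sandbox/tmp/x a" ]; then leftover=present; else leftover=removed; fi
    rm -rf "$sandbox"
    echo "$bystander $leftover"
}

echo "unsafe: $(run_case cleanup_unsafe)"
echo "safe:   $(run_case cleanup_safe)"
```

In the unsafe case the relative argument `a` resolves against the inherited working directory, which is why the file that disappears is outside the directory being cleaned, while the real leftover `x a` is never removed.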

Martin Pitt (pitti) wrote :

Same bug in gdm-guest-session. This exists up to oneiric, although it won't work at all in oneiric (we forgot to remove it).

no longer affects: lightdm (Ubuntu Lucid)
no longer affects: lightdm (Ubuntu Maverick)
no longer affects: lightdm (Ubuntu Natty)
no longer affects: gdm-guest-session (Ubuntu Precise)
Martin Pitt (pitti)
Changed in lightdm:
assignee: nobody → Martin Pitt (pitti)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in gdm-guest-session (Ubuntu Lucid):
status: New → Confirmed
Changed in gdm-guest-session (Ubuntu Maverick):
status: New → Confirmed
Changed in gdm-guest-session (Ubuntu Natty):
status: New → Confirmed
Changed in gdm-guest-session (Ubuntu Oneiric):
status: New → Confirmed
Changed in gdm-guest-session (Ubuntu):
status: New → Confirmed
Changed in lightdm (Ubuntu Oneiric):
status: New → Confirmed
Martin Pitt (pitti) wrote :

This script is not in lightdm trunk, only in the packaging (/debian/guest-account)

Changed in lightdm:
assignee: Martin Pitt (pitti) → nobody
status: New → Invalid
Martin Pitt (pitti) wrote :

CC'ing Yves-Alexis Perez as he is the Debian maintainer. It only affects testing/unstable (if Debian ships the guest account script at all), so it doesn't need a DSA.

Martin Pitt (pitti) wrote :

Precise debdiff. I did not commit this to the packaging branch yet as this has not been published yet.

Martin Pitt (pitti) wrote :

Argh, the previous attachment was an older version which is broken.

Marc Deslauriers (mdeslaur) wrote :

Debian doesn't seem to ship the guest account script in their lightdm package, so this is likely Ubuntu-specific.

Please wait until I publish updates to the stable release before committing this.

Thanks!

Marc Deslauriers (mdeslaur) wrote :

This is CVE-2012-0943

Changed in gdm-guest-session (Ubuntu Lucid):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in gdm-guest-session (Ubuntu Maverick):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in gdm-guest-session (Ubuntu Natty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in lightdm (Ubuntu Oneiric):
assignee: nobody → Marc Deslauriers (mdeslaur)
Yves-Alexis Perez (corsac) wrote :

Thanks for the subscription. Indeed, we don't ship guest support (and now I know why)

Martin Pitt (pitti) wrote :

debdiff for oneiric's gdm-guest-session. Should apply well to older versions as well. I also fixed the cleanup in /var/cache/gdm/, although that's not an exploitable vulnerability.

Martin Pitt (pitti) wrote :

Closing precise task of gdm-guest-session, it's gone.

Changed in gdm-guest-session (Ubuntu):
status: Confirmed → Invalid
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.0.6-0ubuntu1.6

---------------
lightdm (1.0.6-0ubuntu1.6) oneiric-security; urgency=low

  * SECURITY UPDATE: Guest session arbitrary file deletion (LP: #953044)
    - debian/guest-account: Use find/xargs with 0 separators instead of
      spaces. Thanks to Martin Pitt for the fix.
    - Thanks to Ryan Lortie for reporting this issue.
    - CVE-2012-0943
 -- Marc Deslauriers <email address hidden> Mon, 12 Mar 2012 11:08:04 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gdm-guest-session - 0.24ubuntu0.1

---------------
gdm-guest-session (0.24ubuntu0.1) natty-security; urgency=low

  * SECURITY UPDATE: Guest session arbitrary file deletion (LP: #953044)
    - gdm/guest-session-cleanup.sh: Use find/xargs with 0 separators
      instead of spaces. Thanks to Martin Pitt for the fix.
    - Thanks to Ryan Lortie for reporting this issue.
    - CVE-2012-0943
 -- Marc Deslauriers <email address hidden> Mon, 12 Mar 2012 11:12:10 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gdm-guest-session - 0.17ubuntu0.1

---------------
gdm-guest-session (0.17ubuntu0.1) maverick-security; urgency=low

  * SECURITY UPDATE: Guest session arbitrary file deletion (LP: #953044)
    - gdm/guest-session-cleanup.sh: Use find/xargs with 0 separators
      instead of spaces. Thanks to Martin Pitt for the fix.
    - Thanks to Ryan Lortie for reporting this issue.
    - CVE-2012-0943
 -- Marc Deslauriers <email address hidden> Mon, 12 Mar 2012 11:16:50 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gdm-guest-session - 0.15ubuntu0.1

---------------
gdm-guest-session (0.15ubuntu0.1) lucid-security; urgency=low

  * SECURITY UPDATE: Guest session arbitrary file deletion (LP: #953044)
    - gdm/guest-session-cleanup.sh: Use find/xargs with 0 separators
      instead of spaces. Thanks to Martin Pitt for the fix.
    - Thanks to Ryan Lortie for reporting this issue.
    - CVE-2012-0943
 -- Marc Deslauriers <email address hidden> Mon, 12 Mar 2012 11:18:26 -0400

Changed in gdm-guest-session (Ubuntu Lucid):
status: Confirmed → Fix Released
Changed in gdm-guest-session (Ubuntu Maverick):
status: Confirmed → Fix Released
Changed in gdm-guest-session (Ubuntu Natty):
status: Confirmed → Fix Released
Changed in lightdm (Ubuntu Oneiric):
status: Confirmed → Fix Released
visibility: private → public
Changed in gdm-guest-session (Ubuntu Oneiric):
status: Confirmed → Won't Fix
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.1.7-0ubuntu2

---------------
lightdm (1.1.7-0ubuntu2) precise; urgency=low

  * debian/guest-account: Fix arbitrary file deletion in removal of guest
    files in /tmp. Use find/xargs with 0 separators instead of spaces.
    (LP: #953044, CVE-2012-0943)
 -- Martin Pitt <email address hidden> Tue, 13 Mar 2012 14:53:10 +0100

Changed in lightdm (Ubuntu Precise):
status: Triaged → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
