Elevated rights through vulnerability in the GNOME Display Manager
An update for the GNOME Display Manager (GDM), currently being distributed by the Linux distributors, removes a vulnerability that allowed registered users to achieve elevated rights. The vulnerability stems from a format string bug in the GNOME Display Manager Host Chooser Window (gdmchooser) and could allow attackers to use dialog boxes to inject arbitrary code and execute it with gdm rights. The display manager uses gdmchooser as part of its support for the X Display Manager Control Protocol (XDMCP), through which it interacts with other systems on the network.
Tests of Red Hat systems by iDefense showed that users could not access gdmchooser by default, but this is not necessarily the case for all Linux systems, since certain pre-set display settings make gdmchooser available. The error has been fixed in versions 2.14.11, 2.16.4 and 2.17.4 of the GNOME Display Manager.
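As an added example (not code from GDM, iDefense or any distributor), the following check compares an installed upstream GDM version against the fixed releases named above, using numeric comparison so that 2.14.9 sorts before 2.14.11. The function names, the treatment of later branches as fixed and the sample version strings are assumptions made for illustration.

```python
import re

# Fixed upstream releases per branch, as stated in the article.
FIXED = {(2, 14): 11, (2, 16): 4, (2, 17): 4}


def parse_upstream(version):
    """Return (major, minor, patch) from a string such as '2.16.0-31.fc6'.

    Anything after the upstream x.y.z part (a distributor release suffix)
    is ignored.
    """
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised GDM version: {version!r}")
    return tuple(int(part) for part in m.groups())


def gdm_status(version):
    """Classify a GDM version as 'fixed', 'vulnerable' or 'unknown'."""
    major, minor, patch = parse_upstream(version)
    branch = (major, minor)
    if branch in FIXED:
        # Integer comparison: the string "9" would wrongly sort after "11".
        return "fixed" if patch >= FIXED[branch] else "vulnerable"
    if branch > max(FIXED):
        # Assumption: branches released after 2.17 carry the fix.
        return "fixed"
    # Older or in-between branches: the article gives no information.
    return "unknown"


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real host.
    for v in ["2.14.9", "2.14.11", "2.16.0-31.fc6", "2.17.4", "2.18.0", "2.8.0"]:
        print(f"{v:16} {gdm_status(v)}")
```

A "vulnerable" result reflects the upstream version number only; a distributor package may carry a backported fix under an older version, so the distributor's advisory remains the reference.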
In early December, distributors were forced to issue a new package for the GNOME Display Manager to eliminate a buffer overflow in the libgsf library.
- GNOME Foundation Display Manager gdmchooser Format String Vulnerability, bug report from iDefense
- Updated gdm packages fix string vulnerability, bug report from Mandriva
(trk)