
UNIRAS Brief - 826/06 - Ubuntu Security Notice: USN-396-1 - gdm vulnerability



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

 UNIRAS (UK Government CERT) Briefing - 826/06 dated 15.12.06 time 14:45
 UNIRAS is part of NISCC (the UK National Infrastructure Security
 Co-ordination Centre)
______________________________________________________________________________

 UNIRAS material is available from the NISCC website at www.niscc.gov.uk
______________________________________________________________________________

Title
=====

Ubuntu Security Notice: USN-396-1 - gdm vulnerability

Detail
======

A format string vulnerability was discovered in the gdmchooser component of the 
GNOME Display Manager.  By typing a specially crafted host name, local users 
could gain gdm user privileges, which could lead to further account information exposure.


=========================================================== 
Ubuntu Security Notice USN-396-1          December 14, 2006
gdm vulnerability
CVE-2006-6105
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  gdm                                      2.14.10-0ubuntu1.1

Ubuntu 6.10:
  gdm                                      2.16.1-0ubuntu4.1

After a standard system upgrade you need to reboot your computer to effect the necessary changes.

Details follow:

A format string vulnerability was discovered in the gdmchooser component of the GNOME Display Manager.  By typing a specially
crafted host name, local users could gain gdm user privileges, which could lead to further account information exposure.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.14.10-0ubuntu1.1.diff.gz
      Size/MD5:    75226 062d37bcd1e10af4ed62467cb411cd2a
    http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.14.10-0ubuntu1.1.dsc
      Size/MD5:      886 85410f15a0ac5d3e78afd528675bb070
    http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.14.10.orig.tar.gz
      Size/MD5:  4699371 5a3767866e33bab2f553eccaa448b260

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.14.10-0ubuntu1.1_amd64.deb
      Size/MD5:  1788460 d2ab3139edb370415541b32dc2ff8224

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.14.10-0ubuntu1.1_i386.deb
      Size/MD5:  1722546 ac6d2fbc6e6ff9979543a6a0f9ab755e

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.14.10-0ubuntu1.1_powerpc.deb
      Size/MD5:  1771750 77cf61ea08fa7f6fa9541cf3555aefae

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.14.10-0ubuntu1.1_sparc.deb
      Size/MD5:  1732952 0c9d3b1b35c0003a8ec9555620bb86fd

Updated packages for Ubuntu 6.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.16.1-0ubuntu4.1.diff.gz
      Size/MD5:    78060 309e27f53d2461f82fd6345e218adc15
    http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.16.1-0ubuntu4.1.dsc
      Size/MD5:      883 c2d212cf7792747c0402b94bfbb6aed5
    http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.16.1.orig.tar.gz
      Size/MD5:  4878838 a2e68fac4763f1cf1050eeb19accb43f

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.16.1-0ubuntu4.1_amd64.deb
      Size/MD5:  1774968 f616e84bcdb3e14a36971d83f43ab7c3

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.16.1-0ubuntu4.1_i386.deb
      Size/MD5:  1727524 9a2cbc1b3977738e32f506cf5cfc1617

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.16.1-0ubuntu4.1_powerpc.deb
      Size/MD5:  1762732 fc833e0417bbc5d785ae653d12bd904f

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.16.1-0ubuntu4.1_sparc.deb
      Size/MD5:  1723264 6ba26002800130986e94d112d839fedf



______________________________________________________________________________

NISCC values your feedback.

1. Which of the following most reflects the value of the briefing to you?
(Place an 'X' next to your choice)

Very useful:__ Useful:__ Not useful:__ 

2. If you did not find it useful, why not?


3. Any other comments? How could we improve our briefings?


Thank you for your contribution.
______________________________________________________________________________

For additional information or assistance, please contact our help desk
by telephone.  You may send Not Protectively Marked information via
e-mail to uniras@xxxxxxxxxxxxx

Office hours:

Mon - Fri: 08:30 - 17:00 hours
Tel: +44 (0) 870 487 0748 and follow the voice prompts
Fax: +44 (0) 870 487 0749

On-call duty officer outside office hours:
Tel: +44 (0) 870 487 0748 and follow the voice prompts

______________________________________________________________________________

UNIRAS wishes to acknowledge the contributions of Ubuntu for the
information contained in this briefing.
______________________________________________________________________________

This notice contains information released by the original author.
Some of the information may have changed since it was released. If the
vulnerability affects you, it may be prudent to retrieve the advisory
from the site of the original source to ensure that you receive the most
current information concerning that problem.

Reference to any specific commercial product, process, or service by
trade name, trademark, manufacturer, or otherwise, does not constitute or
imply its endorsement, recommendation, or favouring by UNIRAS or NISCC.
The views and opinions of authors expressed within this notice shall not
be used for advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they
shall not be liable for any loss or damage whatsoever, arising from or
in connection with the usage of information contained within this
notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams
(FIRST) and has contacts with other international Incident Response
Teams (IRTs) in order to foster cooperation and coordination in incident
prevention, to prompt rapid reaction to incidents, and to promote
information sharing amongst its members and the community at large.
______________________________________________________________________________

<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBRYK1Oml7oeQsXfKvEQL/fACgorK6FCoQ/zhvxSWGsp+62lKl7wkAn25U
XHEAGhFrZgZ+QrJXwRig0Op0
=SDOt
-----END PGP SIGNATURE-----


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________
