gdm -- privilege escalation vulnerability

ID C6FBD447-59ED-11E0-8D04-0015F2DB7BDE
Type freebsd
Reporter FreeBSD
Modified 2011-03-28T00:00:00


Sebastian Krahmer reports:

It was discovered that the GNOME Display Manager (gdm) cleared the cache directory, which is owned by an unprivileged user, with the privileges of the root user. A race condition exists in gdm where a local user could take advantage of this by writing to the cache directory between ending the session and the signal to clean up the session, which could lead to the execution of arbitrary code as the root user.
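One defensive pattern for the kind of privileged cleanup described above, shown as an added example (it is not gdm's code and not the fix that was shipped): the directory is opened with `O_NOFOLLOW` and every entry is removed relative to that descriptor, so a symlink planted during the race window is deleted as a link rather than followed. The names `clear_dir_nofollow` and `demo` are hypothetical, and the directory tree under `/tmp` is constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Empty directory `name` (relative to parent_fd) without following any symlink.
 * Returns 0 on success, -1 on error or if a directory is not owned by expected_uid. */
int clear_dir_nofollow(int parent_fd, const char *name, uid_t expected_uid)
{
    int fd = openat(parent_fd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                 /* fails if `name` was swapped for a symlink */
    struct stat st;
    if (fstat(fd, &st) < 0 || st.st_uid != expected_uid) { close(fd); return -1; }
    DIR *d = fdopendir(fd);
    if (!d) { close(fd); return -1; }
    int rc = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        struct stat est;                   /* lstat semantics: describes the link itself */
        if (fstatat(fd, e->d_name, &est, AT_SYMLINK_NOFOLLOW) < 0) { rc = -1; continue; }
        if (S_ISDIR(est.st_mode)) {        /* recurse through the fd, never through a path */
            if (clear_dir_nofollow(fd, e->d_name, expected_uid) < 0 ||
                unlinkat(fd, e->d_name, AT_REMOVEDIR) < 0) rc = -1;
        } else if (unlinkat(fd, e->d_name, 0) < 0) {
            rc = -1;                       /* files and symlinks are unlinked in place */
        }
    }
    closedir(d);                           /* also closes fd */
    return rc;
}

/* Constructed scenario: cache/ holds a stale file and a symlink to outside/. */
int demo(void)
{
    char base[] = "/tmp/gdmdemoXXXXXX";
    if (!mkdtemp(base) || chdir(base) < 0) return -1;
    mkdir("cache", 0700); mkdir("outside", 0700);
    close(open("outside/keep", O_CREAT | O_WRONLY, 0600));
    close(open("cache/stale", O_CREAT | O_WRONLY, 0600));
    if (symlink("../outside", "cache/planted") < 0) return -1;
    int rc = clear_dir_nofollow(AT_FDCWD, "cache", getuid());
    int kept = access("outside/keep", F_OK) == 0;   /* link target untouched */
    int emptied = rmdir("cache") == 0;              /* succeeds only if cache is empty */
    return (rc == 0 && kept && emptied) ? 1 : 0;
}
```

Running the cleanup under the directory owner's own uid instead of root removes the privileged step altogether; the descriptor-relative form above is for cases where the cleanup has to stay privileged.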