Scientific Linux Security Update : gdm on SL6.x i386/x86_64
2012-08-01T00:00:00
ID SL_20110329_GDM_ON_SL6_X.NASL Type nessus Reporter Tenable Modified 2012-08-01T00:00:00
Description
The GNOME Display Manager (GDM) provides the graphical login screen, shown shortly after boot up, log out, and when user-switching.
A race condition flaw was found in the way GDM handled the cache directories used to store users' dmrc and face icon files. A local attacker could use this flaw to trick GDM into changing the ownership of an arbitrary file via a symbolic link attack, allowing them to escalate their privileges. (CVE-2011-0727)
We would like to thank Sebastian Krahmer of the SuSE Security Team for reporting this issue.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text is (C) Scientific Linux.
#
include("compat.inc");
if (description)
{
script_id(60998);
script_version("$Revision: 1.1 $");
script_cvs_date("$Date: 2012/08/01 14:38:55 $");
script_cve_id("CVE-2011-0727");
script_name(english:"Scientific Linux Security Update : gdm on SL6.x i386/x86_64");
script_summary(english:"Checks rpm output for the updated packages");
script_set_attribute(
attribute:"synopsis",
value:
"The remote Scientific Linux host is missing one or more security
updates."
);
script_set_attribute(
attribute:"description",
value:
"The GNOME Display Manager (GDM) provides the graphical login screen,
shown shortly after boot up, log out, and when user-switching.
A race condition flaw was found in the way GDM handled the cache
directories used to store users' dmrc and face icon files. A local
attacker could use this flaw to trick GDM into changing the ownership
of an arbitrary file via a symbolic link attack, allowing them to
escalate their privileges. (CVE-2011-0727)
We would like to thank Sebastian Krahmer of the SuSE Security Team for
reporting this issue."
);
# http://listserv.fnal.gov/scripts/wa.exe?A2=ind1103&L=scientific-linux-errata&T=0&P=10293
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?cfae23c8"
);
script_set_attribute(attribute:"solution", value:"Update the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");
script_set_attribute(attribute:"patch_publication_date", value:"2011/03/29");
script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/01");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2012 Tenable Network Security, Inc.");
script_family(english:"Scientific Linux Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);
flag = 0;
if (rpm_check(release:"SL6", reference:"gdm-2.30.4-21.el6_0.1")) flag++;
if (rpm_check(release:"SL6", reference:"gdm-libs-2.30.4-21.el6_0.1")) flag++;
if (rpm_check(release:"SL6", reference:"gdm-plugin-fingerprint-2.30.4-21.el6_0.1")) flag++;
if (rpm_check(release:"SL6", reference:"gdm-plugin-smartcard-2.30.4-21.el6_0.1")) flag++;
if (rpm_check(release:"SL6", reference:"gdm-user-switch-applet-2.30.4-21.el6_0.1")) flag++;
if (flag)
{
if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
else security_warning(0);
exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
{"id": "SL_20110329_GDM_ON_SL6_X.NASL", "bulletinFamily": "scanner", "title": "Scientific Linux Security Update : gdm on SL6.x i386/x86_64", "description": "The GNOME Display Manager (GDM) provides the graphical login screen, shown shortly after boot up, log out, and when user-switching.\n\nA race condition flaw was found in the way GDM handled the cache directories used to store users' dmrc and face icon files. A local attacker could use this flaw to trick GDM into changing the ownership of an arbitrary file via a symbolic link attack, allowing them to escalate their privileges. (CVE-2011-0727)\n\nWe would like to thank Sebastian Krahmer of the SuSE Security Team for reporting this issue.", "published": "2012-08-01T00:00:00", "modified": "2012-08-01T00:00:00", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=60998", "reporter": "Tenable", "references": ["http://www.nessus.org/u?cfae23c8"], "cvelist": ["CVE-2011-0727"], "type": "nessus", "lastseen": "2017-10-29T13:41:39", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2011-0727"], "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "The GNOME Display Manager (GDM) provides the graphical login screen, shown shortly after boot up, log out, and when user-switching.\n\nA race condition flaw was found in the way GDM handled the cache directories used to store users' dmrc and face icon files. A local attacker could use this flaw to trick GDM into changing the ownership of an arbitrary file via a symbolic link attack, allowing them to escalate their privileges. (CVE-2011-0727)\n\nWe would like to thank Sebastian Krahmer of the SuSE Security Team for reporting this issue.", "edition": 1, "enchantments": {}, "hash": "4dc71d91daa75be7b62342849b1a9f3e161d95a1516b721ff50c6add8edb66f8", "hashmap": [{"hash": "ff0a49ac31c21a4ff5bdc5073f668c3e", "key": "description"}, {"hash": "0a3e9e773f0266bbda2fbffd506c83d9", "key": "cvelist"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "6a1acd12b339790f85a4783cccd8ed63", "key": "sourceData"}, {"hash": "27a93a5003386b1edcd7507f21ad10fe", "key": "references"}, {"hash": "74c604e8b9f9db48194a6457dc531e73", "key": "pluginID"}, {"hash": "d67753189b7bd1c5e38747a3a72f585f", "key": "href"}, {"hash": "b3a4d461a1383c8ba9fa401b58d29827", "key": "naslFamily"}, {"hash": "e8bafdc9ad5c6f47fe1e6e5fd509b7a9", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "3ff4afbf9eedf98937c2e5c5cf13456f", "key": "published"}, {"hash": "1b450201bdc3966e03c8568c8ebe6b4d", "key": "title"}, {"hash": "3ff4afbf9eedf98937c2e5c5cf13456f", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=60998", "id": "SL_20110329_GDM_ON_SL6_X.NASL", "lastseen": "2016-09-26T17:25:35", "modified": "2012-08-01T00:00:00", "naslFamily": "Scientific Linux Local Security Checks", "objectVersion": "1.2", "pluginID": "60998", "published": "2012-08-01T00:00:00", "references": ["http://www.nessus.org/u?cfae23c8"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(60998);\n script_version(\"$Revision: 1.1 $\");\n script_cvs_date(\"$Date: 2012/08/01 14:38:55 $\");\n\n script_cve_id(\"CVE-2011-0727\");\n\n script_name(english:\"Scientific Linux Security Update : gdm on SL6.x i386/x86_64\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The GNOME Display Manager (GDM) provides the graphical login screen,\nshown shortly after boot up, log out, and when user-switching.\n\nA race condition flaw was found in the way GDM handled the cache\ndirectories used to store users' dmrc and face icon files. A local\nattacker could use this flaw to trick GDM into changing the ownership\nof an arbitrary file via a symbolic link attack, allowing them to\nescalate their privileges. (CVE-2011-0727)\n\nWe would like to thank Sebastian Krahmer of the SuSE Security Team for\nreporting this issue.\"\n );\n # http://listserv.fnal.gov/scripts/wa.exe?A2=ind1103&L=scientific-linux-errata&T=0&P=10293\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?cfae23c8\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/03/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/08/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012 Tenable Network Security, Inc.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL6\", reference:\"gdm-2.30.4-21.el6_0.1\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"gdm-libs-2.30.4-21.el6_0.1\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"gdm-plugin-fingerprint-2.30.4-21.el6_0.1\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"gdm-plugin-smartcard-2.30.4-21.el6_0.1\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"gdm-user-switch-applet-2.30.4-21.el6_0.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "Scientific Linux Security Update : gdm on SL6.x i386/x86_64", "type": "nessus", "viewCount": 0}, "differentElements": ["cpe"], "edition": 1, "lastseen": "2016-09-26T17:25:35"}], "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "b1e432cd926620a2b9bd9816ef9503c6"}, {"key": "cvelist", "hash": "0a3e9e773f0266bbda2fbffd506c83d9"}, {"key": "cvss", "hash": "e8bafdc9ad5c6f47fe1e6e5fd509b7a9"}, {"key": "description", "hash": "ff0a49ac31c21a4ff5bdc5073f668c3e"}, {"key": "href", "hash": "d67753189b7bd1c5e38747a3a72f585f"}, {"key": "modified", "hash": "3ff4afbf9eedf98937c2e5c5cf13456f"}, {"key": "naslFamily", "hash": "b3a4d461a1383c8ba9fa401b58d29827"}, {"key": "pluginID", "hash": "74c604e8b9f9db48194a6457dc531e73"}, {"key": "published", "hash": "3ff4afbf9eedf98937c2e5c5cf13456f"}, {"key": "references", "hash": "27a93a5003386b1edcd7507f21ad10fe"}, {"key": "reporter", "hash": "9cf00d658b687f030ebe173a0528c567"}, {"key": "sourceData", "hash": "6a1acd12b339790f85a4783cccd8ed63"}, {"key": "title", "hash": "1b450201bdc3966e03c8568c8ebe6b4d"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "e6d16201bebbe61fba258c6a641b101283ac3e94f79beb7b4e7510bde5721c7d", "viewCount": 0, "enchantments": {"vulnersScore": 7.2}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(60998);\n script_version(\"$Revision: 1.1 $\");\n script_cvs_date(\"$Date: 2012/08/01 14:38:55 $\");\n\n script_cve_id(\"CVE-2011-0727\");\n\n script_name(english:\"Scientific Linux Security Update : gdm on SL6.x i386/x86_64\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The GNOME Display Manager (GDM) provides the graphical login screen,\nshown shortly after boot up, log out, and when user-switching.\n\nA race condition flaw was found in the way GDM handled the cache\ndirectories used to store users' dmrc and face icon files. A local\nattacker could use this flaw to trick GDM into changing the ownership\nof an arbitrary file via a symbolic link attack, allowing them to\nescalate their privileges. (CVE-2011-0727)\n\nWe would like to thank Sebastian Krahmer of the SuSE Security Team for\nreporting this issue.\"\n );\n # http://listserv.fnal.gov/scripts/wa.exe?A2=ind1103&L=scientific-linux-errata&T=0&P=10293\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?cfae23c8\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/03/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/08/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012 Tenable Network Security, Inc.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL6\", reference:\"gdm-2.30.4-21.el6_0.1\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"gdm-libs-2.30.4-21.el6_0.1\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"gdm-plugin-fingerprint-2.30.4-21.el6_0.1\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"gdm-plugin-smartcard-2.30.4-21.el6_0.1\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"gdm-user-switch-applet-2.30.4-21.el6_0.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "naslFamily": "Scientific Linux Local Security Checks", "pluginID": "60998", "cpe": ["x-cpe:/o:fermilab:scientific_linux"]}
{"result": {"cve": [{"id": "CVE-2011-0727", "type": "cve", "title": "CVE-2011-0727", "description": "GNOME Display Manager (gdm) 2.x before 2.32.1 allows local users to change the ownership of arbitrary files via a symlink attack on a (1) dmrc or (2) face icon file under /var/cache/gdm/.", "published": "2011-03-31T18:55:02", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0727", "cvelist": ["CVE-2011-0727"], "lastseen": "2017-08-17T10:42:41"}], "nessus": [{"id": "FEDORA_2011-4351.NASL", "type": "nessus", "title": "Fedora 13 : gdm-2.30.2-2.fc13 (2011-4351)", "description": "This update addresses a local root exploit for GDM.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2011-04-15T00:00:00", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=53437", "cvelist": ["CVE-2011-0727"], "lastseen": "2017-10-29T13:43:45"}, {"id": "UBUNTU_USN-1099-1.NASL", "type": "nessus", "title": "Ubuntu 9.10 / 10.04 LTS / 10.10 : gdm vulnerability (USN-1099-1)", "description": "Sebastian Krahmer discovered that GDM (GNOME Display Manager) did not properly drop privileges when handling the cache directories used to store users' dmrc and face icon files. This could allow a local attacker to change the ownership of arbitrary files, thereby gaining root privileges.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2011-03-31T00:00:00", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=53238", "cvelist": ["CVE-2011-0727"], "lastseen": "2017-10-29T13:43:17"}, {"id": "SUSE_11_3_GDM-110330.NASL", "type": "nessus", "title": "openSUSE Security Update : gdm (openSUSE-SU-2011:0275-1)", "description": "Local users could trick gdm into changing ownership of arbitrary files by placing symlinks in the user session cache (CVE-2011-0727).", "published": "2014-06-13T00:00:00", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=75511", "cvelist": ["CVE-2011-0727"], "lastseen": "2017-10-29T13:44:55"}, {"id": "SUSE_11_4_GDM-110330.NASL", "type": "nessus", "title": "openSUSE Security Update : gdm (openSUSE-SU-2011:0275-1)", "description": "Local users could trick gdm into changing ownership of arbitrary files by placing symlinks in the user session cache (CVE-2011-0727).", "published": "2014-06-13T00:00:00", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=75847", "cvelist": ["CVE-2011-0727"], "lastseen": "2017-10-29T13:43:46"}, {"id": "DEBIAN_DSA-2205.NASL", "type": "nessus", "title": "Debian DSA-2205-1 : gdm3 - privilege escalation", "description": "Sebastian Krahmer discovered that GDM 3, the GNOME Display Manager, does not properly drop privileges when manipulating files related to the logged-in user. As a result, local users can gain root privileges.\n\nThe oldstable distribution (lenny) does not contain a gdm3 package.\nThe gdm package is not affected by this issue.", "published": "2011-03-29T00:00:00", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=53198", "cvelist": ["CVE-2011-0727"], "lastseen": "2017-10-29T13:36:26"}, {"id": "REDHAT-RHSA-2011-0395.NASL", "type": "nessus", "title": "RHEL 6 : gdm (RHSA-2011:0395)", "description": "Updated gdm packages that fix one security issue are now available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe GNOME Display Manager (GDM) provides the graphical login screen, shown shortly after boot up, log out, and when user-switching.\n\nA race condition flaw was found in the way GDM handled the cache directories used to store users' dmrc and face icon files. A local attacker could use this flaw to trick GDM into changing the ownership of an arbitrary file via a symbolic link attack, allowing them to escalate their privileges. (CVE-2011-0727)\n\nRed Hat would like to thank Sebastian Krahmer of the SuSE Security Team for reporting this issue.\n\nAll users should upgrade to these updated packages, which contain a backported patch to correct this issue. GDM must be restarted for this update to take effect. Rebooting achieves this, but changing the runlevel from 5 to 3 and back to 5 also restarts GDM.", "published": "2011-03-29T00:00:00", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=53207", "cvelist": ["CVE-2011-0727"], "lastseen": "2017-10-29T13:34:28"}, {"id": "FEDORA_2011-4335.NASL", "type": "nessus", "title": "Fedora 14 : gdm-2.32.1-2.fc14 (2011-4335)", "description": "This update addresses a local root exploit.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2011-04-04T00:00:00", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=53265", "cvelist": ["CVE-2011-0727"], "lastseen": "2017-10-29T13:36:22"}, {"id": "ORACLELINUX_ELSA-2011-0395.NASL", "type": "nessus", "title": "Oracle Linux 6 : gdm (ELSA-2011-0395)", "description": "From Red Hat Security Advisory 2011:0395 :\n\nUpdated gdm packages that fix one security issue are now available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe GNOME Display Manager (GDM) provides the graphical login screen, shown shortly after boot up, log out, and when user-switching.\n\nA race condition flaw was found in the way GDM handled the cache directories used to store users' dmrc and face icon files. A local attacker could use this flaw to trick GDM into changing the ownership of an arbitrary file via a symbolic link attack, allowing them to escalate their privileges. (CVE-2011-0727)\n\nRed Hat would like to thank Sebastian Krahmer of the SuSE Security Team for reporting this issue.\n\nAll users should upgrade to these updated packages, which contain a backported patch to correct this issue. GDM must be restarted for this update to take effect. Rebooting achieves this, but changing the runlevel from 5 to 3 and back to 5 also restarts GDM.", "published": "2013-07-12T00:00:00", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=68241", "cvelist": ["CVE-2011-0727"], "lastseen": "2017-10-29T13:40:29"}, {"id": "FREEBSD_PKG_C6FBD44759ED11E08D040015F2DB7BDE.NASL", "type": "nessus", "title": "FreeBSD : gdm -- privilege escalation vulnerability (c6fbd447-59ed-11e0-8d04-0015f2db7bde)", "description": "Sebastian Krahmer reports :\n\nIt was discovered that the GNOME Display Manager (gdm) cleared the cache directory, which is owned by an unprivileged user, with the privileges of the root user. A race condition exists in gdm where a local user could take advantage of this by writing to the cache directory between ending the session and the signal to clean up the session, which could lead to the execution of arbitrary code as the root user.", "published": "2011-03-30T00:00:00", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=53217", "cvelist": ["CVE-2011-0727"], "lastseen": "2017-10-29T13:41:45"}, {"id": "MANDRIVA_MDVSA-2011-070.NASL", "type": "nessus", "title": "Mandriva Linux Security Advisory : gdm (MDVSA-2011:070)", "description": "A vulnerability has been found and corrected in gdm :\n\nGNOME Display Manager (gdm) 2.x before 2.32.1 allows local users to change the ownership of arbitrary files via a symlink attack on a (1) dmrc or (2) face icon file under /var/cache/gdm/ (CVE-2011-0727).\n\nThe updated packages have been patched to correct this issue.", "published": "2011-04-11T00:00:00", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=53349", "cvelist": ["CVE-2011-0727"], "lastseen": "2017-10-29T13:32:56"}], "debian": [{"id": "DSA-2205", "type": "debian", "title": "gdm3 -- privilege escalation", "description": "Sebastian Krahmer discovered that GDM 3, the GNOME Display Manager, does not properly drop privileges when manipulating files related to the logged-in user. As a result, local users can gain root privileges.\n\nThe oldstable distribution (lenny) does not contain a gdm3 package. The gdm package is not affected by this issue.\n\nFor the stable distribution (squeeze), this problem has been fixed in version 2.30.5-6squeeze2.\n\nFor the testing distribution (wheezy) and the unstable distribution (sid), this problem will be fixed soon.\n\nWe recommend that you upgrade your gdm3 packages.", "published": "2011-03-28T00:00:00", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-2205", "cvelist": ["CVE-2011-0727"], "lastseen": "2016-09-02T18:33:56"}], "openvas": [{"id": "OPENVAS:862965", "type": "openvas", "title": "Fedora Update for gdm FEDORA-2011-4335", "description": "Check for the Version of gdm", "published": "2011-04-06T00:00:00", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=862965", "cvelist": ["CVE-2011-0727"], "lastseen": "2017-07-25T10:55:52"}, {"id": "OPENVAS:1361412562310122210", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2011-0395", "description": "Oracle Linux Local Security Checks ELSA-2011-0395", "published": "2015-10-06T00:00:00", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122210", "cvelist": ["CVE-2011-0727"], "lastseen": "2017-07-24T12:53:09"}, {"id": "OPENVAS:136141256231069415", "type": "openvas", "title": "Debian Security Advisory DSA 2205-1 (gdm3)", "description": "The remote host is missing an update to gdm3\nannounced via advisory DSA 2205-1.", "published": "2011-05-12T00:00:00", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=136141256231069415", "cvelist": ["CVE-2011-0727"], "lastseen": "2018-04-06T11:34:32"}, {"id": "OPENVAS:831370", "type": "openvas", "title": "Mandriva Update for gdm MDVSA-2011:070 (gdm)", "description": "Check for the Version of gdm", "published": "2011-04-11T00:00:00", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=831370", "cvelist": ["CVE-2011-0727"], "lastseen": "2017-07-24T12:55:42"}, {"id": "OPENVAS:1361412562310870684", "type": "openvas", "title": "RedHat Update for gdm RHSA-2011:0395-01", "description": "Check for the Version of gdm", "published": "2012-06-06T00:00:00", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310870684", "cvelist": ["CVE-2011-0727"], "lastseen": "2018-04-06T11:20:24"}, {"id": "OPENVAS:862985", "type": "openvas", "title": "Fedora Update for gdm FEDORA-2011-4351", "description": "Check for the Version of gdm", "published": "2011-04-19T00:00:00", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=862985", "cvelist": ["CVE-2011-0727"], "lastseen": "2017-07-25T10:55:47"}, {"id": "OPENVAS:870684", "type": "openvas", "title": "RedHat Update for gdm RHSA-2011:0395-01", "description": "Check for the Version of gdm", "published": "2012-06-06T00:00:00", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=870684", "cvelist": ["CVE-2011-0727"], "lastseen": "2018-01-02T10:58:15"}, {"id": "OPENVAS:1361412562310862965", "type": "openvas", "title": "Fedora Update for gdm FEDORA-2011-4335", "description": "Check for the Version of gdm", "published": "2011-04-06T00:00:00", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310862965", "cvelist": ["CVE-2011-0727"], "lastseen": "2018-04-09T11:37:55"}, {"id": "OPENVAS:69415", "type": "openvas", "title": "Debian Security Advisory DSA 2205-1 (gdm3)", "description": "The remote host is missing an update to gdm3\nannounced via advisory DSA 2205-1.", "published": "2011-05-12T00:00:00", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=69415", "cvelist": ["CVE-2011-0727"], "lastseen": "2017-07-24T12:55:23"}, {"id": "OPENVAS:69358", "type": "openvas", "title": "FreeBSD Ports: gdm", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "published": "2011-05-12T00:00:00", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=69358", "cvelist": ["CVE-2011-0727"], "lastseen": "2017-07-02T21:13:45"}], "oraclelinux": [{"id": "ELSA-2011-0395", "type": "oraclelinux", "title": "gdm security update", "description": "[2.30.4-21.0.2.el6_0.1]\n- Added oracle-enterprise.patch to show oracle-release contents.\n[2.30.4-21.1]\n- Fix CVE-2011-0727", "published": "2011-03-28T00:00:00", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2011-0395.html", "cvelist": ["CVE-2011-0727"], "lastseen": "2016-09-04T11:16:03"}], "ubuntu": [{"id": "USN-1099-1", "type": "ubuntu", "title": "GDM vulnerability", "description": "Sebastian Krahmer discovered that GDM (GNOME Display Manager) did not properly drop privileges when handling the cache directories used to store users\u2019 dmrc and face icon files. This could allow a local attacker to change the ownership of arbitrary files, thereby gaining root privileges.", "published": "2011-03-30T00:00:00", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/1099-1/", "cvelist": ["CVE-2011-0727"], "lastseen": "2018-03-29T18:20:18"}], "freebsd": [{"id": "C6FBD447-59ED-11E0-8D04-0015F2DB7BDE", "type": "freebsd", "title": "gdm -- privilege escalation vulnerability", "description": "\nSebastian Krahmer reports:\n\nIt was discovered that the GNOME Display Manager (gdm) cleared the cache\n\t directory, which is owned by an unprivileged user, with the privileges of the\n\t root user. A race condition exists in gdm where a local user could take\n\t advantage of this by writing to the cache directory between ending the session\n\t and the signal to clean up the session, which could lead to the execution of\n\t arbitrary code as the root user.\n\n", "published": "2011-03-28T00:00:00", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vuxml.freebsd.org/freebsd/c6fbd447-59ed-11e0-8d04-0015f2db7bde.html", "cvelist": ["CVE-2011-0727"], "lastseen": "2016-09-26T17:24:44"}], "redhat": [{"id": "RHSA-2011:0395", "type": "redhat", "title": "(RHSA-2011:0395) Moderate: gdm security update", "description": "The GNOME Display Manager (GDM) provides the graphical login screen, shown\nshortly after boot up, log out, and when user-switching.\n\nA race condition flaw was found in the way GDM handled the cache\ndirectories used to store users' dmrc and face icon files. A local attacker\ncould use this flaw to trick GDM into changing the ownership of an\narbitrary file via a symbolic link attack, allowing them to escalate their\nprivileges. (CVE-2011-0727)\n\nRed Hat would like to thank Sebastian Krahmer of the SuSE Security Team for\nreporting this issue.\n\nAll users should upgrade to these updated packages, which contain a\nbackported patch to correct this issue. GDM must be restarted for this\nupdate to take effect. Rebooting achieves this, but changing the runlevel\nfrom 5 to 3 and back to 5 also restarts GDM.\n", "published": "2011-03-28T04:00:00", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2011:0395", "cvelist": ["CVE-2011-0727"], "lastseen": "2017-12-25T20:05:57"}], "gentoo": [{"id": "GLSA-201412-09", "type": "gentoo", "title": "Multiple packages, Multiple vulnerabilities fixed in 2011", "description": "### Background\n\nFor more information on the packages listed in this GLSA, please see their homepage referenced in the ebuild. \n\n### Description\n\nVulnerabilities have been discovered in the packages listed below. Please review the CVE identifiers in the Reference section for details. \n\n * FMOD Studio\n * PEAR Mail\n * LVM2\n * GnuCash\n * xine-lib\n * Last.fm Scrobbler\n * WebKitGTK+\n * shadow tool suite\n * PEAR\n * unixODBC\n * Resource Agents\n * mrouted\n * rsync\n * XML Security Library\n * xrdb\n * Vino\n * OProfile\n * syslog-ng\n * sFlow Toolkit\n * GNOME Display Manager\n * libsoup\n * CA Certificates\n * Gitolite\n * QtCreator\n * Racer\n\n### Impact\n\nA context-dependent attacker may be able to gain escalated privileges, execute arbitrary code, cause Denial of Service, obtain sensitive information, or otherwise bypass security restrictions. \n\n### Workaround\n\nThere are no known workarounds at this time.\n\n### Resolution\n\nAll FMOD Studio users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=media-libs/fmod-4.38.00\"\n \n\nAll PEAR Mail users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-php/PEAR-Mail-1.2.0\"\n \n\nAll LVM2 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=sys-fs/lvm2-2.02.72\"\n \n\nAll GnuCash users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-office/gnucash-2.4.4\"\n \n\nAll xine-lib users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=media-libs/xine-lib-1.1.19\"\n \n\nAll Last.fm Scrobbler users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=media-sound/lastfmplayer-1.5.4.26862-r3\"\n \n\nAll WebKitGTK+ users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-libs/webkit-gtk-1.2.7\"\n \n\nAll shadow tool suite users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=sys-apps/shadow-4.1.4.3\"\n \n\nAll PEAR users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-php/PEAR-PEAR-1.9.2-r1\"\n \n\nAll unixODBC users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-db/unixODBC-2.3.0-r1\"\n \n\nAll Resource Agents users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=sys-cluster/resource-agents-1.0.4-r1\"\n \n\nAll mrouted users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/mrouted-3.9.5\"\n \n\nAll rsync users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/rsync-3.0.8\"\n \n\nAll XML Security Library users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-libs/xmlsec-1.2.17\"\n \n\nAll xrdb users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=x11-apps/xrdb-1.0.9\"\n \n\nAll Vino users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/vino-2.32.2\"\n \n\nAll OProfile users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-util/oprofile-0.9.6-r1\"\n \n\nAll syslog-ng users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-admin/syslog-ng-3.2.4\"\n \n\nAll sFlow Toolkit users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-analyzer/sflowtool-3.20\"\n \n\nAll GNOME Display Manager users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=gnome-base/gdm-3.8.4-r3\"\n \n\nAll libsoup users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-libs/libsoup-2.34.3\"\n \n\nAll CA Certificates users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=app-misc/ca-certificates-20110502-r1\"\n \n\nAll Gitolite users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-vcs/gitolite-1.5.9.1\"\n \n\nAll QtCreator users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-util/qt-creator-2.1.0\"\n \n\nGentoo has discontinued support for Racer. We recommend that users unmerge Racer: \n \n \n # emerge --unmerge \"games-sports/racer-bin\"\n \n\nNOTE: This is a legacy GLSA. Updates for all affected architectures have been available since 2012. It is likely that your system is already no longer affected by these issues.", "published": "2014-12-11T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://security.gentoo.org/glsa/201412-09", "cvelist": ["CVE-2011-1572", "CVE-2010-4197", "CVE-2011-2472", "CVE-2010-4204", "CVE-2010-3257", "CVE-2011-1097", "CVE-2009-4111", "CVE-2010-1783", "CVE-2011-0465", "CVE-2010-3812", "CVE-2007-4370", "CVE-2010-3389", "CVE-2010-1787", "CVE-2010-1807", "CVE-2011-2473", "CVE-2011-3366", "CVE-2010-1780", "CVE-2009-4023", "CVE-2011-1144", "CVE-2010-4578", "CVE-2011-0904", "CVE-2010-4042", "CVE-2010-2526", "CVE-2010-1786", "CVE-2011-0721", "CVE-2010-1785", "CVE-2011-3365", "CVE-2011-0482", "CVE-2011-2471", "CVE-2010-4493", "CVE-2010-3255", "CVE-2010-1790", "CVE-2010-1788", "CVE-2010-2901", "CVE-2010-3374", "CVE-2011-2524", "CVE-2010-1815", "CVE-2011-0007", "CVE-2011-0905", "CVE-2010-1782", "CVE-2010-1814", "CVE-2010-1792", "CVE-2011-1760", "CVE-2010-3362", "CVE-2010-3259", "CVE-2010-4206", "CVE-2010-1812", "CVE-2010-1791", "CVE-2010-4577", "CVE-2010-4198", "CVE-2010-1784", "CVE-2010-4492", "CVE-2011-1425", "CVE-2011-1072", "CVE-2011-3367", "CVE-2011-0727", "CVE-2011-1951", "CVE-2010-3813", "CVE-2010-3999", "CVE-2010-0778", "CVE-2010-1793"], "lastseen": "2016-09-06T19:46:21"}]}}
