Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE request: lightdm-gtk-greeter - local DOS due to NULL pointer dereference
From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Tue, 07 Jan 2014 14:50:24 -0500

[replying to http://www.openwall.com/lists/oss-security/2014/01/07/5]

On 01/07/2014 05:47 AM, Guido Berhoerster wrote:
an openSUSE user discovered that it is trivial to crash
lightdm-gtk-greeter by entering an empty username due to a NULL
pointer dereference. When a greeter crashes the lightdm daemon
exits.
This constitutes a local denial of service which can be triggered
by any unprivileged attacker requiring the intervention of an
administrator to restart lightdm. It affects all versions of
lightdm-gtk-greeter.

Hm, if this warrants a CVE for lightdm, then gdm3 needs one also:

 https://bugzilla.gnome.org/show_bug.cgi?id=704284
 http://bugs.debian.org/683338

Basically, when gdm3 is configured to not show a list of users (but
instead shows a blank box for the login prompt), if the user clicks
"cancel" or hits the escape key, then the greeter gets put into a mode
without any way to log in (no prompts available).

I've tried to debug it but it appears to be due to some sort of
timing-dependent case.  When i step through the code with gdb, i haven't
been able to reproduce the issue.

It is definitely a bad situation for machines in public locations with
this configuration.

        --dkg

Attachment: signature.asc
Description: OpenPGP digital signature


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault