GLSA-200709-11 : GDM: Local Denial of Service

low Nessus Plugin ID 26101

Synopsis

The remote Gentoo host is missing one or more security-related patches.

Description

The remote host is affected by the vulnerability described in GLSA-200709-11 (GDM: Local Denial of Service).

The result of a g_strsplit() call is incorrectly parsed in the files daemon/gdm.c, daemon/gdmconfig.c, gui/gdmconfig.c and gui/gdmflexiserver.c, allowing for a NULL pointer dereference.

Impact:

A local user could send a crafted message to /tmp/.gdm_socket that would trigger the NULL pointer dereference and crash GDM, thus preventing it from managing future displays.

Workaround:

Restrict the write permissions on /tmp/.gdm_socket to trusted users only after each GDM restart.
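
The class of bug named in the description, indexing a split result without checking how many fields came back, is shown here with its guard in place. This is an added example, not GDM's code: split() is a small stand-in that mimics g_strsplit()'s NULL-terminated result, and the "COMMAND ARGUMENT" message format and parse_request() are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for g_strsplit(): NULL-terminated vector; "" yields an empty vector. */
static char **split(const char *s, char delim) {
    size_t n = 0, i = 0;
    for (const char *p = s; *p; p++) n += (*p == delim);
    char **v = calloc(n + 2, sizeof *v);        /* fields + NULL terminator */
    if (!v || !*s) return v;
    for (const char *start = s, *p = s; ; p++) {
        if (*p != delim && *p != '\0') continue;
        size_t len = (size_t)(p - start);
        if (!(v[i] = malloc(len + 1))) break;   /* vector stays NULL-terminated */
        memcpy(v[i], start, len);
        v[i++][len] = '\0';
        if (*p == '\0') break;
        start = p + 1;
    }
    return v;
}

static size_t vec_len(char **v) { size_t n = 0; while (v[n]) n++; return n; }
static void vec_free(char **v) { for (size_t i = 0; v[i]; i++) free(v[i]); free(v); }

/* Hypothetical "COMMAND ARGUMENT" request. Copies ARGUMENT into out and returns 0,
 * or returns -1 when the second field is missing or does not fit in out. */
int parse_request(const char *msg, char *out, size_t outlen) {
    char **v = split(msg, ' ');
    int rc = -1;
    if (!v) return rc;
    /* The unsafe pattern is using v[1] unchecked at this point: for "COMMAND"
     * v[1] is the NULL terminator, and for "" even v[0] is NULL. */
    if (vec_len(v) >= 2 && strlen(v[1]) < outlen) {
        strcpy(out, v[1]);
        rc = 0;
    }
    vec_free(v);
    return rc;
}

int main(void) {
    const char *samples[] = { "COMMAND ARGUMENT", "COMMAND", "" };  /* constructed */
    char arg[32];
    for (size_t i = 0; i < 3; i++)
        printf("\"%s\" -> %d\n", samples[i], parse_request(samples[i], arg, sizeof arg));
    return 0;
}
```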

Solution

All GDM users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose 'gnome-base/gdm'

See Also

https://security.gentoo.org/glsa/200709-11

Plugin Details

Severity: Low

ID: 26101

File Name: gentoo_GLSA-200709-11.nasl

Version: 1.15

Type: local

Published: 9/24/2007

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Low

Base Score: 1.5

Vector: CVSS2#AV:L/AC:M/Au:S/C:N/I:N/A:P

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:gdm, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Patch Publication Date: 9/18/2007

Reference Information

CVE: CVE-2007-3381

GLSA: 200709-11