#11685: Generate a security patch for GDM Authentication Bypasses
-------------------------+-----------------------
Reporter: renodr | Owner: blfs-book
Type: enhancement | Status: new
Priority: high | Milestone: 8.4
Component: BOOK | Version: SVN
Severity: normal | Keywords:
-------------------------+-----------------------
Another private report from an Arch Linux developer who prefers to remain
anonymous.
There are two authentication bypass vulnerabilities in GDM that were
discovered last week. This ticket is being defined to track them.
Vulnerability 1:
[https://bugzilla.redhat.com/show_bug.cgi?id=1672825]
[https://gitlab.gnome.org/GNOME/gdm/issues/460]
[https://gitlab.gnome.org/GNOME/gdm/merge_requests/58]
{{{
In some cases with timed login enabled, GDM will unlock a session for a
different user than typed their password
Burghard Britzke reported to [email protected] that he has found a bug in
GDM's timed login implementation.
Under the right circumstances, after the timed login timeout expires, a
running session may get misassociated with the timed login user instead of
the user that started the session. Further attempts to log in as the timed
login user will instead unlock the misassociated user session.
This only affects X.org, since we kill the login screen on Wayland after
login.
Steps to reproduce:
 1. create two users bubi(1000) and user gast(1001)
 2. edit the [daemon] section of /etc/gdm/custom.conf to enable timed
    login for the gast user
      [daemon]
      TimedLoginEnable=true
      TimedLogin=gast
      TimedLoginDelay=10
 3. restart
 4. login as user bubi(1000)
 5. lock the screen
 6. select Login as different user below the password field
 7. select gast from the user list and enter the password for the gast
    user
 8. notice that the bubi user is unlocked instead of the gast user
}}}
Vulnerability 2:
{{{
Partial screen lock bypass via keybindings?
I noticed that on a locked Gnome screen, when you right-click on the
password text field, certain keyboard shortcuts are re-enabled.
Example1: right-click, the small menu (copy/paste/...) appears, then press
Super+F10. You can now see the front window menu, and e.g. you can close the
window, or change its parameters, etc.
Example2: right-click, press Alt+Screenshot, and a screenshot of the
window is taken and saved in the user's Pictures/ directory. It means that
someone can fill the disk with images.
Example3: press Alt+Super+S, and sometimes, Orca starts spelling you the
content of the window (which is supposed to be secret since the screen is
locked). It does not always do, not sure why. Note also that by then
enabling the virtual keyboard (by clicking on it in the accessibility
button that appeared on the upper-right corner of the screen), you can
then open (in the session, but not in gdm) the accessibility menu.
All of that doesn't look really intentional to me.
}}}
[https://gitlab.gnome.org/GNOME/gnome-shell/issues/851]
These vulnerabilities have been assigned IDs CVE-2019-3820 and
CVE-2019-3825 by Red Hat Product Security.
--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/11685>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
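
Added example (not part of the ticket and not GDM or BLFS code): a Python check for the timed-login precondition described in the reproduction steps for vulnerability 1, reading the [daemon] keys quoted there. The function name, the sample file contents, and the reading of an explicit WaylandEnable=false as "sessions run on X.org" are assumptions of this example.

```python
import configparser
import os

GDM_CONF = "/etc/gdm/custom.conf"  # path named in the ticket

# Constructed sample: the [daemon] settings from the reproduction steps.
SAMPLE_TIMED = "[daemon]\nTimedLoginEnable=true\nTimedLogin=gast\nTimedLoginDelay=10\n"
# Constructed sample: timed login commented out, Wayland disabled.
SAMPLE_OFF = "[daemon]\n#TimedLoginEnable=true\nTimedLogin=gast\nWaylandEnable=false\n"


def _truthy(value):
    # Key-file booleans are written "true"/"false"; "1" is also accepted here.
    return value is not None and value.strip().lower() in ("true", "1")


def audit_gdm_timed_login(conf_text):
    """Report whether the timed-login precondition is configured."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False,
        comment_prefixes=("#",), delimiters=("=",))
    parser.optionxform = str  # keep key case: TimedLoginEnable, not timedloginenable
    parser.read_string(conf_text)
    daemon = parser["daemon"] if parser.has_section("daemon") else {}

    user = (daemon.get("TimedLogin") or "").strip()
    try:
        delay = int(daemon.get("TimedLoginDelay", ""))
    except ValueError:
        delay = None  # unset or malformed
    return {
        # Assumption: timed login only takes effect with a user named.
        "timed_login_active": _truthy(daemon.get("TimedLoginEnable")) and bool(user),
        "timed_login_user": user or None,
        "delay_seconds": delay,
        # Assumption: an explicit WaylandEnable=false means sessions run on X.org.
        "xorg_forced": "WaylandEnable" in daemon
                       and not _truthy(daemon.get("WaylandEnable")),
    }


if __name__ == "__main__":
    if os.path.exists(GDM_CONF):
        with open(GDM_CONF, encoding="utf-8") as fh:
            print(audit_gdm_timed_login(fh.read()))
    else:
        print(audit_gdm_timed_login(SAMPLE_TIMED))
```

A host reporting timed_login_active as true matches the configuration used in the reproduction steps and is a candidate for the patched GDM first.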