On Thursday 28 December 2006 09:59, Josselin Mouette wrote:
> On Wednesday 27 December 2006 at 23:55 +0100, Stefan Fritsch wrote:
> > Package: gconf2
> > Version: 2.16.0-3
> > Severity: important
> > Tags: security
> >
> > A vulnerability has been reported in gconfd:
> >
> > The GConf daemon (gconfd) in GConf 2.14.0 creates temporary files
> > under directories with names based on the username, even when
> > GCONF_GLOBAL_LOCKS is not set, which allows local users to cause
> > a denial of service by creating the directories ahead of time,
> > which prevents other users from using Gnome.
> >
> > See
> >
> > http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219279
> > http://bugzilla.gnome.org/show_bug.cgi?id=167030
> >
> > for details. Please mention the CVE id in the changelog.
>
> This is a known problem that upstream doesn't find serious enough
> to fix it. The solution is to turn on global locking by default -
> currently it is enabled with the GCONF_LOCAL_LOCKS environment
> variable. However, it can break when /home is on NFS with some kind
> of servers. I intended to make this change post-etch so that we had
> time to see how it breaks.
>
> If the release managers want to, I can upload this change to
> unstable. I can also provide a backport for etch if the security
> team wants to issue an advisory, but be warned that this change is
> not harmless - although an environment variable will enable local
> locking if a user wants to revert to the current behavior.

There is a patch at http://bugzilla.gnome.org/show_bug.cgi?id=141138 which (AIUI) creates locking directories with random names. But I agree that this is not so important that some more or less untested solution should go into etch.
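
The mitigation discussed in this thread (validate a per-user directory in a shared location, and fall back to a randomly named one), as an added C example that is not GConf's code or the patch from GNOME bug 141138. The `lockdemo-` prefix, both function names and the user name `alice` are hypothetical.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* glibc: expose mkdtemp() and lstat() under strict -std */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if path is a real directory (not a symlink), owned by the calling
 * user and closed to group/other; 0 otherwise. */
int dir_is_private(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    return S_ISDIR(st.st_mode) && st.st_uid == geteuid()
        && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Hypothetical helper: try the predictable name base/lockdemo-USER; if it
 * already exists but is not ours (pre-created by someone else), use a
 * random mkdtemp() name instead of failing.
 * Returns 0 = predictable name, 1 = random fallback, -1 = error. */
int make_lock_dir(const char *base, const char *user, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/lockdemo-%s", base, user);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    if ((mkdir(out, 0700) == 0 || errno == EEXIST) && dir_is_private(out))
        return 0;
    n = snprintf(out, outlen, "%s/lockdemo-%s-XXXXXX", base, user);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return mkdtemp(out) ? 1 : -1; /* mkdtemp creates the directory with mode 0700 */
}

int main(void)
{
    char path[4096];
    int r = make_lock_dir("/tmp", "alice", path, sizeof path); /* constructed user name */
    if (r < 0) { perror("make_lock_dir"); return 1; }
    printf("%s (%s)\n", path, r ? "random fallback" : "predictable name");
    return 0;
}
```

With the random fallback the directory is no longer at a well-known path, so the daemon has to tell its clients where it is by some other means.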

