** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2011-3349
** Description changed: Hey, as you were on CC: I guess you're already aware, but reporting so it can be tracked upstream. Short version: http://seclists.org/oss-sec/2011/q3/393 Long version: .dmrc and Xauthority files are written by lightdm running as root while they're in user controlled folders. An user can, via a symlink, overwrite root-owned files. It doesn't look like it can achieve easily privilege-escalation (since the content is quite fixed) but it's still bad. Basically the correct fix seems to have workers process which would setuid() to the user before writing content to those files. - There's no CVE affected yet. + CVE-2011-3349 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to lightdm in Ubuntu. https://bugs.launchpad.net/bugs/834079 Title: files written as root to user-controlled folders Status in Light Display Manager: Triaged Status in “lightdm” package in Ubuntu: In Progress Status in “lightdm” source package in Oneiric: In Progress Status in “lightdm” package in Debian: Confirmed Bug description: Hey, as you were on CC: I guess you're already aware, but reporting so it can be tracked upstream. Short version: http://seclists.org/oss-sec/2011/q3/393 Long version: .dmrc and Xauthority files are written by lightdm running as root while they're in user controlled folders. An user can, via a symlink, overwrite root-owned files. It doesn't look like it can achieve easily privilege-escalation (since the content is quite fixed) but it's still bad. Basically the correct fix seems to have workers process which would setuid() to the user before writing content to those files. CVE-2011-3349 To manage notifications about this bug go to: https://bugs.launchpad.net/lightdm/+bug/834079/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp