News on what exactly? The code isn't in trunk anymore, and we've applied
the patch to our releases.
If you're looking for a patch that doesn't use O_NOFOLLOW, you might as
well remove the offending code from lightdm altogether, that would be
the best solution.
--
Yes, good point, code is removed now, sorry for that.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/883865
Title:
lightdm doesn't drop privileges when reading ~/.dmrc
To manage notifications about
Any news on this?
--
This patch seems to fix the problem.
** Patch added: 07_CVE-2011-4105.patch
https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/883865/+attachment/2609002/+files/07_CVE-2011-4105.patch
--
Note that the patch uses O_NOFOLLOW flag to open() which is Linux-only.
--
** Visibility changed to: Public
--
This bug was fixed in the package lightdm - 1.0.6-0ubuntu3
---
lightdm (1.0.6-0ubuntu3) precise; urgency=low
* SECURITY UPDATE: file contents disclosure via hard link
- debian/patches/04_CVE-2011-4105.patch: make sure file isn't a symlink
or a hard link before doing the
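
The check named in the changelog entry above (refuse a symlink or a hard link before reading a file in the user's home directory), sketched in C as an added example; it is not the lightdm patch or any code from this bug report. `open_user_file` and `demo` are hypothetical names, and the fixture files are constructed in a temporary directory under `/tmp`.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open path read-only, refusing symlinks, non-regular files and files with
   more than one hard link. Returns an fd, or -1 with errno set. */
int open_user_file(const char *path)
{
    struct stat st;
    /* O_NOFOLLOW: fail (ELOOP on Linux) if the last path component is a
       symlink. O_NONBLOCK: do not block on a FIFO placed at the path. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* Check the opened descriptor, not the path, so the file cannot be
       swapped between the check and the read. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed fixtures: a plain file, plus a symlink and a hard link to a
   second file. Returns a bitmask: 1 = plain file accepted,
   2 = symlink rejected, 4 = hard link rejected. */
int demo(void)
{
    char dir[] = "/tmp/dmrcXXXXXX", a[64], b[64], s[64], h[64];
    int r = 0, fd;
    if (!mkdtemp(dir)) return -1;
    snprintf(a, sizeof a, "%s/dmrc", dir);
    snprintf(b, sizeof b, "%s/secret", dir);
    snprintf(s, sizeof s, "%s/sym", dir);
    snprintf(h, sizeof h, "%s/hard", dir);
    close(open(a, O_CREAT | O_WRONLY, 0600));
    close(open(b, O_CREAT | O_WRONLY, 0600));
    if (symlink(b, s) != 0 || link(b, h) != 0) return -1;
    if ((fd = open_user_file(a)) >= 0) { r |= 1; close(fd); }
    if (open_user_file(s) < 0 && errno == ELOOP) r |= 2;
    if (open_user_file(h) < 0 && errno == EPERM) r |= 4;
    unlink(a); unlink(b); unlink(s); unlink(h); rmdir(dir);
    return r;
}
```

O_NOFOLLOW only covers the final path component, so symlinked parent directories are still followed by this sketch.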