[LightDM] Version 1.0.6 released

Yves-Alexis Perez corsac at debian.org
Wed Nov 2 10:24:37 PDT 2011


On Wed, 2011-11-02 at 18:18 +0100, Guido Berhoerster wrote:
> * Yves-Alexis Perez <corsac at debian.org> [2011-11-02 18:00]:
> > On Wed, 2011-11-02 at 11:42 -0400, Robert Ancell wrote:
> > > Fixes a security issue where using ~/.Xauthority as a symlink would
> > > cause LightDM to set the destination of the link to user ownership.
> > > All users of 1.0.4 or 1.0.5 should upgrade immediately.
> > > 
> > > Overview of changes in lightdm 1.0.6
> > > 
> > >     * Use lchown for correcting ownership of ~/.Xauthority instead of chown
> > 
> > This has been assigned CVE-2011-4105.
> > 
> > I don't remember exactly, but is there a reason for not doing that
> > work as the target user, instead of chown'ing it?
> 
> The code in question here corrects the ownership of .Xauthority
> files previously written as root by LightDM < 0.9.8 (which was
> CVE-2011-3349).
> 
Thanks!

-- 
Yves-Alexis
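
An added example, not LightDM's code and not part of the original message: the release switches from chown to lchown so that the ownership change lands on the link itself rather than on its destination. The example below goes one step further than that fix and refuses a symlinked ~/.Xauthority outright, by opening the path with O_NOFOLLOW and calling fchown on the descriptor. The names fix_owner_nofollow and demo_case are hypothetical, the scratch directory is constructed, and ELOOP is the error Linux returns for this case.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Give `path` to uid:gid without ever following a symlink at that name.
 * Returns 0 on success or an errno value (ELOOP when `path` is a symlink). */
int fix_owner_nofollow(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    /* O_NONBLOCK keeps open() from hanging if the name is a FIFO. */
    int err = 0, fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_NOCTTY);
    if (fd < 0)
        return errno;
    /* fstat and fchown act on the opened inode, not on the path name. */
    if (fstat(fd, &st) < 0)
        err = errno;
    else if (!S_ISREG(st.st_mode) || st.st_nlink != 1)
        err = EPERM;            /* only a plain, singly linked file qualifies */
    else if (fchown(fd, uid, gid) < 0)
        err = errno;
    close(fd);
    return err;
}

/* Constructed fixture: a scratch "home" whose .Xauthority is either a
 * regular file (as_symlink = 0) or a symlink to another file (as_symlink = 1).
 * Returns fix_owner_nofollow's result, or -1 if the fixture cannot be built. */
int demo_case(int as_symlink)
{
    char dir[] = "/tmp/xauth-demo-XXXXXX", target[64], xauth[64];
    if (!mkdtemp(dir))
        return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(xauth, sizeof xauth, "%s/.Xauthority", dir);
    int fd = open(as_symlink ? target : xauth, O_CREAT | O_WRONLY, 0600);
    if (fd < 0 || close(fd) < 0 || (as_symlink && symlink(target, xauth) < 0))
        return -1;
    int rc = fix_owner_nofollow(xauth, geteuid(), getegid());
    unlink(xauth); unlink(target); rmdir(dir);
    return rc;
}

int main(void)
{
    printf("regular: %d, symlink: %d\n", demo_case(0), demo_case(1));
    return 0;
}
```

The fixture passes the caller's own uid and gid so it runs unprivileged; a display manager running as root would pass the session user's ids instead.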