[LightDM] Using debian/guest-account.sh allows local privilege escalation

Robert Ancell robert.ancell at gmail.com
Tue Apr 4 21:21:04 UTC 2017


A bug has been recently discovered in the Ubuntu guest-account script that
can allow local privilege escalation.

Bug: https://bugs.launchpad.net/bugs/1677924
CVE: 2017-7358
Introduced in revision 2233 (1.17.1)
Affects stable branches: 1.18, 1.20, 1.22

This script is in the LightDM bzr branch, but it is *not in the tarballs*
(and so not installed as part of the build system).


1. If you are not using the guest session functionality, then no action is

2. If you are using the Ubuntu script or a derivative of it, then apply the
patch to fix the issue.

3. If you are using guest session support with your own script, please
check if your script has a similar issue.
