[LightDM] Using debian/guest-account.sh allows local privilege escalation

Robert Ancell robert.ancell at gmail.com
Tue Apr 4 21:21:04 UTC 2017


Hi,

A bug has been recently discovered in the Ubuntu guest-account script that
can allow local privilege escalation.

Bug: https://bugs.launchpad.net/bugs/1677924
CVE: 2017-7358
Introduced in revision 2233 (1.17.1)
Affects stable branches: 1.18, 1.20, 1.22

This script is in the LightDM bzr branch, but it is *not in the tarballs*
(and so not installed as part of the build system).

Actions:

1. If you are not using the guest session functionality, then no action is
required.

2. If you are using the Ubuntu script or a derivative of it, then apply the
patch to fix the issue.

3. If you are using guest session support with your own script, please
check if your script has a similar issue.

Thanks,
--Robert