
Bug#973748: marked as done (sddm: CVE-2020-28049: local privilege escalation due to race condition in creation of the Xauthority file)



Your message dated Fri, 13 Nov 2020 11:03:37 +0000
with message-id <E1kdWrh-00097J-Rm@fasolo.debian.org>
and subject line Bug#973748: fixed in sddm 0.18.0-1+deb10u1
has caused the Debian Bug report #973748,
regarding sddm: CVE-2020-28049: local privilege escalation due to race condition in creation of the Xauthority file
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
973748: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=973748
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: sddm
Version: 0.18.1-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for sddm.

CVE-2020-28049[0]:
| local privilege escalation due to race condition in creation of the
| Xauthority file

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-28049
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28049
[1] https://github.com/sddm/sddm/commit/be202f533ab98a684c6a007e8d5b4357846bc222
[2] https://bugzilla.suse.com/show_bug.cgi?id=1177201
[3] https://www.openwall.com/lists/oss-security/2020/11/04/2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: sddm
Source-Version: 0.18.0-1+deb10u1
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of
sddm, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 973748@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated sddm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 04 Nov 2020 15:29:27 +0100
Source: sddm
Architecture: source
Version: 0.18.0-1+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 973748
Changes:
 sddm (0.18.0-1+deb10u1) buster-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix X not having access control on startup (CVE-2020-28049)
     (Closes: #973748)
Checksums-Sha1: 
 6a6813f739dd6f78a3b4b358d85ca64ba5d57d33 2834 sddm_0.18.0-1+deb10u1.dsc
 d6b5dc3ec560acdfa3afb6e7a88d062b45378930 3526688 sddm_0.18.0.orig.tar.gz
 d7b2b8a20ec040be316fedb2f213249a339f1a2f 52856 sddm_0.18.0-1+deb10u1.debian.tar.xz
Checksums-Sha256: 
 4257601035f4a2c0a50afaf120e7d4fd1418aac2ef6b44d9497c52eab3a6eeec 2834 sddm_0.18.0-1+deb10u1.dsc
 9c50b6194f1b4dbf6e1a1b21f23c2c5e384871172985e192b91585986d38eec4 3526688 sddm_0.18.0.orig.tar.gz
 6e3a85f8af20d9b5f6a5b91ed2552f680ff964e6ba85ced3eb5659bee7522a54 52856 sddm_0.18.0-1+deb10u1.debian.tar.xz
Files: 
 17bef940125e17671ee5b7abd44be783 2834 kde optional sddm_0.18.0-1+deb10u1.dsc
 f8656aa61020c727b6925225fa681996 3526688 kde optional sddm_0.18.0.orig.tar.gz
 bd8ea261aacb78364696f0dfafd7d643 52856 kde optional sddm_0.18.0-1+deb10u1.debian.tar.xz


--- End Message ---