Your message dated Fri, 23 Apr 2010 19:58:43 +0200
with message-id <1272045523.28986.2.camel@tomoyo>
and subject line Re: Bug#578928: gdm3: gives shell-access as user Debian-gdm to everyone
has caused the Debian Bug report #578928,
regarding gdm3: gives shell-access as user Debian-gdm to everyone
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
578928: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=578928
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: gdm3: gives shell-access as user Debian-gdm to everyone
- From: Johann Felix Soden <johfel@gmx.de>
- Date: Fri, 23 Apr 2010 18:20:08 +0200
- Message-id: <20100423172658.D99C938600A@LAPJFS>
Package: gdm3
Version: 2.30.0-2
Severity: grave
Tags: security
Justification: user security hole

If I enable the screen-reader in the login manager, a gnome-terminal window is
opened. There everyone can get shell access as user Debian-gdm by creating a
new profile.

The following processes are running:

gnome-terminal -x /usr/bin/orca --no-setup --disable main-window --disable magnifier --enable speech
/usr/bin/python -c import orca.orca; orca.orca.main() --no-setup --disable main-window --disable magnifier --enable speech

After enabling and disabling the screen reader several times, the
gnome-terminal window disappears immediately each time. Only the python
process keeps running. This behaviour continues until gdm3 is restarted.

-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages gdm3 depends on:
ii adduser 3.112 add and remove users and groups
ii debconf [debconf-2.0] 1.5.32 Debian configuration management sy
ii gconf2 2.28.1-3 GNOME configuration database syste
ii gnome-session [x-sessio 2.30.0-1 The GNOME Session Manager - GNOME
ii gnome-session-bin 2.30.0-1 The GNOME Session Manager - Minima
ii gnome-terminal [x-termi 2.30.0-1 The GNOME terminal emulator applic
ii kde-window-manager [x-w 4:4.3.4-5+b1 the KDE 4 window manager (KWin)
ii konsole [x-terminal-emu 4:4.3.4-1 X terminal emulator for KDE 4
ii libart-2.0-2 2.3.20-2 Library of functions for 2D graphi
ii libatk1.0-0 1.30.0-1 The ATK accessibility toolkit
ii libattr1 1:2.4.44-1 Extended attribute shared library
ii libaudit0 1.7.13-1+b1 Dynamic library for security audit
ii libbonobo2-0 2.24.3-1 Bonobo CORBA interfaces library
ii libbonoboui2-0 2.24.3-1 The Bonobo UI library
ii libc6 2.10.2-6 Embedded GNU C Library: Shared lib
ii libcairo2 1.8.10-4 The Cairo 2D vector graphics libra
ii libcanberra-gtk0 0.22-1 Gtk+ helper for playing widget eve
ii libcanberra0 0.22-1 a simple abstract interface for pl
ii libdbus-1-3 1.2.24-1 simple interprocess messaging syst
ii libdbus-glib-1-2 0.86-1 simple interprocess messaging syst
ii libdevkit-power-gobject 1:0.9.2-1 abstraction for power management -
ii libfontconfig1 2.8.0-2 generic font configuration library
ii libfreetype6 2.3.11-1 FreeType 2 font engine, shared lib
ii libgconf2-4 2.28.1-3 GNOME configuration database syste
ii libglib2.0-0 2.24.0-1 The GLib library of C routines
ii libgnome2-0 2.30.0-1 The GNOME library - runtime files
ii libgnomecanvas2-0 2.30.1-1 A powerful object-oriented display
ii libgtk2.0-0 2.20.0-3 The GTK+ graphical user interface
ii liborbit2 1:2.14.18-0.1 libraries for ORBit2 - a CORBA ORB
ii libpam-modules 1.1.1-2 Pluggable Authentication Modules f
ii libpam-runtime 1.1.1-2 Runtime support for the PAM librar
ii libpam0g 1.1.1-2 Pluggable Authentication Modules l
ii libpanel-applet2-0 2.28.0-3 library for GNOME Panel applets
ii libpango1.0-0 1.28.0-1 Layout and rendering of internatio
ii libpolkit-gobject-1-0 0.96-2 PolicyKit Authorization API
ii libpolkit-gtk-1-0 0.96-2 PolicyKit GTK+ API
ii libpopt0 1.15-1 lib for parsing cmdline parameters
ii librsvg2-common 2.26.2-1 SAX-based renderer library for SVG
ii libselinux1 2.0.94-1 SELinux runtime shared libraries
ii libwrap0 7.6.q-18 Wietse Venema's TCP wrappers libra
ii libx11-6 2:1.3.3-3 X11 client-side library
ii libxau6 1:1.0.5-2 X11 authorisation library
ii libxdmcp6 1:1.0.3-2 X11 Display Manager Control Protoc
ii libxklavier16 5.0-2 X Keyboard Extension high-level AP
ii libxml2 2.7.7.dfsg-2 GNOME XML library
ii lsb-base 3.2-23.1 Linux Standard Base 3.2 init scrip
ii metacity [x-window-mana 1:2.30.1-1 lightweight GTK+ window manager
ii policykit-1-gnome 0.96-2 GNOME authentication agent for Pol
ii upower 0.9.2-1 abstraction for power management
ii xfwm4 [x-window-manager 4.6.1-1 window manager of the Xfce project
ii xterm [x-terminal-emula 256-1 X terminal emulator
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime

Versions of packages gdm3 recommends:
ii at-spi 1.30.0-2 Assistive Technology Service Provi
ii gnome-icon-theme 2.30.1-1 GNOME Desktop icon theme
ii gnome-power-manager 2.30.0-1 power management tool for the GNOM
ii gnome-settings-daemon 2.28.1-3 daemon handling the GNOME session
ii xnest 2:1.7.6.901-3 Nested X server
ii xserver-xephyr 2:1.7.6.901-3 nested X server
ii xserver-xorg 1:7.5+5 the X.Org X server
ii zenity 2.30.0-1 Display graphical dialog boxes fro

Versions of packages gdm3 suggests:
ii gnome-mag 1:0.15.9-1 a screen magnifier for the GNOME d
ii gnome-orca 2.30.0-1 Scriptable screen reader
ii libpam-gnome-keyring 2.30.0-2 PAM module to unlock the GNOME key
--- End Message ---
--- Begin Message ---
- To: Johann Felix Soden <johfel@gmx.de>, 578928-done@bugs.debian.org
- Subject: Re: Bug#578928: gdm3: gives shell-access as user Debian-gdm to everyone
- From: Josselin Mouette <joss@debian.org>
- Date: Fri, 23 Apr 2010 19:58:43 +0200
- Message-id: <1272045523.28986.2.camel@tomoyo>
- In-reply-to: <20100423172658.D99C938600A@LAPJFS>
- References: <20100423172658.D99C938600A@LAPJFS>
reassign 578928 gnome-orca
fixed 578928 2.30.0-2
thanks

On Friday, 23 April 2010 at 18:20 +0200, Johann Felix Soden wrote:
> If I enable the screen-reader in the login manager, a gnome-terminal window is
> opened. There everyone can get shell access as user Debian-gdm by creating a
> new profile.

Thanks for the report. It was a problem in orca rather than gdm3 itself,
and I have uploaded a fixed version.

--
 .''`.      Josselin Mouette
: :' :
`. `'  “If you behave this way because you are blackmailed by someone,
  `-    […] I will see what I can do for you.”  -- Jörg Schilling

Attachment: signature.asc
Description: This is a digitally signed message part
--- End Message ---
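
A defender-side check for the condition the report describes, added here as an example (it is not code from this thread or from the gdm3 or gnome-orca packages): it scans a `ps` listing for terminal emulators or shells running as the greeter account. The process lines and PIDs below are constructed sample input, and the list of program names and the `GREETER_USER` variable are assumptions for illustration.

```shell
#!/bin/sh
# Flag interactive programs (terminal emulators, shells) owned by the display
# manager's unprivileged account. Input on stdin: "USER PID ARGS..." lines,
# as printed by procps `ps -eo user:32,pid,args --no-headers`.

GREETER_USER="${GREETER_USER:-Debian-gdm}"   # account named in the report

find_greeter_terminals() {
    awk -v user="$GREETER_USER" '
        BEGIN {
            # Illustrative list (an assumption); extend for the local system.
            n = split("gnome-terminal konsole xterm sh bash dash zsh", names, " ")
            for (i = 1; i <= n; i++) risky[names[i]] = 1
        }
        $1 == user {
            exe = $3
            sub(/^.*\//, "", exe)   # keep only the basename of argv[0]
            sub(/^-/, "", exe)      # login shells appear as "-bash"
            if (exe in risky) print $2, exe
        }
    '
}

# Constructed sample listing modelled on the processes quoted in the report.
sample_ps() {
    cat <<'EOF'
root        1021 /usr/sbin/gdm3
Debian-gdm  1187 /usr/bin/gnome-session
Debian-gdm  1320 gnome-terminal -x /usr/bin/orca --no-setup --disable main-window --disable magnifier --enable speech
Debian-gdm  1322 /usr/bin/python -c import orca.orca; orca.orca.main() --no-setup --disable main-window --disable magnifier --enable speech
Debian-gdm  1341 /bin/bash
alice       2210 /bin/bash
EOF
}

# Prints one "PID program" pair per finding. On a live system, replace
# sample_ps with: ps -eo user:32,pid,args --no-headers
sample_ps | find_greeter_terminals
```

Any output on a machine sitting at the login screen means an interactive program is running as the greeter account and should be investigated.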