Bug 857899 (CVE-2013-7273) - VUL-1: CVE-2013-7273: gdm3 local DoS
Status: RESOLVED WONTFIX
Alias: CVE-2013-7273
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 13.1
Priority: P4 - Low, Severity: Minor
Target Milestone: ---
Assignee: Dominique Leuenberger
QA Contact: Security Team bot
 
Reported: 2014-01-08 13:04 UTC by Sebastian Krahmer
Modified: 2017-09-21 11:59 UTC


Description Sebastian Krahmer 2014-01-08 13:04:13 UTC
Via OSS-sec:


Hm, if this warrants a CVE for lightdm, then gdm3 needs one also:

 https://bugzilla.gnome.org/show_bug.cgi?id=704284
 http://bugs.debian.org/683338

Basically, when gdm3 is configured to not show a list of users (but
instead shows a blank box for the login prompt), if the user clicks
"cancel" or hits the escape key, then the greeter gets put into a mode
without any way to log in (no prompts available).

I've tried to debug it but it appears to be due to some sort of
timing-dependent case.  When I step through the code with gdb, I haven't
been able to reproduce the issue.

It is definitely a bad situation for machines in public locations with
this configuration.
Comment 1 Sebastian Krahmer 2014-01-08 13:04:36 UTC
CVE-2013-7273
Comment 2 Swamp Workflow Management 2014-01-10 23:00:13 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2014-07-03 09:30:46 UTC
considering opensuse only
Comment 4 Dominique Leuenberger 2017-09-21 11:59:27 UTC
The fallback greeter of gdm has long been removed - which obsoletes this bug.