Executive Summary

Information

Name: MDVSA-2013:230
Vendor: Mandriva
Severity (Vendor): N/A
First vendor publication: 2013-09-11
Last vendor modification: 2013-09-11
Revision: N/A

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: N/A
Base score: N/A
Impact sub score: N/A
Exploitability sub score: N/A
Temporal score: N/A
Environmental score: N/A

Security-Database Scoring CVSS v2

CVSS vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVSS base score: 6.9
CVSS impact score: 10
CVSS exploit score: 3.4
Attack range: Local
Attack complexity: Medium
Authentication: None required

Detail

A vulnerability has been discovered and corrected in gdm:

GNOME Display Manager (gdm) before 2.21.1 allows local users to change permissions of arbitrary directories via a symlink attack on /tmp/.X11-unix/ (CVE-2013-4169).

The updated packages have been patched to correct this issue.

Original Source

Url : http://www.mandriva.com/security/advisories?name=MDVSA-2013:230

CWE : Common Weakness Enumeration

CWE-59 (100 %): Improper Link Resolution Before File Access ('Link Following')

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:21234
Title: RHSA-2013:1213: gdm security update (Important)
Description: GNOME Display Manager (gdm) before 2.21.1 allows local users to change permissions of arbitrary directories via a symlink attack on /tmp/.X11-unix/.
Family: unix
Class: patch
Reference(s): RHSA-2013:1213-00, CESA-2013:1213, CVE-2013-4169
Version: 4
Platform(s): Red Hat Enterprise Linux 5, CentOS Linux 5
Product(s): gdm, initscripts
Definition Id: oval:org.mitre.oval:def:23089
Title: ELSA-2013:1213: gdm security update (Important)
Description: GNOME Display Manager (gdm) before 2.21.1 allows local users to change permissions of arbitrary directories via a symlink attack on /tmp/.X11-unix/.
Family: unix
Class: patch
Reference(s): ELSA-2013:1213-00, CVE-2013-4169
Version: 6
Platform(s): Oracle Linux 5
Product(s): gdm, initscripts
Definition Id: oval:org.mitre.oval:def:27417
Title: DEPRECATED: ELSA-2013-1213 -- gdm security update (important)
Description (package changelog):
gdm [2.16.0-59.0.1.el5_9.1]
- Fix gdmconfig memory leaks [orabug 12734629]
gdm [2.16.0-59.1]
- Don't try to pre-create directories that are internal implementation details of X. Resolves: #997619 CVE-2013-4169
initscripts [8.45.42-2.0.1.el5_9.1]
- Do not rename eth devices. Orabug 14266688. Apply upstream patches: 0001-Remove-reference-to-rename_device.patch, 0002-rename_device-dequote-DEVICE-eth0.patch, 0003-dont_try_to_rename_devices.patch
- change the ifup-eth and ifdown-eth script to use default leases file of dhclient. [Orabug 12434590]
- Update oracle-enterprise.patch to do detection on /etc/oracle-release and /etc/enterprise-release
- Patch x86_64 sysctl.conf as well as default sysctl.conf
- Patch sysctl.conf to default rp_filter to loose reverse path filtering (has no effect for pre-2.6.32 kernels) [orabug 10286227]
- Move hwclock into udev rules
- Update oracle-enterprise.patch to fix RedHat references in arch specific sysctl.conf files in source tarball
- Add oracle-enterprise.patch and update specfile
- Don't attempt to re-enslave already-enslaved devices (#455537) (pknirsch@redhat.com)
initscripts [8.45.42-2.1]
- create /tmp/.X11-unix in rc.sysinit (#997622, CVE-2013-4169)
initscripts [8.45.42-2]
- added missing '-p p' for kpartx in netfs (#844671)
Family: unix
Class: patch
Reference(s): ELSA-2013-1213, CVE-2013-4169
Version: 4
Platform(s): Oracle Linux 5
Product(s): gdm, initscripts

CPE : Common Platform Enumeration

Type: Application
Count: 44

Nessus® Vulnerability Scanner

Date: 2013-09-07
Name: The remote Oracle Linux host is missing one or more security updates.
File: oraclelinux_ELSA-2013-1213.nasl
Type: ACT_GATHER_INFO

Date: 2013-09-06
Name: The remote CentOS host is missing one or more security updates.
File: centos_RHSA-2013-1213.nasl
Type: ACT_GATHER_INFO

Date: 2013-09-06
Name: The remote Red Hat host is missing one or more security updates.
File: redhat-RHSA-2013-1213.nasl
Type: ACT_GATHER_INFO

Date: 2013-09-06
Name: The remote Scientific Linux host is missing one or more security updates.
File: sl_20130905_gdm_on_SL5_x.nasl
Type: ACT_GATHER_INFO

Alert History

2013-09-12 13:24:08 - Multiple Updates
2013-09-11 17:26:10 - Multiple Updates
2013-09-11 17:21:47 - First insertion