[ASA-201903-3] gdm: access restriction bypass
Arch Linux Security Advisory ASA-201903-3
=========================================

Severity: High
Date    : 2019-03-03
CVE-ID  : CVE-2019-3820 CVE-2019-3825
Package : gdm
Type    : access restriction bypass
Remote  : No
Link    : https://security.archlinux.org/AVG-879

Summary
=======

The package gdm before version 3.30.3-1 is vulnerable to access
restriction bypass.

Resolution
==========

Upgrade to 3.30.3-1.

# pacman -Syu "gdm>=3.30.3-1"

The problems have been fixed upstream in version 3.30.3.

Workaround
==========

None.

Description
===========

- CVE-2019-3820 (access restriction bypass)

A partial screen lock bypass via keybindings has been found in gdm <=
3.30.2, allowing a local attacker to unlock a session under certain
circumstances.

- CVE-2019-3825 (access restriction bypass)

An issue has been found in gdm <= 3.30.2, allowing a local attacker
with valid credentials to unlock the session for a different user than
their own.

Impact
======

A local attacker can unlock a session if they have other valid
credentials, or under certain circumstances.

References
==========

https://gitlab.gnome.org/GNOME/gnome-shell/issues/851
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3825
https://gitlab.gnome.org/GNOME/gdm/issues/460
https://security.archlinux.org/CVE-2019-3820
https://security.archlinux.org/CVE-2019-3825
participants (1)
-
Morten Linderud