This patch seems to fix the problem.

** Patch added: "07_CVE-2011-4105.patch"
   https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/883865/+attachment/2609002/+files/07_CVE-2011-4105.patch

https://bugs.launchpad.net/bugs/883865

Title:
  lightdm doesn't drop privileges when reading ~/.dmrc

Status in “lightdm” package in Ubuntu: Fix Released
Status in “lightdm” source package in Oneiric: Fix Released
Status in “lightdm” source package in Precise: Fix Released

Bug description:
  LightDM doesn't drop privileges when reading the ~/.dmrc file. This
  allows a local user to read configuration files he would normally not
  have read permissions for, for example, mysql configuration files that
  contain passwords.

  How to reproduce:

  1- Create a /etc/app.conf file owned by root with 600 permissions,
     containing the following:

     [App]
     password=xyz

  2- Log in as a regular user
  3- rm ~/.dmrc
  4- ln -s /etc/app.conf ~/.dmrc
  5- Log out, log back in
  6- Look at ~/.dmrc
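
The bug description above comes down to a root process opening a path that the user controls. As an added example (not LightDM code and not the attached patch), this C sketch reads such a file by switching the effective uid/gid to the user for the open, refusing a symlink with O_NOFOLLOW, and checking the owner of the opened file. The name `read_user_file` and the temp paths in `main` are hypothetical and constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not LightDM code: read a per-user file for uid/gid
 * from a privileged process. Returns bytes read, or -1 with errno set. */
ssize_t read_user_file(const char *path, uid_t uid, gid_t gid, char *buf, size_t len)
{
    uid_t old_uid = geteuid();
    gid_t old_gid = getegid();
    struct stat st;
    ssize_t n = -1;
    int fd, err;
    /* Take on the user's identity, group first. Supplementary groups are not handled here. */
    if (setegid(gid) != 0) return -1;
    if (seteuid(uid) != 0) { err = errno; setegid(old_gid); errno = err; return -1; }
    /* O_NOFOLLOW: fail with ELOOP when the last path component is a symlink. */
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    err = errno;
    /* Regain the saved identity; carrying on with the wrong one is not an option. */
    if (seteuid(old_uid) != 0 || setegid(old_gid) != 0) abort();
    if (fd < 0) { errno = err; return -1; }
    /* Accept only a regular file that the user owns. */
    if (fstat(fd, &st) != 0) err = errno;
    else if (!S_ISREG(st.st_mode) || st.st_uid != uid) err = EACCES;
    else if ((n = read(fd, buf, len)) < 0) err = errno;
    close(fd);
    if (n < 0) errno = err;
    return n;
}

/* Constructed demo: a file we own is read, a ~/.dmrc-style symlink to it is refused. */
int main(void)
{
    char dir[] = "/tmp/dmrc-demoXXXXXX", file[64], lnk[64], buf[64];
    FILE *f;
    if (!mkdtemp(dir)) return 1;
    snprintf(file, sizeof file, "%s/app.conf", dir);
    snprintf(lnk, sizeof lnk, "%s/.dmrc", dir);
    if (!(f = fopen(file, "w")) || fputs("[App]\npassword=xyz\n", f) < 0 || fclose(f) != 0) return 1;
    if (symlink(file, lnk) != 0) return 1;
    printf("file: %zd\n", read_user_file(file, geteuid(), getegid(), buf, sizeof buf));
    printf("link: %zd\n", read_user_file(lnk, geteuid(), getegid(), buf, sizeof buf));
    return 0;
}
```

With the effective uid switched, the kernel already denies the open of a root-owned 600 file; the O_NOFOLLOW and owner checks additionally cover targets the user can read but does not own.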