GDM denial of service

gdm-dos (13447)

Low Risk

Description:

GNOME Display Manager (GDM) is vulnerable to a denial of service. A local attacker could send a number of bytes to gdm to consume all available memory and cause gdm to hang or crash.

Platforms Affected:

• Conectiva, Linux 8.0
• Conectiva, Linux 9.0
• GNOME, GNOME Display Manager (GDM) prior to 2.4.1.7
• MandrakeSoft, Mandrake Linux 9.1
• MandrakeSoft, Mandrake Linux 9.1 PPC
• MandrakeSoft, Mandrake Linux 9.2
• MandrakeSoft, Mandrake Linux Corporate Server 2.1
• MandrakeSoft, Mandrake Linux Corporate Server 2.1 X86_64
• Slackware, Slackware Linux 9.0
• Slackware, Slackware Linux 9.1
• Slackware, Slackware Linux current

Remedy:

For Mandrake Linux:
Upgrade to the latest gdm package, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2003:100 : gdm for more information. See References.

Mandrake Linux 9.2: 2.4.4.0-2.1.92mdk
Mandrake Linux 9.1: 2.4.1.6-0.4.91mdk or later
Mandrake Linux Corporate Server 2.1: 2.4.1.6-0.4.90mdk or later

For Conectiva Linux:
Upgrade to the latest gdm package, as listed below. Refer to Conectiva Linux Security Announcement CLSA-2003:766 for more information. See References.

Conectiva Linux 8: 2.2.5.4-3U80_2cl or later
Conectiva Linux 9: 2.4.1.6-27238U90_2cl or later

For Slackware Linux:
Upgrade to the latest gdm package, as listed below. Refer to slackware-security Mailing List, Mon, 27 Oct 2003 12:07:30 -0800 (PST) for more information. See References.

Slackware Linux 9.0: 2.4.1.7 or later
Slackware Linux 9.1 and -current: 2.4.4.5 or later

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Denial of Service

References:

• Conectiva Linux Security Announcement CLSA-2003:766, gdm at http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000766.
• slackware-security Mailing List, Mon, 27 Oct 2003 12:07:30 -0800 (PST), gdm security update (SSA:2003-300-01) at http://www.slackware.com/security/viewer.php?l=slackware-security&y=2003&m=slackware-security.388783.
• BID-8846: Multiple GDM Local Denial Of Service Vulnerabilities
• CVE-2003-0793: GDM 2.4.4.x before 2.4.4.4, and 2.4.1.x before 2.4.1.7, does not restrict the size of input, which allows attackers to cause a denial of service (memory consumption).
• MDKSA-2003:100: Updated gdm packages fix local vulnerabilities

Reported:

Oct 16, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page