ISS X-Force Database: gdm-dos(13447): GDM denial of service

GDM denial of service

gdm-dos (13447)

Medium Risk

Description:

GNOME Display Manager (GDM) is vulnerable to a denial of service. A local attacker could send a number of bytes to gdm to consume all available memory and cause gdm to hang or crash.

Consequences:

Denial of Service

Remedy:

For Mandrake Linux:
Upgrade to the latest gdm package, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2003:100 : gdm for more information. See References.

Mandrake Linux 9.2: 2.4.4.0-2.1.92mdk
Mandrake Linux 9.1: 2.4.1.6-0.4.91mdk or later
Mandrake Linux Corporate Server 2.1: 2.4.1.6-0.4.90mdk or later

For Conectiva Linux:
Upgrade to the latest gdm package, as listed below. Refer to Conectiva Linux Security Announcement CLSA-2003:766 for more information. See References.

Conectiva Linux 8: 2.2.5.4-3U80_2cl or later
Conectiva Linux 9: 2.4.1.6-27238U90_2cl or later

For Slackware Linux:
Upgrade to the latest gdm package, as listed below. Refer to slackware-security Mailing List, Mon, 27 Oct 2003 12:07:30 -0800 (PST) for more information. See References.

Slackware Linux 9.0: 2.4.1.7 or later
Slackware Linux 9.1 and -current: 2.4.4.5 or later

For other distributions:
Contact your vendor for upgrade or patch information.

References:

Conectiva Linux Security Announcement CLSA-2003:766: gdm.
slackware-security Mailing List, Mon, 27 Oct 2003 12:07:30 -0800 (PST): gdm security update (SSA:2003-300-01).
BID-8846: Multiple GDM Local Denial Of Service Vulnerabilities
CVE-2003-0793: GDM 2.4.4.x before 2.4.4.4, and 2.4.1.x before 2.4.1.7, does not restrict the size of input, which allows attackers to cause a denial of service (memory consumption).
MDKSA-2003:100: Updated gdm packages fix local vulnerabilities
OSVDB ID: 2683: GDM Input Size Memory Consumption Local DoS

Platforms Affected:

Conectiva Linux 8.0
Conectiva Linux 9.0
GNOME GNOME Display Manager (GDM) prior to 2.4.1.7
MandrakeSoft Mandrake Linux 9.1
MandrakeSoft Mandrake Linux 9.1 PPC
MandrakeSoft Mandrake Linux 9.2
MandrakeSoft Mandrake Linux Corporate Server 2.1
MandrakeSoft Mandrake Linux Corporate Server 2.1 X86_64
Slackware Slackware Linux 9.0
Slackware Slackware Linux 9.1
Slackware Slackware Linux current

Reported:

Oct 16, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this

Return to the main page