[oss-security] CVE Request: ldm (LTSP display manager)

Could we please get a CVE assigned to the following issue?:

Starting with ldm 2.2.x, upstream switched to using wwm as a minimal window manager.
It was discovered that wwm ships with keybindings that allow spawning an xterm.

As the ldm greeter runs as root, this allows for a passwordless root shell.

Bug:
https://bugs.launchpad.net/ubuntu/+source/ldm/+bug/953340

Commit:
http://bazaar.launchpad.net/~ltsp-upstream/ltsp/ldm-trunk/revision/1419

Thanks,

Marc.

-- Marc Deslauriers Ubuntu Security Engineer | http://www.ubuntu.com/ Canonical Ltd. | http://www.canonical.com/

• This message: [ Message body ]
• Next message: Kurt Seifried: "Re: [oss-security] CVE request: openssl: null pointer dereference issue"
• Previous message: Kurt Seifried: "Re: [oss-security] CVE Request -- openldap (slapd): Assertion failure by processing search queries requesting only attributes for particular entry"
• Next in thread: Kurt Seifried: "Re: [oss-security] CVE Request: ldm (LTSP display manager)"
• Reply: Kurt Seifried: "Re: [oss-security] CVE Request: ldm (LTSP display manager)"

• Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]