Security update for sddm SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:2310-1 Final 1 1 2018-08-13T08:09:03Z current 2018-08-13T08:09:03Z 2018-08-13T08:09:03Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for sddm This update for sddm fixes the following issues: The following security vulnerability was addressed: - CVE-2018-14345: Fixed the authentication, which did not check the password for users with an already existing session and allowed any user with access to the system bus to unlock any graphical session. (boo#1101450) The following other bugs were addressed: - Fallback to embedded theme, if none is set - Corrected section name for Wayland - Removed patch, which is no longer needed, because bug in libxcb was fixed in the meanwhile (boo#1099908) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-security-announce/2018-08/msg00047.html E-Mail link for openSUSE-SU-2018:2310-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 15.0 sddm-0.17.0-lp150.9.3.1 sddm-branding-openSUSE-0.17.0-lp150.9.3.1 sddm-branding-upstream-0.17.0-lp150.9.3.1 sddm-0.17.0-lp150.9.3.1 as a component of openSUSE Leap 15.0 sddm-branding-openSUSE-0.17.0-lp150.9.3.1 as a component of openSUSE Leap 15.0 sddm-branding-upstream-0.17.0-lp150.9.3.1 as a component of openSUSE Leap 15.0 An issue was discovered in SDDM through 0.17.0. If configured with ReuseSession=true, the password is not checked for users with an already existing session. Any user with access to the system D-Bus can therefore unlock any graphical session. This is related to daemon/Display.cpp and helper/backend/PamBackend.cpp. CVE-2018-14345 openSUSE Leap 15.0:sddm-0.17.0-lp150.9.3.1 openSUSE Leap 15.0:sddm-branding-openSUSE-0.17.0-lp150.9.3.1 openSUSE Leap 15.0:sddm-branding-upstream-0.17.0-lp150.9.3.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-08/msg00047.html https://www.suse.com/security/cve/CVE-2018-14345.html CVE-2018-14345