Debian Security Advisory
DLA-2064-1 ldm -- LTS security update
- Date Reported:
- 10 Jan 2020
- Affected Packages:
- ldm
- Security database references:
- In Mitre's CVE dictionary: CVE-2019-20373.
- More information:
It was discovered that a hook script of ldm, the display manager for the Linux Terminal Server Project, incorrectly parsed responses from an SSH server, which could result in local root privilege escalation.
LTSP LDM through 2.18.06 allows fat-client root access because the LDM_USERNAME variable may have an empty value if the user's shell lacks support for Bourne shell syntax. This is related to a run-x-session script.
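The following is an added illustration, not the run-x-session hook from ldm itself (whose contents this advisory does not reproduce): a fail-closed validation of the kind that keeps an empty LDM_USERNAME from reaching the session start. The function names check_ldm_username and start_session_guarded are hypothetical.

```shell
#!/bin/sh
# Added example, not ldm's own run-x-session hook. It shows the defensive
# pattern the advisory implies: a value received from the remote side for
# LDM_USERNAME must be validated before the session is started, and an empty
# value (as produced when the user's login shell cannot evaluate Bourne
# syntax) must abort rather than fall through to a session with no user.
# Function names check_ldm_username and start_session_guarded are hypothetical.

# Return 0 only for a non-empty, plausible account name; 1 otherwise.
check_ldm_username() {
    name=$1
    # Empty value: the exact condition the advisory describes. Fail closed.
    [ -n "$name" ] || return 1
    case "$name" in
        # Anything outside a conservative character set, or a leading '-'
        # (which later commands could parse as an option), is rejected.
        *[!a-zA-Z0-9._-]*|-*) return 1 ;;
    esac
    return 0
}

# Wrapper around the session start: prints the action it would take and
# returns 0 when the name passed validation, 1 when it did not. A real
# hook would exec the session here instead of printing.
start_session_guarded() {
    if check_ldm_username "$1"; then
        printf 'starting X session for user %s\n' "$1"
        return 0
    fi
    printf 'refusing to start session: invalid or empty LDM_USERNAME\n' >&2
    return 1
}

# Constructed inputs: a valid name, and the empty value a non-Bourne login
# shell leaves behind when it prints nothing for the Bourne fragment.
start_session_guarded alice
start_session_guarded "" || true
```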
For Debian 8 "Jessie", these problems have been fixed in version 2:2.2.15-2+deb8u1.
We recommend that you upgrade your ldm packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS