Description: A vulnerability was discovered in gdm before 3.31.4. When timed login is enabled in configuration, an attacker could bypass the lock screen by selecting the timed login user and waiting for the timer to expire, at which time they would gain access to the logged-in user's session.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium
Debian Bugs: 921764

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                      Version            Status
gdm3 (PTS)       jessie                       3.14.1-7           vulnerable
gdm3 (PTS)       jessie (security)            3.14.1-7+deb8u1    vulnerable
gdm3 (PTS)       stretch (security), stretch  3.22.3-3+deb9u2    vulnerable
gdm3 (PTS)       bullseye, sid                3.34.1-1           fixed

The information below is based on the following data on fixed versions.

Package   Type   Release   Fixed Version   Urgency   Origin   Debian Bugs


[stretch] - gdm3 <no-dsa> (Minor issue)
[jessie] - gdm3 <ignored> (Minor issue)

