Subject: [ASA-202011-5] gdm: privilege escalation

Arch Linux Security Advisory ASA-202011-5
=========================================

Severity: High
Date    : 2020-11-10
CVE-ID  : CVE-2020-16125
Package : gdm
Type    : privilege escalation
Remote  : No
Link    : https://security.archlinux.org/AVG-1264

Summary
=======

The package gdm before version 3.38.2-1 is vulnerable to privilege escalation.

Resolution
==========

Upgrade to 3.38.2-1.

# pacman -Syu "gdm>=3.38.2-1"

The problem has been fixed upstream in version 3.38.2.

Workaround
==========

None.

Description
===========

gdm before 3.38.2 can be tricked into launching gnome-initial-setup, enabling an unprivileged user to create a new user account for themselves. The new account is a member of the sudo group, so this enables the unprivileged user to obtain admin privileges.

Impact
======

An unprivileged local user might be able to elevate privileges to root.

References
==========

https://gitlab.gnome.org/GNOME/gdm/-/issues/642
https://security.archlinux.org/CVE-2020-16125
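A defender-side check for this advisory, added here as an example and not part of the Arch advisory or the gdm project: it compares an installed gdm version against the fixed 3.38.2-1 and lists sudo/wheel members that are not on an operator-supplied allow-list, which is the artefact the Description says an abuse of this bug leaves behind. The version comparison assumes dotted-numeric pkgver strings, and the sample /etc/group content is constructed.

```python
"""Checks for ASA-202011-5 / CVE-2020-16125 (example code, not from the advisory)."""
import subprocess

FIXED_GDM = "3.38.2-1"  # fixed version named in the advisory


def parse_pkgver(version):
    """Split an Arch 'pkgver-pkgrel' string into comparable integer tuples.
    Assumption: pkgver is purely dotted-numeric (true for gdm releases)."""
    ver, _, rel = version.partition("-")
    return tuple(int(x) for x in ver.split(".")), int(rel or 0)


def gdm_is_vulnerable(installed):
    """True when the installed gdm sorts before the fixed 3.38.2-1."""
    return parse_pkgver(installed) < parse_pkgver(FIXED_GDM)


def admin_group_members(group_text, groups=("sudo", "wheel")):
    """Map each admin group name to its member list, from /etc/group text."""
    found = {}
    for line in group_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        if name in groups:
            found[name] = [m for m in members.split(",") if m]
    return found


def unexpected_admins(group_text, allowlist):
    """Sorted sudo/wheel members absent from the allow-list: accounts that
    warrant a look, since the advisory says the rogue account joins sudo."""
    return sorted({m for members in admin_group_members(group_text).values()
                   for m in members if m not in allowlist})


# Constructed sample /etc/group content (hypothetical host, not real data).
SAMPLE_GROUP = """root:x:0:
wheel:x:998:alice
sudo:x:27:alice,setup-user
users:x:100:alice,bob
"""

if __name__ == "__main__":
    # On a live Arch host: query pacman for gdm and read the real /etc/group.
    out = subprocess.run(["pacman", "-Q", "gdm"], capture_output=True, text=True)
    if out.returncode == 0:
        print("gdm vulnerable:", gdm_is_vulnerable(out.stdout.split()[1]))
    with open("/etc/group") as fh:
        print("unexpected admins:", unexpected_admins(fh.read(), {"alice"}))
```

Replace the `{"alice"}` allow-list with the administrators expected on the host; any other sudo or wheel member is a candidate for review.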