Name | CVE-2019-3825 |
Description | A vulnerability was discovered in gdm before 3.31.4. When timed login is enabled in configuration, an attacker could bypass the lock screen by selecting the timed login user and waiting for the timer to expire, at which time they would gain access to the logged-in user's session. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Debian Bugs | 921764 |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
gdm3 (PTS) | jessie, jessie (lts) | 3.14.1-7+deb8u1 | vulnerable |
| | stretch (security), stretch (lts), stretch | 3.22.3-3+deb9u3 | vulnerable |
| | buster | 3.30.2-3 | fixed |
| | bullseye | 3.38.2.1-1 | fixed |
| | bookworm | 43.0-3 | fixed |
| | sid, trixie | 47.0-3 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
gdm3 | source | wheezy | (unfixed) | end-of-life | | |
gdm3 | source | (unstable) | 3.30.2-3 | low | | 921764 |
Notes
[stretch] - gdm3 <no-dsa> (Minor issue)
[jessie] - gdm3 <ignored> (Minor issue)
https://gitlab.gnome.org/GNOME/gdm/issues/460