
Bug 53226

Summary: x11-base/xfree: xdm open socket allows access
Product: Gentoo Security
Reporter: Lance Albertson (RETIRED) <ramereth>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: condordes, ppc, x11, x86
Priority: High
Flags: jaervosz: Assigned_To? (jaervosz)
Version: unspecified
Hardware: All
OS: All
URL: http://bugs.xfree86.org/show_bug.cgi?id=1376
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Lance Albertson (RETIRED) gentoo-dev 2004-06-07 08:11:36 UTC
I saw this in my recent SANS @RISK email.

04.22.13 CVE: Not Available
Platform: Cross Platform
Title: XFree86 XDM Configuration Setting Bypass
Description: xdm is an X11 window display manager. xdm has been
reported to ignore its "DisplayManager.requestPort" configuration
setting. Even if set to false, xdm will open its "chooserFd" TCP
socket on all network interfaces, which could lull the user into a
false sense of security.
Ref: http://bugs.xfree86.org/show_bug.cgi?id=1376

Did some more searching and found this site that talks about it also.

http://xforce.iss.net/xforce/xfdb/16264
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-06-07 08:21:23 UTC
CAN-2004-0419
Patch is attached on the xfree86 bug link (see URL)

xfree team: could you please apply that patch? How do you think we can release this, as latest versions are masked?
Comment 2 Donnie Berkholz (RETIRED) gentoo-dev 2004-06-07 13:54:01 UTC
I'll get back to you later tonight.
Comment 3 Donnie Berkholz (RETIRED) gentoo-dev 2004-06-07 23:43:58 UTC
The easiest thing for me to do would be:

1) Make a new ~arch xorg-x11-6.7.0-r1 with this fix, among others (I already had this in the works)
2) Add it to the current half-stable xorg-x11-6.7.0 and stabilize on any remaining arches, including x86.

This will leave any users of stabilized xorg-x11-6.7.0 (which include ppc, sparc, arm and amd64 users) without an automatic upgrade until 6.7.0-r1 is stabilized. I think this may be justified, given that this only affects users of xdm and really is minor -- not an exploit in the usual sense. All ~arch users on all arches and all other stable users would be upgraded automatically.

On the xfree side of things, the easiest thing would be:

1) Add it to xfree-4.3.0-r5, again no bump. 

For the same reason above, I find it a little difficult to justify a revision bump for this. People who want this fix can read the security advisory and remerge it. Because of a portage bug in dependencies, I'm unable to unmask xfree-4.3.0-r6 as-is, but I have trouble justifying this as a bump on its own.

Fortunately the licensing on this file in XFree86 is fine, so there are no problems moving the fix over.

ETA on this from my side: ~3-4 days (Friday 1700 UTC)

Please confirm or comment.
Comment 4 Kurt Lieber (RETIRED) gentoo-dev 2004-06-08 02:34:28 UTC
Donnie --

Reading the ISS release (referenced in the first comment) it specifically says, "A remote attacker could exploit this vulnerability to gain access to the system."  Is this accurate?  If so, I'd say it justifies a version bump for both xorg and xfree.
Comment 5 Donnie Berkholz (RETIRED) gentoo-dev 2004-06-08 10:50:13 UTC
This will allow a remote attacker to connect to the port, but that attacker must still authenticate as a local user would. It essentially prevents one from disallowing XDMCP requests.

So, if a user happens to use xdm (many users don't use any *dm, and if they do, it's rarely the ugliest one of all -- xdm), they're unable to prevent remote authentication to xdm without blocking ports via some other scheme, e.g. iptables.

But if you think a bump is justified, I'll go ahead and do so. Your call.

From the xdm man page:
       To disable listening for XDMCP connections altogether, a line of  LISTEN
       with  no addresses may be specified, or the previously supported method
       of setting DisplayManager.requestPort to 0 may be used.

Summary:
From a technical standpoint, this isn't what I would call an exploit -- it isn't free access into the system, it requires knowledge of a valid login. It prevents one from stopping remote logins.
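
A defender's check for the condition discussed in the comment above, as an added example (not part of the original bug report and not code from xdm or Gentoo): it compares the requestPort setting in xdm-config with the sockets xdm actually holds open. The config text, the `ss -H -tlnp` output lines, the PIDs and the port numbers are constructed sample data.

```python
import re

# Constructed sample inputs (not taken from the bug report).
XDM_CONFIG = """\
! /etc/X11/xdm/xdm-config (constructed sample)
DisplayManager.errorLogFile: /var/log/xdm.log
DisplayManager.requestPort:  0
"""
SS_OUTPUT = """\
tcp LISTEN 0 5   0.0.0.0:32771 0.0.0.0:* users:(("xdm",pid=812,fd=4))
tcp LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=640,fd=7))
tcp LISTEN 0 128 [::]:22       [::]:*    users:(("sshd",pid=701,fd=3))
"""

WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}

def request_port(config_text):
    """Return the configured DisplayManager.requestPort, or None if unset."""
    for line in config_text.splitlines():
        if line.lstrip().startswith("!"):   # X resource file comment
            continue
        m = re.match(r"\s*DisplayManager[.*]requestPort\s*:\s*(\S+)", line)
        if m:
            return m.group(1)
    return None

def listeners(ss_text, process="xdm"):
    """Yield (proto, address, port) for sockets owned by `process`."""
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or f'("{process}"' not in fields[6]:
            continue
        addr, _, port = fields[4].rpartition(":")
        yield fields[0], addr, int(port)

def unexpected_listeners(config_text, ss_text):
    """Wildcard-bound xdm sockets present although requestPort is 0."""
    if request_port(config_text) != "0":
        return []
    return [s for s in listeners(ss_text) if s[1] in WILDCARDS]

if __name__ == "__main__":
    for proto, addr, port in unexpected_listeners(XDM_CONFIG, SS_OUTPUT):
        print(f"xdm listening on {proto} {addr}:{port} despite requestPort 0")
```
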
Comment 7 Donnie Berkholz (RETIRED) gentoo-dev 2004-06-11 01:40:40 UTC
I've just added xorg-x11-6.7.0-r1.ebuild. It needs to get to this keyword status:
KEYWORDS="~x86 ppc sparc ~mips ~alpha arm ~hppa amd64 ~ia64"

That's what the previous 6.7.0 had.
Comment 8 Donnie Berkholz (RETIRED) gentoo-dev 2004-06-11 02:27:48 UTC
xfree-4.3.0-r6 is now a security update from 4.3.0-r5. The former 4.3.0-r6 with lots of changes has become -r7.

4.3.0-r6 needs the following keywords:
KEYWORDS="x86 ppc sparc alpha mips hppa amd64 ia64"

Currently it is ~x86 only.

I'm heading out of town for the weekend -- if there's anything more you need from X people, please ask seemant. You'll have to CC him, as he's not on the xfree alias.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-06-11 03:52:51 UTC
xorg 6.7.0-r1:

ppc sparc arm amd64: please mark stable
mips alpha hppa ia64: please mark ~


xfree 4.3.0-r6:

x86 ppc sparc mips alpha hppa amd64 ia64: please mark stable
Comment 10 Ferris McCormick (RETIRED) gentoo-dev 2004-06-11 04:49:23 UTC
xfree-4.3.0-r6 & xorg-x11-6.7.0-r1 are now keyworded ~sparc. The keyword for xfree applies only for the security update, because xfree is deprecated for sparc, which is following the xorg-x11 branch for X11.
Comment 11 Seemant Kulleen (RETIRED) gentoo-dev 2004-06-11 09:14:43 UTC
no need to cc me, I'm on the security alias.
Comment 12 Bryan Østergaard (RETIRED) gentoo-dev 2004-06-12 10:20:21 UTC
Keyworded on alpha.
Comment 13 SpanKY gentoo-dev 2004-06-12 16:40:52 UTC
arm/hppa should be all set
Comment 14 Stephen Becker (RETIRED) gentoo-dev 2004-06-13 07:23:43 UTC
mips is all good now
Comment 15 Ferris McCormick (RETIRED) gentoo-dev 2004-06-14 08:30:55 UTC
xorg-x11-6.7.0-r1 is stable for sparc.  xfree on sparc is deprecated, but marked ~sparc.
Comment 16 Donnie Berkholz (RETIRED) gentoo-dev 2004-06-14 13:00:52 UTC
By the way, you might want to refrain from using my comments for the security advisory. I'm not absolutely sure that's right, and 90% just isn't good enough. Probably base it off the other advisories instead.
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2004-06-16 09:05:54 UTC
Stable keywords still needed:

xorg 6.7.0-r1: ppc amd64 ~ia64
xfree 4.3.0-r6: x86 ppc hppa amd64 ia64
Comment 18 Jason Huebel (RETIRED) gentoo-dev 2004-06-16 13:03:59 UTC
xorg-x11 stable on amd64
Comment 19 Jason Huebel (RETIRED) gentoo-dev 2004-06-16 13:31:12 UTC
xfree-4.3.0-r6 marked stable on amd64
Comment 20 Luca Barbato gentoo-dev 2004-06-17 09:04:17 UTC
xorg-x11 marked ppc
Comment 21 Gustavo Zacarias (RETIRED) gentoo-dev 2004-06-22 06:22:38 UTC
xfree-4.3.0-r6 stable for hppa, sorry for the delay.
Comment 22 Thierry Carrez (RETIRED) gentoo-dev 2004-06-22 08:57:12 UTC
Keywords still missing:

xfree 4.3.0-r6: x86 ppc ia64
xorg 6.7.0-r1: ~ia64

x86, ppc: please mark stable so that the GLSA can go out.
Comment 23 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-06-29 17:38:43 UTC
GLSA is drafted; we're just waiting for stabilization now.

x86, ppc: We're waiting on you.
Comment 24 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-06-29 18:14:43 UTC
If I don't CC myself on this I'll lose track of it in the rest of the security@ mail ...
Comment 25 Aron Griffis (RETIRED) gentoo-dev 2004-06-30 07:33:50 UTC
ok, I've marked xfree-r6 and xorg-r1 stable on ia64
Comment 26 Aron Griffis (RETIRED) gentoo-dev 2004-06-30 07:34:07 UTC
ok, I've marked xfree-r6 and xorg-r1 stable on alpha and ia64
Comment 27 Luca Barbato gentoo-dev 2004-07-01 08:04:11 UTC
xfree -r6 marked ppc
Comment 28 Thierry Carrez (RETIRED) gentoo-dev 2004-07-05 13:31:10 UTC
Marked stable on x86 by klieber two days ago. Ready for GLSA publication.
Comment 29 Thierry Carrez (RETIRED) gentoo-dev 2004-07-05 13:48:34 UTC
GLSA 200407-05