Bug 611352 (CVE-2017-2625)

Summary: <x11-libs/libXdmcp-1.1.2-r1: weak entropy usage for session keys
Product: Gentoo Security
Reporter: Thomas Deutschmann <whissi>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: trivial
CC: x11
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also:
Whiteboard: ~1 [glsa cve]
Package list:
Runtime testing required: ---

Description Thomas Deutschmann gentoo-dev Security 2017-03-02 00:06:00 UTC
Summary and Impact
To further explore the auth mechanism, libXdmcp-1.1.2 was checked as well.

XDM uses weak entropy to generate the session keys on non-BSD systems:

> void XdmcpGenerateKey (XdmAuthKeyPtr key)
> {
> #ifndef HAVE_ARC4RANDOM_BUF   /* guard line omitted in the original quote */
>     /* no libbsd: seed the libc PRNG with pid ^ time and draw two words */
>     long    lowbits, highbits;
>     srandom ((int)getpid() ^ time((Time_t *)0));
>     lowbits = random ();
>     highbits = random ();
>     getbits (lowbits, key->data);
>     getbits (highbits, key->data + 4);
> #else
>     /* libbsd or BSD libc available: 8 bytes from a CSPRNG */
>     arc4random_buf(key->data, 8);
> #endif
> }

On multi-user systems it might be possible to check the PID of the process and how long it has been running to get an estimate of these values, which could allow an attacker to attach to the session of a different user. Several checked Linux distributions (Debian, Arch Linux and Ubuntu) did not link against libbsd at the time this was found.

Compile against libbsd.
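As an added illustration (not code from this bug report or from libXdmcp itself), the snippet below places the non-libbsd generator next to a hardened one that takes its 8 key bytes from the operating system's CSPRNG. `XdmAuthKeyRec` is a simplified stand-in for the libXdmcp type, `getbits()` is reproduced here with a little-endian byte order that is assumed rather than taken from the page, and the `getrandom(2)`/`arc4random_buf()` replacement is this example's own choice, equivalent in effect to the libbsd link the bug recommends. The weak path has no entropy beyond its `pid ^ time` seed, so two keys drawn by one process within the same second are identical, which is what `weak_keys_collide_within_second()` demonstrates.

```c
#define _GNU_SOURCE            /* declare srandom()/random()/getrandom() on glibc */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#if defined(__linux__)
#include <sys/random.h>        /* getrandom(2), glibc >= 2.25 */
#endif

/* Simplified stand-in for libXdmcp's XdmAuthKeyRec: an 8-byte DES key (assumption). */
typedef struct { unsigned char data[8]; } XdmAuthKeyRec, *XdmAuthKeyPtr;

/* Serialise the low 32 bits of a long, least-significant byte first.
   The byte order is an assumption; it does not affect the determinism shown below. */
static void getbits(long data, unsigned char *dst)
{
    dst[0] = (unsigned char)( data        & 0xff);
    dst[1] = (unsigned char)((data >>  8) & 0xff);
    dst[2] = (unsigned char)((data >> 16) & 0xff);
    dst[3] = (unsigned char)((data >> 24) & 0xff);
}

/* The non-libbsd path from the bug: the only entropy is the 32-bit seed
   pid ^ time, so every key is a pure function of two low-entropy values. */
void XdmcpGenerateKeyWeak(XdmAuthKeyPtr key)
{
    long lowbits, highbits;
    srandom((unsigned int)((int)getpid() ^ (int)time(NULL)));
    lowbits  = random();
    highbits = random();
    getbits(lowbits,  key->data);
    getbits(highbits, key->data + 4);
}

/* Hardened replacement: 8 bytes straight from the OS CSPRNG. On BSD-family
   systems arc4random_buf() lives in libc (which is what linking libbsd gives
   Linux builds); on Linux getrandom(2) is called directly.
   Returns 0 on success, -1 on error. */
int XdmcpGenerateKeyStrong(XdmAuthKeyPtr key)
{
#if defined(__linux__)
    size_t got = 0;
    while (got < sizeof key->data) {
        ssize_t n = getrandom(key->data + got, sizeof key->data - got, 0);
        if (n < 0) {
            if (errno == EINTR) continue;   /* interrupted: retry the read */
            return -1;
        }
        got += (size_t)n;
    }
    return 0;
#else
    arc4random_buf(key->data, sizeof key->data);
    return 0;
#endif
}

/* Two weak keys generated by one process within the same second are identical.
   Retries if the wall clock ticked between the two calls. Returns 1 on collision. */
int weak_keys_collide_within_second(void)
{
    XdmAuthKeyRec a, b;
    time_t t0, t1;
    do {
        t0 = time(NULL);
        XdmcpGenerateKeyWeak(&a);
        XdmcpGenerateKeyWeak(&b);
        t1 = time(NULL);
    } while (t0 != t1);
    return memcmp(a.data, b.data, sizeof a.data) == 0;
}

/* Two strong keys differ (a false negative has probability 2^-64). Returns 1 if so. */
int strong_keys_differ(void)
{
    XdmAuthKeyRec a, b;
    if (XdmcpGenerateKeyStrong(&a) != 0 || XdmcpGenerateKeyStrong(&b) != 0)
        return 0;
    return memcmp(a.data, b.data, sizeof a.data) != 0;
}

static void print_key(const char *label, const XdmAuthKeyRec *k)
{
    printf("%s:", label);
    for (size_t i = 0; i < sizeof k->data; i++) printf(" %02x", k->data[i]);
    printf("\n");
}

int main(void)
{
    XdmAuthKeyRec w, s;
    XdmcpGenerateKeyWeak(&w);
    print_key("weak (pid ^ time seed)", &w);
    if (XdmcpGenerateKeyStrong(&s) == 0) print_key("strong (OS CSPRNG)", &s);
    printf("weak keys collide within one second: %d\n", weak_keys_collide_within_second());
    return 0;
}
```

The practical check for a packager is the link line rather than the source: a libXdmcp built as the bug recommends pulls `arc4random_buf` from libbsd, and `ldd` on the resulting library shows `libbsd.so` in its dependencies; a build without it falls into the `srandom()` path above.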
Comment 1 Thomas Deutschmann gentoo-dev Security 2017-03-02 00:10:27 UTC
We will have to check; most Gentoo architectures shouldn't be affected due to

> elibc_glibc? ( dev-libs/libbsd )
Comment 2 Matt Turner gentoo-dev 2017-03-02 03:28:00 UTC
Yes, libXdmcp-1.1.2-r1 contains the dependency on libbsd, and it is stable everywhere (except arm64).
Comment 3 Matt Turner gentoo-dev 2017-03-04 16:12:17 UTC
Do we need to Cc arm64 to stabilize libXdmcp? Seems like it won't hurt...

arm64@: please stabilize x11-libs/libXdmcp-1.1.2-r1
Comment 4 Matt Turner gentoo-dev 2017-03-16 16:13:27 UTC
Vulnerable versions dropped:

commit 5d04eb33c23b663f017c70b3e9b6e266784d55c8
Author: Matt Turner <>
Date:   Thu Mar 16 09:12:30 2017 -0700

    x11-libs/libXdmcp: Drop vulnerable versions.
Comment 5 Michael Weber (RETIRED) gentoo-dev 2017-03-16 18:05:29 UTC
(In reply to Matt Turner from comment #3)
> Do we need to Cc arm64 to stabilize libXdmcp? Seems like it won't hurt...
> arm64@: please stabilize x11-libs/libXdmcp-1.1.2-r1

arm64 stable, last arch done.
Comment 6 Thomas Deutschmann gentoo-dev Security 2017-03-18 13:15:30 UTC
Added to an existing GLSA request.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2017-04-10 21:36:01 UTC
This issue was resolved and addressed in GLSA 201704-03 at
by GLSA coordinator Kristian Fiskerstrand (K_F).