Bug 270345 - <x11-misc/slim-slim-1.3.1_p20091114 insecure xauth secret (CVE requested)
Summary: <x11-misc/slim-slim-1.3.1_p20091114 insecure xauth secret (CVE requested)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard: B3 [noglsa]
Keywords:
Depends on: 306961
Blocks:
Reported: 2009-05-18 19:04 UTC by Robert Buchholz (RETIRED)
Modified: 2010-09-29 21:12 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
Patch from Debian (xauth_secret_support.patch.diff,9.12 KB, patch)
2010-02-20 13:17 UTC, Doktor Notor
Patch from Debian (xauth_secret_support.patch,8.68 KB, patch)
2010-02-20 14:09 UTC, Doktor Notor

Description Robert Buchholz (RETIRED) gentoo-dev 2009-05-18 19:04:17 UTC
On Monday 18 May 2009, Nico Golde wrote:
> slim insecurely generates the x authorization file:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529306
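The report above says only that slim "insecurely generates" the X authorization file and gives no detail of the generator. The following is an added example (not slim's code, not from the Debian patch attached to this bug) that shows the properties a display manager's Xauthority handling has to have and a check a maintainer can run against an existing file: the MIT-MAGIC-COOKIE-1 secret is drawn from the OS CSPRNG, the file is created with mode 0600 before any cookie is written, and existing records are parsed and flagged when the cookie is the wrong length or looks like it was built from a character set rather than raw random bytes. The Xauthority record layout (16-bit family, then length-prefixed address, display number, auth name and auth data) and the FamilyLocal value are the standard format; the printable-text check is a heuristic of this example, and the file path used in the demo is constructed.

```python
"""Minimal Xauthority handling: generate, serialize, parse and audit
MIT-MAGIC-COOKIE-1 records.  Added example, not slim's own code."""
import os
import secrets
import struct
from typing import Dict, List

FAMILY_LOCAL = 256          # FamilyLocal, as defined in X11/Xauth.h
COOKIE_NAME = b"MIT-MAGIC-COOKIE-1"
COOKIE_BYTES = 16           # the protocol's cookie is 128 bits


def generate_cookie() -> bytes:
    """A display cookie must come from the OS CSPRNG: a value another
    local user can predict (time-seeded rand(), PIDs, ...) lets them
    attach to the display without being the session owner."""
    return secrets.token_bytes(COOKIE_BYTES)


def _field(data: bytes) -> bytes:
    # Each Xauthority field is a big-endian 16-bit length followed by the bytes.
    return struct.pack(">H", len(data)) + data


def build_xauth_entry(address: bytes, number: bytes, cookie: bytes,
                      family: int = FAMILY_LOCAL) -> bytes:
    """Serialize one record: family, address, display number, auth name, auth data."""
    return (struct.pack(">H", family) + _field(address) + _field(number)
            + _field(COOKIE_NAME) + _field(cookie))


def parse_xauth(blob: bytes) -> List[Dict[str, object]]:
    """Parse every record in an Xauthority blob (the ~/.Xauthority layout)."""
    entries: List[Dict[str, object]] = []
    pos = 0

    def take() -> bytes:
        nonlocal pos
        if pos + 2 > len(blob):
            raise ValueError("truncated length field at offset %d" % pos)
        (n,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        value = blob[pos:pos + n]
        if len(value) != n:
            raise ValueError("truncated field at offset %d" % pos)
        pos += n
        return value

    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated family field at offset %d" % pos)
        (family,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        entries.append({"family": family, "address": take(), "number": take(),
                        "name": take(), "data": take()})
    return entries


def audit_entries(entries: List[Dict[str, object]]) -> List[str]:
    """Return one finding per suspicious record; an empty list means nothing flagged."""
    findings: List[str] = []
    for i, e in enumerate(entries):
        name, data = e["name"], e["data"]
        if name != COOKIE_NAME:
            findings.append("entry %d: unexpected auth method %r" % (i, name))
            continue
        if len(data) != COOKIE_BYTES:
            findings.append("entry %d: cookie is %d bytes, expected %d"
                            % (i, len(data), COOKIE_BYTES))
        # Heuristic (this example's, not part of the format): a cookie made only of
        # printable ASCII was almost certainly built from a character set rather than
        # raw random bytes, which caps its entropy well below 128 bits.  Sixteen
        # CSPRNG bytes trip this by chance about once in 10^7 files.
        if data and all(0x20 <= b < 0x7F for b in data):
            findings.append("entry %d: cookie is printable text, likely low-entropy" % i)
    return findings


def write_xauthority(path: str, blob: bytes) -> None:
    """Create the file with mode 0600 up front so the cookie is never
    world-readable, even briefly, instead of chmod'ing after the write."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(blob)


if __name__ == "__main__":
    import tempfile
    cookie = generate_cookie()
    blob = build_xauth_entry(b"localhost", b"0", cookie)
    path = os.path.join(tempfile.mkdtemp(), "Xauthority")   # constructed demo path
    write_xauthority(path, blob)
    with open(path, "rb") as f:
        for finding in audit_entries(parse_xauth(f.read())) or ["no findings"]:
            print(finding)
```

Running the module writes a fresh record to a temporary file and audits it back; pointing `parse_xauth` and `audit_entries` at a real `~/.Xauthority` (read as bytes) is the same check against a live session.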
Comment 1 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2009-05-18 19:48:27 UTC
Interesting, FWIW, upstream is basically dead so I would assume this is at NeedPatch for now, unless someone comes from the Debian bug report.
Comment 2 Mansour Moufid 2009-12-13 00:55:02 UTC
Apparently this is no longer an issue as of slim 1.3.1-2:
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529306#56>
Comment 3 Doktor Notor 2010-02-20 13:17:16 UTC
Created attachment 220459 [details, diff]
Patch from Debian
Comment 4 Doktor Notor 2010-02-20 14:09:06 UTC
Created attachment 220471 [details, diff]
Patch from Debian

Eh OK, I'd rather attach the real patch (instead of the patch to create the real patch the Debian way)...
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2010-02-20 14:27:15 UTC
Thanks for your comment.

Maintainers, please provide a fixed ebuild.
Comment 6 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2010-03-28 03:27:46 UTC
New snapshot is in the tree (bug 306961). I would like to wait a few days before stabilization for any bug reports to arise.
Comment 7 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2010-04-03 21:48:44 UTC
@security team: New snapshot is not any worse than current stable. I endorse adding arches. Feel free... :)
Comment 8 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2010-04-08 04:55:47 UTC
(In reply to comment #7)
> @security team: New snapshot is not any worse than current stable. I endorse
> adding arches. Feel free... :)
> 

Hmm, I guess we will continue now.

Keywords: slim-1.3.1-r5[0]: amd64 ppc ppc64 sparc x86 
Keywords: slim-1.3.1_p20091114[0]: ~amd64 ~ppc ~ppc64 ~sparc ~x86 
Comment 9 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-04-08 07:29:05 UTC
x86 stable
Comment 10 Brent Baude (RETIRED) gentoo-dev 2010-04-12 18:50:52 UTC
ppc64 done
Comment 11 Brent Baude (RETIRED) gentoo-dev 2010-04-15 14:32:19 UTC
ppc done
Comment 12 Markus Meier gentoo-dev 2010-04-15 19:54:41 UTC
amd64 stable
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2010-05-04 18:55:24 UTC
sparc stable
Comment 14 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2010-07-31 02:26:16 UTC
removing myself, nothing left for me to do.
Comment 15 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-30 11:03:27 UTC
GLSA vote: NO
Comment 16 Stefan Behte (RETIRED) gentoo-dev Security 2010-09-29 21:12:37 UTC
Unlikely to be exploited, so my GLSA vote is NO, too. Closing noglsa.