Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 473120 (CVE-2013-2179) - <x11-apps/xdm-1.1.11-r3: NULL pointer dereference (DoS) when verifying user credentials in FIPS-140 mode or using >=sys-libs/glibc-2.17 (CVE-2013-2179)
Summary: <x11-apps/xdm-1.1.11-r3: NULL pointer dereference (DoS) when verifying user c...
Status: RESOLVED FIXED
Alias: CVE-2013-2179
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa]
Keywords:
Depends on: 475480
Blocks:
  Show dependency tree
 
Reported: 2013-06-12 17:05 UTC by Agostino Sarubbo
Modified: 2014-02-07 12:04 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-06-12 17:05:44 UTC
From ${URL} :

A NULL pointer dereference, leading to denial of service flaw was found in the way X.Org X11 xdm, X.Org X Display Manager, performed user credentials 
verification, when the FIPS-140 mode was enabled on the underlying Linux system or the xdm was compiled against glibc library of version of 2.17 and 
above. A local attacker could provide a specially-crafted input that, when processed would lead to xdm executable crash.

References:
[1] http://www.openwall.com/lists/oss-security/2013/06/11/5

Relevant upstream patch:
[2] http://cgit.freedesktop.org/xorg/app/xdm/commit/?id=8d1eb5c74413e4c9a21f689fc106949b121c0117


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Chí-Thanh Christopher Nguyễn gentoo-dev 2013-06-12 17:17:22 UTC
glibc-2.17 does not exist in the stable tree, and what is "the FIPS-140 mode"?
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-06-30 13:34:19 UTC
Further info: "Without this fix, if xdm is built to use raw crypt() authentication, instead of a higher level system such as PAM or BSD Auth, and that crypt() function can return a NULL pointer (as glibc 2.17+ does for invalid input, such as when an account is locked by prepending a "!" to the password field), then attempting to login to such an account via xdm can crash the xdm daemon."
Comment 3 Sergey Popov gentoo-dev 2013-12-04 07:53:08 UTC
Thanks for your work.

GLSA vote: no
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2013-12-27 14:51:25 UTC
CVE-2013-2179 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2179):
  X.Org xdm 1.1.10, 1.1.11, and possibly other versions, when performing
  authentication using certain implementations of the crypt API function that
  can return NULL, allows remote attackers to cause a denial of service (NULL
  pointer dereference and crash) by attempting to log into an account whose
  password field contains invalid characters, as demonstrated using the crypt
  function from glibc 2.17 and later with (1) the "!" character in the salt
  portion of a password field or (2) a password that has been encrypted using
  DES or MD5 in FIPS-140 mode.
Comment 5 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-02-07 12:04:17 UTC
GLSA vote: no.

Closing as [noglsa].