Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 53226 - x11-base/xfree: xdm open socket allows access
Summary: x11-base/xfree: xdm open socket allows access
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High major (vote)
Assignee: Gentoo Security
URL: http://bugs.xfree86.org/show_bug.cgi?...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2004-06-07 08:11 UTC by Lance Albertson (RETIRED)
Modified: 2011-10-30 22:40 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---
jaervosz: Assigned_To? (jaervosz)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Lance Albertson (RETIRED) gentoo-dev 2004-06-07 08:11:36 UTC
I saw this in my recent SANS @RISK email.

04.22.13 CVE: Not Available
Platform: Cross Platform
Title: XFree86 XDM Configuration Setting Bypass
Description: xdm is an X11 window display manager. xdm has been
reported to ignore its "DisplayManager.requestPort" configuration
setting. Even if set to false, xdm will open its "chooserFd" TCP
socket on all network interfaces, which could lull the user into a
false sense of security.
Ref: http://bugs.xfree86.org/show_bug.cgi?id=1376

Did some more searching and found this site that talks about it also.

http://xforce.iss.net/xforce/xfdb/16264
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-06-07 08:21:23 UTC
CAN-2004-0419
Patch is attached on the xfree86 bug link (see URL)

xfree team : could you please apply that patch ? How do you think we can release this, as latest versions are masked ?
Comment 2 Donnie Berkholz (RETIRED) gentoo-dev 2004-06-07 13:54:01 UTC
I'll get back to you later tonight.
Comment 3 Donnie Berkholz (RETIRED) gentoo-dev 2004-06-07 23:43:58 UTC
The easiest thing for me to do would be:

1) Make a new ~arch xorg-x11-6.7.0-r1 with this fix, among others (I already had this in the works)
2) Add it to the current half-stable xorg-x11-6.7.0 and stabilize on any remaining arches, including x86.

This will leave any users of stabilized xorg-x11-6.7.0 (which include ppc, sparc, arm and amd64 users) without an automatic upgrade until 6.7.0-r1 is stabilized. I think this may be justified, given that this only affects users of xdm and really is minor -- not an exploit in the usual sense. All ~arch users on all arches and all other stable users would be upgraded automatically.

On the xfree side of things, the easiest thing would be:

1) Add it to xfree-4.3.0-r5, again no bump. 

For the same reason above, I find it a little difficult to justify a revision bump for this. People who want this fix can read the security advisory and remerge it. Because of a portage bug in dependencies, I'm unable to unmask xfree-4.3.0-r6 as-is, but I have trouble justifying this as a bump on its own.

Fortunately the licensing on this file in XFree86 is fine, so there's no problems moving the fix over.

ETA on this from my side: ~3-4 days (Friday 1700 UTC)

Please confirm or comment.
Comment 4 Kurt Lieber (RETIRED) gentoo-dev 2004-06-08 02:34:28 UTC
Donnie --

Reading the ISS release (referenced in the first comment) it specifically says, "A remote attacker could exploit this vulnerability to gain access to the system."  Is this accurate?  If so, I'd say it justifies a version bump for both xorg and xfree.
Comment 5 Donnie Berkholz (RETIRED) gentoo-dev 2004-06-08 10:50:13 UTC
This will allow a remote attacker to connect to the port, but that attacker must still authenticate as a local user would. It essentially prevents one from disallowing XDMCP requests.

So, if a user happens to use xdm (many users don't use any *dm, and if they do, it's rarely the ugliest one of all -- xdm), they're unable to prevent remote authentication to xdm without blocking ports via some other scheme, e.g. iptables.

But if you think a bump is justified, I'll go ahead and do so. Your call.

From the xdm man page:
       To disable listening for XDMCP connections altogther, a line of  LISTEN
       with  no addresses may be specified, or the previously supported method
       of setting DisplayManager.requestPort to 0 may be used.

Summary:
From a technical standpoint, this isn't what I would call an exploit -- it isn't free access into the system, it requires knowledge of a valid login. It prevents one from stopping remote logins.
Comment 6 Donnie Berkholz (RETIRED) gentoo-dev 2004-06-08 10:50:35 UTC
This will allow a remote attacker to connect to the port, but that attacker must still authenticate as a local user would. It essentially prevents one from disallowing XDMCP requests.

So, if a user happens to use xdm (many users don't use any *dm, and if they do, it's rarely the ugliest one of all -- xdm), they're unable to prevent remote authentication to xdm without blocking ports via some other scheme, e.g. iptables.

But if you think a bump is justified, I'll go ahead and do so. Your call.

From the xdm man page:
       To disable listening for XDMCP connections altogther, a line of  LISTEN
       with  no addresses may be specified, or the previously supported method
       of setting DisplayManager.requestPort to 0 may be used.

Summary:
From a technical standpoint, this isn't what I would call an exploit -- it isn't free access into the system, it requires knowledge of a valid login. It prevents one from stopping remote logins.
Comment 7 Donnie Berkholz (RETIRED) gentoo-dev 2004-06-11 01:40:40 UTC
I've just added xorg-x11-6.7.0-r1.ebuild. It needs to get to this keyword status:
KEYWORDS="~x86 ppc sparc ~mips ~alpha arm ~hppa amd64 ~ia64"

That's what the previous 6.7.0 had.
Comment 8 Donnie Berkholz (RETIRED) gentoo-dev 2004-06-11 02:27:48 UTC
xfree-4.3.0-r6 is now a security update from 4.3.0-r5. The former 4.3.0-r6 with lots of changes has become -r7.

4.3.0-r6 needs the following keywords:
KEYWORDS="x86 ppc sparc alpha mips hppa amd64 ia64"

Currently it is ~x86 only.

I'm heading out of town for the weekend -- if there's anything more you need from X people, please ask seemant. You'll have to CC him, as he's not on the xfree alias.
Comment 9 Sune Kloppenborg Jeppesen gentoo-dev 2004-06-11 03:52:51 UTC
xorg 6.7.0-r1:

ppc sparc arm amd64: please mark stable
mips alpha hppa ia64: plase mark ~


xfree 4.3.0-r6:

x86 ppc sparc mips alpha hppa amd64 ia64: please mark stable
Comment 10 Ferris McCormick (RETIRED) gentoo-dev 2004-06-11 04:49:23 UTC
xfree-4.3.0-r6 & xorg-x11-6.7.0-r1 are now keyworded ~sparc.  The keyword for xfree applies only
for the security update: because xfree is deprecated for sparc, which is following the xorg-x11 branch for X11.
Comment 11 Seemant Kulleen (RETIRED) gentoo-dev 2004-06-11 09:14:43 UTC
no need to cc me, I'm on the security alias.
Comment 12 Bryan Østergaard (RETIRED) gentoo-dev 2004-06-12 10:20:21 UTC
Keyworded on alpha.
Comment 13 SpanKY gentoo-dev 2004-06-12 16:40:52 UTC
arm/hppa should be all set
Comment 14 Stephen Becker (RETIRED) gentoo-dev 2004-06-13 07:23:43 UTC
mips is all good now
Comment 15 Ferris McCormick (RETIRED) gentoo-dev 2004-06-14 08:30:55 UTC
xorg-x11-6.7.0-r1 is stable for sparc.  xfree on sparc is deprecated, but marked ~sparc.
Comment 16 Donnie Berkholz (RETIRED) gentoo-dev 2004-06-14 13:00:52 UTC
By the way, you might want to refrain from using my comments for the security advisory. I'm not absolutely sure that's right, and 90% just isn't good enough. Probably base it off the other advisories instead.
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2004-06-16 09:05:54 UTC
Stable keywords still needed :

xorg 6.7.0-r1: ppc amd64 ~ia64
xfree 4.3.0-r6: x86 ppc hppa amd64 ia64
Comment 18 Jason Huebel (RETIRED) gentoo-dev 2004-06-16 13:03:59 UTC
xorg-x11 stable on amd64
Comment 19 Jason Huebel (RETIRED) gentoo-dev 2004-06-16 13:31:12 UTC
xfree-4.3.0-r6 marked stable on amd64
Comment 20 Luca Barbato gentoo-dev 2004-06-17 09:04:17 UTC
xorg-x11 marked ppc
Comment 21 Gustavo Zacarias (RETIRED) gentoo-dev 2004-06-22 06:22:38 UTC
xfree-4.3.0-r6 stable for hppa, sorry for the delay.
Comment 22 Thierry Carrez (RETIRED) gentoo-dev 2004-06-22 08:57:12 UTC
Keywords still missing :

xfree 4.3.0-r6: x86 ppc ia64
xorg 6.7.0-r1: ~ia64

x86, ppc : please mark stable so that the GLSA can go out.
Comment 23 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-06-29 17:38:43 UTC
GLSA is drafted; we're just waiting for stabilization now.

x86, ppc: We're waiting on you.
Comment 24 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-06-29 18:14:43 UTC
If I don't CC myself on this I'll lose track of it in the rest of the security@ mail ...
Comment 25 Aron Griffis (RETIRED) gentoo-dev 2004-06-30 07:33:50 UTC
ok, I've marked xfree-r6 and xorg-r1 stable on ia64
Comment 26 Aron Griffis (RETIRED) gentoo-dev 2004-06-30 07:34:07 UTC
ok, I've marked xfree-r6 and xorg-r1 stable on alpha and ia64
Comment 27 Luca Barbato gentoo-dev 2004-07-01 08:04:11 UTC
xfree -r6 marked ppc
Comment 28 Thierry Carrez (RETIRED) gentoo-dev 2004-07-05 13:31:10 UTC
Marked stable on x86 by klieber two days ago. Ready for GLSA publication.
Comment 29 Thierry Carrez (RETIRED) gentoo-dev 2004-07-05 13:48:34 UTC
GLSA 200407-05