Summary and Impact
==================

To further explore the auth mechanism, libXdmcp-1.1.2 was checked as well. XDM uses weak entropy to generate the session keys on non-BSD systems:

> void XdmcpGenerateKey (XdmAuthKeyPtr key)
> {
> #ifndef HAVE_ARC4RANDOM_BUF
>     long lowbits, highbits;
>
>     srandom ((int)getpid() ^ time((Time_t *)0));
>     lowbits = random ();
>     highbits = random ();
>     getbits (lowbits, key->data);
>     getbits (highbits, key->data + 4);
> #else
>     arc4random_buf(key->data, 8);
> #endif
> }

On multi-user systems it might be possible to check the PID of the process and how long it has been running to get an estimate of these values, which could allow an attacker to attach to the session of a different user. Several checked Linux distributions (Debian, Arch Linux and Ubuntu) did not link against libbsd at the time this was found.

Workaround
==========

Compile against libbsd.
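The two code paths from the snippet above, as an added example that is not from the bug report or from libXdmcp: the non-BSD path with its seed made an explicit parameter, so that the whole 8-byte key can be seen to follow from one 32-bit value, beside a replacement that fills the key from getrandom(2) the way the libbsd path fills it from arc4random_buf(). The getbits() helper is an assumed reconstruction (libXdmcp's is static) and the 8-byte key length is taken from the arc4random_buf call; getrandom() needs glibc 2.25 or newer.

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <sys/random.h>
#include <unistd.h>
#include <time.h>

#define XDM_KEY_LEN 8

/* Assumed reconstruction of libXdmcp's static getbits():
 * little-endian split of the low 32 bits of a long into 4 bytes. */
static void getbits(long data, unsigned char *dst)
{
    dst[0] = (unsigned char)(data & 0xff);
    dst[1] = (unsigned char)((data >> 8) & 0xff);
    dst[2] = (unsigned char)((data >> 16) & 0xff);
    dst[3] = (unsigned char)((data >> 24) & 0xff);
}

/* The non-BSD path from the report with the seed exposed: both halves of
 * the key are outputs of random() after srandom(seed), so the key carries
 * no more entropy than the seed itself. */
void weak_key_from_seed(unsigned seed, unsigned char key[XDM_KEY_LEN])
{
    srandom(seed);
    long lowbits = random();
    long highbits = random();
    getbits(lowbits, key);
    getbits(highbits, key + 4);
}

/* What the report's non-BSD path seeds with: pid XOR current time. */
void weak_key(unsigned char key[XDM_KEY_LEN])
{
    weak_key_from_seed((unsigned)((int)getpid() ^ (int)time(NULL)), key);
}

/* Hardened equivalent of the HAVE_ARC4RANDOM_BUF path: fill the key from the
 * kernel CSPRNG. Returns 0 on success, -1 if getrandom() fails. */
int strong_key(unsigned char key[XDM_KEY_LEN])
{
    size_t got = 0;
    while (got < XDM_KEY_LEN) {
        ssize_t n = getrandom(key + got, XDM_KEY_LEN - got, 0);
        if (n < 0)
            return -1;
        got += (size_t)n;
    }
    return 0;
}

int keys_equal(const unsigned char *a, const unsigned char *b)
{
    return memcmp(a, b, XDM_KEY_LEN) == 0;
}
```

Two calls of weak_key_from_seed() with the same seed return the same key, which is the property the report relies on; two calls of strong_key() do not.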
We will have to check; most Gentoo architectures shouldn't be affected due to

> elibc_glibc? ( dev-libs/libbsd )
Yes, libXdmcp-1.1.2-r1 contains the dependency on libbsd, and it is stable everywhere (except arm64).
Do we need to Cc arm64 to stabilize libXdmcp? Seems like it won't hurt...

arm64@: please stabilize x11-libs/libXdmcp-1.1.2-r1
Vulnerable versions dropped:

commit 5d04eb33c23b663f017c70b3e9b6e266784d55c8
Author: Matt Turner <mattst88@gentoo.org>
Date:   Thu Mar 16 09:12:30 2017 -0700

    x11-libs/libXdmcp: Drop vulnerable versions.

    Bug: https://bugs.gentoo.org/611352
(In reply to Matt Turner from comment #3)
> Do we need to Cc arm64 to stabilize libXdmcp? Seems like it won't hurt...
>
> arm64@: please stabilize x11-libs/libXdmcp-1.1.2-r1

arm64 stable, last arch done.
Added to an existing GLSA request.
This issue was resolved and addressed in GLSA 201704-03 at https://security.gentoo.org/glsa/201704-03 by GLSA coordinator Kristian Fiskerstrand (K_F).