Summary and Impact
To further explore the auth mechanism libXdmcp-1.1.2 was checked as well.
XDM uses weak entropy to generate the session keys on non BSD systems:
> void XdmcpGenerateKey (XdmAuthKeyPtr key)
> #ifndef HAVE_ARC4RANDOM_BUF
> long lowbits, highbits;
> srandom ((int)getpid() ^ time((Time_t *)0));
> lowbits = random ();
> highbits = random ();
> getbits (lowbits, key->data);
> getbits (highbits, key->data + 4);
> arc4random_buf(key->data, 8);
On multi user systems it might possible to check the PID of the process and how long it is running to get an estimate of these values, which could allow an attacker to attach to the session of a different user. Several checked Linux distributions (debian, archlinux and Ubuntu) did not link against libbsd at the time this was found.
Compile against libbsd.
We will have to check, most Gentoo architectures shouldn't be affected due to
> elibc_glibc? ( dev-libs/libbsd )
Yes, libXdmcp-1.1.2-r1 contains the dependency on libbsd, and it is stable everywhere (except arm64).
Do we need to Cc arm64 to stabilize libXdmcp? Seems like it won't hurt...
arm64@: please stabilize x11-libs/libXdmcp-1.1.2-r1
Vulnerable versions dropped:
Author: Matt Turner <email@example.com>
Date: Thu Mar 16 09:12:30 2017 -0700
x11-libs/libXdmcp: Drop vulnerable versions.
(In reply to Matt Turner from comment #3)
> Do we need to Cc arm64 to stabilize libXdmcp? Seems like it won't hurt...
> arm64@: please stabilize x11-libs/libXdmcp-1.1.2-r1
arm64 stable, last arch done.
Added to an existing GLSA request.
This issue was resolved and addressed in
GLSA 201704-03 at https://security.gentoo.org/glsa/201704-03
by GLSA coordinator Kristian Fiskerstrand (K_F).