Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 611352 (CVE-2017-2625) - <x11-libs/libXdmcp-1.1.2-r1: weak entropy usage for session keys
Summary: <x11-libs/libXdmcp-1.1.2-r1: weak entropy usage for session keys
Status: RESOLVED FIXED
Alias: CVE-2017-2625
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://www.x41-dsec.de/lab/advisorie...
Whiteboard: ~1 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-03-02 00:06 UTC by Thomas Deutschmann
Modified: 2017-04-10 21:36 UTC (History)
1 user (show)

See Also:
Package list:
x11-libs/libXdmcp-1.1.2-r1
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann gentoo-dev Security 2017-03-02 00:06:00 UTC
Summary and Impact
==================
To further explore the auth mechanism libXdmcp-1.1.2 was checked as well.

XDM uses weak entropy to generate the session keys on non BSD systems:

> void XdmcpGenerateKey (XdmAuthKeyPtr key)
> {
>   #ifndef HAVE_ARC4RANDOM_BUF
>    long    lowbits, highbits;
>    srandom ((int)getpid() ^ time((Time_t *)0));
>    lowbits = random ();
>    highbits = random ();
>    getbits (lowbits, key->data);
>    getbits (highbits, key->data + 4);
>   #else
>     arc4random_buf(key->data, 8);
>   #endif
> }

On multi user systems it might possible to check the PID of the process and how long it is running to get an estimate of these values, which could allow an attacker to attach to the session of a different user. Several checked Linux distributions (debian, archlinux and Ubuntu) did not link against libbsd at the time this was found.


Workaround
==========
Compile against libbsd.
Comment 1 Thomas Deutschmann gentoo-dev Security 2017-03-02 00:10:27 UTC
We will have to check, most Gentoo architectures shouldn't be affected due to

> elibc_glibc? ( dev-libs/libbsd )
Comment 2 Matt Turner gentoo-dev 2017-03-02 03:28:00 UTC
Yes, libXdmcp-1.1.2-r1 contains the dependency on libbsd, and it is stable everywhere (except arm64).
Comment 3 Matt Turner gentoo-dev 2017-03-04 16:12:17 UTC
Do we need to Cc arm64 to stabilize libXdmcp? Seems like it won't hurt...

arm64@: please stabilize x11-libs/libXdmcp-1.1.2-r1
Comment 4 Matt Turner gentoo-dev 2017-03-16 16:13:27 UTC
Vulnerable versions dropped:

commit 5d04eb33c23b663f017c70b3e9b6e266784d55c8
Author: Matt Turner <mattst88@gentoo.org>
Date:   Thu Mar 16 09:12:30 2017 -0700

    x11-libs/libXdmcp: Drop vulnerable versions.
    
    Bug: https://bugs.gentoo.org/611352
Comment 5 Michael Weber (RETIRED) gentoo-dev 2017-03-16 18:05:29 UTC
(In reply to Matt Turner from comment #3)
> Do we need to Cc arm64 to stabilize libXdmcp? Seems like it won't hurt...
> 
> arm64@: please stabilize x11-libs/libXdmcp-1.1.2-r1

arm64 stable, last arch done.
Comment 6 Thomas Deutschmann gentoo-dev Security 2017-03-18 13:15:30 UTC
Added to an existing GLSA request.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2017-04-10 21:36:01 UTC
This issue was resolved and addressed in
 GLSA 201704-03 at https://security.gentoo.org/glsa/201704-03
by GLSA coordinator Kristian Fiskerstrand (K_F).