On Tue, Jun 01, 2004 at 02:53:28PM -0700, Matt Zimmerman wrote:
> According to the information I have seen, this bug probably does not affect
> woody, but I would appreciate confirmation, and to bring it to your
> attention for unstable:
>
> http://bugs.xfree86.org/show_bug.cgi?id=1376
> http://www.openbsd.org/errata.html#xdm
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=124900
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0419

Woody's XFree86 does not contain the offending missing code; its
CreateWellKnownSockets() function exits if request_port is zero:

[0] branden@redwald:~/packages/xfree86/4.1.0/xfree86-4.1.0 % head -n 1 debian/changelog
xfree86 (4.1.0-16woody3) stable-security; urgency=high
[0] branden@redwald:~/packages/xfree86/4.1.0/xfree86-4.1.0 % grep -5 request_port build-tree/xc/programs/xdm/socket.c
CreateWellKnownSockets (void)
{
    struct sockaddr_in sock_addr;
    char *name;
    if (request_port == 0)
        return;
    Debug ("creating socket %d\n", request_port);
    xdmcpFd = socket (AF_INET, SOCK_DGRAM, 0);
    if (xdmcpFd == -1) {
        LogError ("XDMCP socket creation failed, errno %d\n", errno);
        return;
    }
--
    bzero ((char *) &sock_addr, sizeof (sock_addr));
#ifdef BSD44SOCKETS
    sock_addr.sin_len = sizeof(sock_addr);
#endif
    sock_addr.sin_family = AF_INET;
    sock_addr.sin_port = htons ((short) request_port);
    sock_addr.sin_addr.s_addr = htonl (INADDR_ANY);
    if (bind (xdmcpFd, (struct sockaddr *)&sock_addr, sizeof (sock_addr)) == -1)
    {
        LogError ("error %d binding socket address %d\n", errno, request_port);
        close (xdmcpFd);
        xdmcpFd = -1;
        return;
    }
    WellKnownSocketsMax = xdmcpFd;

Some versions of XFree86 released to experimental, sid, and sarge were
vulnerable previously, but not at present:

xfree86 (4.3.0.dfsg.1-1) unstable; urgency=low
[...]
  * Restore original xdm behavior of interpreting an XDMCP request port of
    zero (the default) as an instruction not to open a port at all.
    Equivalent code was apparently accidentally deleted in upstream CVS
    (thanks, Jeff King). (Closes: #239341)
[...]
 -- Fabio M. Di Nitto <fabbione@fabbione.net> Wed, 28 Apr 2004 18:55:17 +0200

Thanks for bringing this issue to my attention. I do not think any
current Debian distribution, released or pending, is vulnerable to this
flaw.

Please let me know if there is anything more I can do.

--
G. Branden Robinson | The last Christian died on the
Debian GNU/Linux | cross.
branden@debian.org | -- Friedrich Nietzsche
http://people.debian.org/~branden/ |
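
What the request_port == 0 check in the excerpt above prevents, as an added example that is not part of the original message or of xdm's source: bind() with port 0 makes the kernel choose an ephemeral port, so without the early return a UDP socket is still opened. The helper names and the guard_zero switch are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper modelled on the excerpt: returns a bound UDP fd, or -1.
 * guard_zero selects whether the "request_port == 0" early return is present. */
static int open_xdmcp_socket(int request_port, int guard_zero)
{
    struct sockaddr_in sa;
    int fd;
    if (guard_zero && request_port == 0)
        return -1;                       /* port 0 means: open nothing */
    fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd == -1)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons((unsigned short) request_port);
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(fd, (struct sockaddr *) &sa, sizeof sa) == -1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Port actually bound after the call: 0 if no socket was opened,
 * otherwise the port reported by getsockname(); -1 if that lookup fails. */
static int port_opened(int request_port, int guard_zero)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int port, fd = open_xdmcp_socket(request_port, guard_zero);
    if (fd == -1)
        return 0;
    port = getsockname(fd, (struct sockaddr *) &sa, &len) == 0 ? ntohs(sa.sin_port) : -1;
    close(fd);
    return port;
}

int main(void)
{
    printf("port 0 with guard: %d, without guard: %d\n", port_opened(0, 1), port_opened(0, 0));
    return 0;
}
```

With the guard the reported port is 0 (no socket); without it the kernel assigns a nonzero port, which is the unintended open socket the changelog entry describes restoring protection against.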