
Bug#252561: CAN-2004-0419: opens a chooserFd TCP socket even when DisplayManager.requestPort is 0

Package: xdm
Version: 4.3.0.dfsg.1-4
Severity: grave
Tags: security upstream patch woody sarge sid

[The distro tags are just to be on the safe side - I've only verified that
this applies to the sid source]

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0419 :

CAN-2004-0419 (under review)

   This is a candidate for inclusion in the CVE list, which
   standardizes names for security problems. It must be reviewed and
   accepted by the CVE Editorial Board before it can be added into
   CVE. Therefore, this candidate may be modified or even rejected in the

   Name CAN-2004-0419 (under review)
   Description XDM in XFree86 opens a chooserFd TCP socket even when
   DisplayManager.requestPort is 0, which could allow remote attackers to
   connect to the port, in violation of the intended restrictions.
     * CONFIRM:http://bugs.xfree86.org/show_bug.cgi?id=1376
     * CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=12490
     * OPENBSD:20040526 008: SECURITY FIX: May 26, 2004
     * URL:http://www.openbsd.org/errata.html#xdm

   Phase Assigned (20040416)

   Note: References are provided for the convenience of the reader to
   help distinguish between vulnerabilities. The list of references is
   not intended to be complete.

   Candidate assigned on 20040416 and proposed on N/A

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (800, 'unstable'), (750, 'experimental'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.27-pre4
Locale: LANG=C, LC_CTYPE=en_US.ISO8859-1
Obsig: developing a new sig
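
A defensive check for the condition in the CVE description above, as an added example that is not part of the original report: it reads an xdm-config and `netstat -tlnp` output and reports TCP listeners owned by xdm while DisplayManager.requestPort is 0. The sample config, the netstat lines and the function names are constructed for illustration.

```python
import re

# Constructed sample inputs (not taken from the bug report).
SAMPLE_XDM_CONFIG = """\
! xdm-config (constructed sample)
DisplayManager.errorLogFile:    /var/log/xdm.log
! do not listen for XDMCP or Chooser requests
DisplayManager.requestPort:     0
"""

SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN  401/sshd
tcp        0      0 0.0.0.0:32781    0.0.0.0:*        LISTEN  612/xdm
"""


def request_port(config_text):
    """Return DisplayManager.requestPort from X resource text, or None if unset."""
    port = None
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):  # '!' starts a resource-file comment
            continue
        m = re.match(r"DisplayManager[.*]requestPort\s*:\s*(\d+)\s*$", line)
        if m:
            port = int(m.group(1))  # keep the last value seen in the file
    return port


def xdm_tcp_listeners(netstat_text, program="xdm"):
    """Return (local_address, pid) for each listening TCP socket owned by program."""
    listeners = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[0].startswith("tcp") and f[5] == "LISTEN":
            pid, _, name = f[6].partition("/")  # "-" when netstat ran unprivileged
            if name == program:
                listeners.append((f[3], int(pid)))
    return listeners


def audit(config_text, netstat_text):
    """Listeners that contradict requestPort 0; empty list when nothing to report."""
    if request_port(config_text) != 0:
        return []
    return xdm_tcp_listeners(netstat_text)
```

Run `netstat -tlnp` as root so the PID/Program column is populated; lines without an owner are skipped rather than guessed at.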
