Your message dated Tue, 14 Aug 2007 14:32:25 +0000 with message-id <E1IKxRZ-0005MC-4H@ries.debian.org> and subject line Bug#256299: fixed in xdm 1:1.1.5-1 has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: xdm: daemon can hang due to race condition in policy.c:Willing() when trying to run Xwilling script
- From: Branden Robinson <branden@debian.org>
- Date: Mon, 27 Sep 2004 21:32:58 -0500
- Message-id: <20040928023258.GH6686@redwald.deadbeast.net>
Package: xdm
Version: 4.3.0.dfsg.1-7
Severity: normal

Note to self: set submitter to Chip Coldwell <coldwell@physics.harvard.edu> once an ack is received for this bug.

I don't think there are any security implications to this bug, since unprivileged users cannot kill the (root-owned) Xwilling process (which is a script that lives in /etc/X11 on Debian, and is not writable by users).

Since the only people who could use this vector to DoS xdm have root privileges anyway, this bug merits severity "normal".

For a more direct method of DoSsing xdm as root, try:

    kill -STOP $(pidof xdm)

:-/

----- Forwarded message from Chip Coldwell <coldwell@physics.harvard.edu> -----
From: Chip Coldwell <coldwell@physics.harvard.edu>
To: Branden Robinson <branden@debian.org>
Cc: Debian X Strike Force <debian-x@lists.debian.org>
Subject: xdm race condition
Date: Thu, 24 Jun 2004 13:58:06 -0400 (EDT)
Message-ID: <Pine.LNX.4.58.0406240946480.19170-200000@physics.harvard.edu>
X-Mailing-List: <debian-x@lists.debian.org> archive/latest/19682
X-Spam-Status: No, hits=-5.0 required=4.0 tests=LDOSUBSCRIBER autolearn=no version=2.63-lists.debian.org_2004_06_20_05

I found another xdm bug. This time it's a race condition in xc/programs/xdm/policy.c:Willing around line numbers 140--145, which reads

    if ((fd = popen(willing, "r")))
    {
        char *s = NULL;
        while(!(s = fgets(statusBuf, 256, fd)) && errno == EINTR)
            ;

Here's the problem. The "popen" call creates a child process and a pipe to communicate with it. If the child process exits during the "fgets" call without generating any output, the parent process receives SIGCHLD and the read system call gets interrupted. Therefore errno == EINTR, and since the child has exited the pipe never returns any data. xdm goes into an infinite loop.

I think the problem is that fgets doesn't reset errno to zero; we have to do that manually. The fix is the trivial patch attached to this email.

(The child process is the "Xwilling" script; in the case of the default Debian configuration it is "su nobody -c /usr/X11R6/lib/X11/xdm/Xwilling")

Chip

-- 
Charles M. "Chip" Coldwell
System Administrator
Harvard Physics Department
617-495-3388

Content-Description: xdm race condition fix
--- xc/programs/xdm/policy.c~ 2002-12-07 15:31:04.000000000 -0500 +++ xc/programs/xdm/policy.c 2004-06-24 09:56:19.000000000 -0400 
@@ -140,8 +140,9 @@ if ((fd = popen(willing, "r"))) { char *s = NULL; + errno = 0; while(!(s = fgets(statusBuf, 256, fd)) && errno == EINTR) - ; + errno = 0; if (s && strlen(statusBuf) > 0) statusBuf[strlen(statusBuf)-1] = 0; /* chop newline */ else ----- End forwarded message ----- -- G. Branden Robinson | Life is what happens to you while Debian GNU/Linux | you're busy making other plans. branden@debian.org | -- John Lennon http://people.debian.org/~branden/ |Attachment: signature.asc
Description: Digital signature
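Review bot: in the retry loop at "while(!(s = fgets(statusBuf, 256, fd)) && errno == EINTR)", the decision to retry still rests on errno alone, and the stream's error indicator left by the interrupted read is never cleared. Consider checking feof(fd) and ferror(fd) after a NULL return and calling clearerr(fd) before retrying, so that end-of-file from an exited Xwilling child ends the loop whatever errno holds. The added loop body "errno = 0;" is also the sole statement of an unbraced while; braces and a one-line comment saying why errno is reset would keep it from being read as a stray assignment.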
--- End Message ---
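The failure sequence described in the forwarded report, as an added example that is not part of the original messages or of xdm's source: the loop as quoted, and the same loop with the patch's "errno = 0", each run against a child that prints nothing. The names fgets_sim, willing_loop_calls and SPIN_CAP are hypothetical; the SIGCHLD interruption is simulated by a wrapper that sets errno on its first call so the result is deterministic, and the commands "true" and "echo ok" stand in for the Xwilling script.

```c
#define _POSIX_C_SOURCE 200809L   /* popen(), pclose() */
#include <errno.h>
#include <stdio.h>

#define SPIN_CAP 1000   /* stands in for "forever" so the demo returns */

static int interrupt_pending;   /* simulated SIGCHLD interruption not yet delivered */

/* Constructed stand-in for fgets(): the first call fails the way a read()
 * interrupted by SIGCHLD does (NULL, errno = EINTR); later calls are real. */
static char *fgets_sim(char *buf, int n, FILE *fp)
{
    if (interrupt_pending) {
        interrupt_pending = 0;
        errno = EINTR;
        return NULL;
    }
    return fgets(buf, n, fp);   /* hitting EOF here does not clear errno */
}

/* Runs the Willing() read loop on the output of cmd and returns how many
 * fgets() calls it made (SPIN_CAP means it never left the loop).
 * patched = 0: loop as quoted in the report; patched = 1: with "errno = 0". */
int willing_loop_calls(const char *cmd, int patched)
{
    char statusBuf[256], *s = NULL;
    int calls = 0;
    FILE *fd = popen(cmd, "r");

    if (!fd) return -1;
    interrupt_pending = 1;
    if (patched) errno = 0;            /* first line the patch adds */
    while (calls < SPIN_CAP) {
        s = fgets_sim(statusBuf, 256, fd);
        calls++;
        if (s || errno != EINTR)       /* negation of the original while() test */
            break;
        if (patched) errno = 0;        /* loop body the patch adds */
    }
    pclose(fd);
    return calls;
}

int main(void)
{
    printf("original/silent=%d patched/silent=%d original/output=%d\n",
           willing_loop_calls("true", 0), willing_loop_calls("true", 1),
           willing_loop_calls("echo ok", 0));
    return 0;
}
```

The unpatched loop only spins when the child exits without output; once the child writes a line, fgets() returns non-NULL and the stale EINTR is never consulted.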
--- Begin Message ---
- To: 256299-close@bugs.debian.org
- Subject: Bug#256299: fixed in xdm 1:1.1.5-1
- From: Julien Cristau <jcristau@debian.org>
- Date: Tue, 14 Aug 2007 14:32:25 +0000
- Message-id: <E1IKxRZ-0005MC-4H@ries.debian.org>
Source: xdm
Source-Version: 1:1.1.5-1

We believe that the bug you reported is fixed in the latest version of xdm, which is due to be installed in the Debian FTP archive:

xdm_1.1.5-1.diff.gz
  to pool/main/x/xdm/xdm_1.1.5-1.diff.gz
xdm_1.1.5-1.dsc
  to pool/main/x/xdm/xdm_1.1.5-1.dsc
xdm_1.1.5-1_i386.deb
  to pool/main/x/xdm/xdm_1.1.5-1_i386.deb
xdm_1.1.5.orig.tar.gz
  to pool/main/x/xdm/xdm_1.1.5.orig.tar.gz

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 256299@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Cristau <jcristau@debian.org> (supplier of updated xdm package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 14 Aug 2007 15:58:19 +0200
Source: xdm
Binary: xdm
Architecture: source i386
Version: 1:1.1.5-1
Distribution: unstable
Urgency: low
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Julien Cristau <jcristau@debian.org>
Description:
 xdm - X display manager
Closes: 256299 382418 419143 427233
Changes:
 xdm (1:1.1.5-1) unstable; urgency=low
 .
   * Use /usr/bin/xdm instead of /usr/bin/X11/xdm in the init script and in the debconf templates. On upgrades, if /etc/X11/default-display-manager contains /usr/bin/X11/xdm, change it to /usr/bin/xdm (closes: #382418).
   * New upstream release
     + fixes race condition in policy.c:Willing() (closes: #256299).
     + xdm_fixes.diff, debian.diff: drop our changes to config/Xresources.cpp. They don't apply on top of 1.1.5.
   * Build against libXft (closes: #427233).
   * Use lsb functions for init script output (closes: #419143).
Files:
 fe5c90721fadd25b7ed074437b3ed56f 899 x11 optional xdm_1.1.5-1.dsc
 37269e484666296045009cb9f1e673fd 514142 x11 optional xdm_1.1.5.orig.tar.gz
 1d1d565c4f1d5bcc08ccb5471f7aedcd 249114 x11 optional xdm_1.1.5-1.diff.gz
 7cda32d8cbea6009b4bd9e09d7f0bf39 187500 x11 optional xdm_1.1.5-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGwbjBmEvTgKxfcAwRAoy1AJ41sj2OdWd25IIhaJjJ3a5TN5RfigCfZ8PH
xjaZILrUyTNTfz6N9cYy+LY=
=KwA9
-----END PGP SIGNATURE-----
--- End Message ---