
Bug#621423: marked as done (/usr/bin/xrdb: xdmcp rogue hostname security)



Your message dated Thu, 7 Apr 2011 03:56:32 +0200
with message-id <20110407015632.GA2813@debian.org>
and subject line Re: Bug#621423: /usr/bin/xrdb: xdmcp rogue hostname security
has caused the Debian Bug report #621423,
regarding /usr/bin/xrdb: xdmcp rogue hostname security
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
621423: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=621423
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: x11-xserver-utils
Version: 7.3+5
Severity: critical
File: /usr/bin/xrdb
Tags: security
Justification: root security hole


About the security bug in xrdb :
  http://security-tracker.debian.org/tracker/CVE-2011-0465
  http://www.ubuntu.com/usn/usn-1107-1
  https://bugs.launchpad.net/ubuntu/+source/x11-xserver-utils/+bug/752315
  http://lists.freedesktop.org/archives/xorg-announce/2011-April/001636.html
  http://cgit.freedesktop.org/xorg/app/xrdb/commit/?id=1027d5df07398c1507fb1fe3a9981aa6b4bc3a56
  http://www.securityfocus.com/bid/47189
As I understand, the result of a breach would be root access on the
server. Debian seems to have flagged this as low priority because xdmcp
is not enabled in default setup; though the issue is exploitable via
dhcp also.

In my environment we use xdmcp for users to log in to our servers.
Could I please have ideas about workaround protection?

I know that gdm uses /etc/hosts.allow and there I added the lines:

ALL : UNKNOWN  : twist /bin/echo 'No name "%n" for address "%a" -\r\n May be DNS failure - Please try again later'
ALL : PARANOID : twist /bin/echo 'Name "%n" and address "%a" mismatch -\r\n May be DNS failure - Please try again later'
gdm : all : allow

However I notice that gdm uses IP address only, not hostname when
evaluating hosts.allow lines, so I wonder about the effectiveness
of this protection.

How would I test whether my setup is vulnerable?

Thanks,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia


-- System Information:
Debian Release: 5.0.8
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-pk04.09-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages x11-xserver-utils depends on:
ii  cpp                         4:4.3.2-2    The GNU C preprocessor (cpp)
ii  libc6                       2.7-18lenny7 GNU C Library: Shared libraries
ii  libice6                     2:1.0.4-1    X11 Inter-Client Exchange library
ii  libsm6                      2:1.0.3-2    X11 Session Management library
ii  libx11-6                    2:1.1.5-2    X11 client-side library
ii  libxau6                     1:1.0.3-3    X11 authorisation library
ii  libxaw7                     2:1.0.4-2    X11 Athena Widget library
ii  libxext6                    2:1.0.4-2    X11 miscellaneous extension librar
ii  libxi6                      2:1.1.4-1    X11 Input extension library
ii  libxmu6                     2:1.0.4-1    X11 miscellaneous utility library
ii  libxmuu1                    2:1.0.4-1    X11 miscellaneous micro-utility li
ii  libxrandr2                  2:1.2.3-1    X11 RandR extension library
ii  libxrender1                 1:0.9.4-2    X Rendering Extension client libra
ii  libxt6                      1:1.0.5-3    X11 toolkit intrinsics library
ii  libxtrap6                   2:1.0.0-5    X11 event trapping extension libra
ii  libxxf86misc1               1:1.0.1-3    X11 XFree86 miscellaneous extensio
ii  libxxf86vm1                 1:1.0.2-1    X11 XFree86 video mode extension l
ii  x11-common                  1:7.3+20     X Window System (X.Org) infrastruc

x11-xserver-utils recommends no packages.

x11-xserver-utils suggests no packages.

-- no debconf information



--- End Message ---
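The report asks how to tell whether a setup is exposed; the defensive counterpart, added here as an illustration and not part of the bug report or of xrdb's own patch, is the kind of input check a display manager should apply before a client-supplied name reaches xrdb's preprocessor. The RFC 1123 syntax used below is this example's own assumption, not necessarily the exact rule upstream chose.

```python
import re

# Constructed example: an RFC 1123-style hostname check of the kind a display
# manager could apply before handing a client-supplied name to xrdb.
# This is an added illustration; it is not the upstream xrdb fix itself.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_safe_hostname(name: str) -> bool:
    """Return True only if `name` is a syntactically valid RFC 1123 hostname.

    Anything else (shell metacharacters, whitespace, empty labels, overlong
    names) is rejected, which is the property that matters when the name
    ends up inside a shell command or a cpp define.
    """
    if not name or len(name) > 253:
        return False
    # A single trailing dot (fully qualified form) is tolerated.
    if name.endswith("."):
        name = name[:-1]
    return all(_LABEL.match(label) for label in name.split("."))


def filter_hostnames(names):
    """Split the given names into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for n in names:
        (accepted if is_safe_hostname(n) else rejected).append(n)
    return accepted, rejected


# Constructed sample input: plausible DHCP/XDMCP-supplied names, some benign,
# some carrying characters that have no place in a hostname.
SAMPLE_NAMES = [
    "ws01.maths.example",
    "ws-02",
    "ws03.",
    "-leadinghyphen",
    "ws04;id",
    "ws05$(id)",
    "ws06 host",
    "ws..07",
    "",
]

if __name__ == "__main__":
    ok, bad = filter_hostnames(SAMPLE_NAMES)
    print("accepted:", ok)
    print("rejected:", bad)
```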
--- Begin Message ---
Hi Paul,

Paul Szabo <paul.szabo@sydney.edu.au> (07/04/2011):
> Package: x11-xserver-utils
> Version: 7.3+5
> Severity: critical
> File: /usr/bin/xrdb
> Tags: security
> Justification: root security hole

http://lists.debian.org/debian-x/2011/04/msg00196.html
http://lists.debian.org/debian-x/2011/04/msg00197.html
http://lists.debian.org/debian-x/2011/04/msg00198.html

so I'd just advise upgrading packages as soon as they are released (a
DSA is pending).

(And closing the bug since we have fixed versions in the pipes.)

KiBi.



--- End Message ---
