Your message dated Thu, 7 Apr 2011 03:56:32 +0200
with message-id <20110407015632.GA2813@debian.org>
and subject line Re: Bug#621423: /usr/bin/xrdb: xdmcp rogue hostname security
has caused the Debian Bug report #621423,
regarding /usr/bin/xrdb: xdmcp rogue hostname security
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

-- 
621423: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=621423
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: /usr/bin/xrdb: xdmcp rogue hostname security
- From: Paul Szabo <paul.szabo@sydney.edu.au>
- Date: Thu, 07 Apr 2011 11:32:23 +1000
- Message-id: <20110407013223.32284.27450.reportbug@bari.maths.usyd.edu.au>
Package: x11-xserver-utils
Version: 7.3+5
Severity: critical
File: /usr/bin/xrdb
Tags: security
Justification: root security hole

About the security bug in xrdb:

  http://security-tracker.debian.org/tracker/CVE-2011-0465
  http://www.ubuntu.com/usn/usn-1107-1
  https://bugs.launchpad.net/ubuntu/+source/x11-xserver-utils/+bug/752315
  http://lists.freedesktop.org/archives/xorg-announce/2011-April/001636.html
  http://cgit.freedesktop.org/xorg/app/xrdb/commit/?id=1027d5df07398c1507fb1fe3a9981aa6b4bc3a56
  http://www.securityfocus.com/bid/47189

As I understand, the result of a breach would be root access on the server.
Debian seems to have flagged this as low priority because xdmcp is not enabled
in the default setup; though the issue is exploitable via dhcp also.

In my environment we use xdmcp for users to log in to our servers. Could I
please have ideas about workaround protection?

I know that gdm uses /etc/hosts.allow and there I added the lines:

  ALL : UNKNOWN : twist /bin/echo 'No name "%n" for address "%a" -\r\n May be DNS failure - Please try again later'
  ALL : PARANOID : twist /bin/echo 'Name "%n" and address "%a" mismatch -\r\n May be DNS failure - Please try again later'
  gdm : all : allow

However, I notice that gdm uses the IP address only, not the hostname, when
evaluating hosts.allow lines, so I wonder about the effectiveness of this
protection.

How would I test whether my setup is vulnerable?

Thanks,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

-- System Information:
Debian Release: 5.0.8
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-pk04.09-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages x11-xserver-utils depends on:
ii  cpp            4:4.3.2-2        The GNU C preprocessor (cpp)
ii  libc6          2.7-18lenny7     GNU C Library: Shared libraries
ii  libice6        2:1.0.4-1        X11 Inter-Client Exchange library
ii  libsm6         2:1.0.3-2        X11 Session Management library
ii  libx11-6       2:1.1.5-2        X11 client-side library
ii  libxau6        1:1.0.3-3        X11 authorisation library
ii  libxaw7        2:1.0.4-2        X11 Athena Widget library
ii  libxext6       2:1.0.4-2        X11 miscellaneous extension librar
ii  libxi6         2:1.1.4-1        X11 Input extension library
ii  libxmu6        2:1.0.4-1        X11 miscellaneous utility library
ii  libxmuu1       2:1.0.4-1        X11 miscellaneous micro-utility li
ii  libxrandr2     2:1.2.3-1        X11 RandR extension library
ii  libxrender1    1:0.9.4-2        X Rendering Extension client libra
ii  libxt6         1:1.0.5-3        X11 toolkit intrinsics library
ii  libxtrap6      2:1.0.0-5        X11 event trapping extension libra
ii  libxxf86misc1  1:1.0.1-3        X11 XFree86 miscellaneous extensio
ii  libxxf86vm1    1:1.0.2-1        X11 XFree86 video mode extension l
ii  x11-common     1:7.3+20         X Window System (X.Org) infrastruc

x11-xserver-utils recommends no packages.

x11-xserver-utils suggests no packages.

-- no debconf information
--- End Message ---
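The bug class behind the CVE referenced above is command injection: xrdb built a command line that included a hostname it had received from the network and handed that line to a shell. The following C is an added example, not part of the bug report and not xrdb's code: it shows the unchecked interpolation beside a conservative allowlist check that refuses hostile names before any command string is built. The `cpp -DHOST=...` command template, the allowlist (letters, digits, '.' and '-') and the sample inputs are assumptions made for this illustration; the upstream commit linked in the report is the authoritative fix, and this does not claim to reproduce it.

```c
/* Added example (not xrdb's code): CVE-2011-0465 style injection and a guard.
 * Command template, allowlist and inputs are assumptions for illustration. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define HOSTNAME_MAX 255

/* Returns true only if `host` looks like a plain DNS hostname: non-empty, at
 * most HOSTNAME_MAX bytes, and made solely of letters, digits, '.' and '-'.
 * Anything a shell could interpret (';', '$', '`', quotes, whitespace,
 * newlines, ...) is rejected.  The allowlist is this example's assumption. */
bool hostname_is_safe(const char *host)
{
    if (host == NULL)
        return false;
    size_t n = strlen(host);
    if (n == 0 || n > HOSTNAME_MAX)
        return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-'))
            return false;
    }
    return true;
}

/* The vulnerable pattern: a network-supplied hostname is interpolated into a
 * command string destined for popen()/system().  Built only, never executed
 * here, so the injection stays visible and harmless. */
int build_cpp_command_unchecked(char *out, size_t outsz, const char *host)
{
    return snprintf(out, outsz, "cpp -DHOST=%s -DSERVERHOST=%s", host, host);
}

/* Hardened form: validate first, refuse to build a command for a bad name.
 * Returns -1 and leaves `out` empty on rejection. */
int build_cpp_command_checked(char *out, size_t outsz, const char *host)
{
    if (!hostname_is_safe(host)) {
        if (outsz > 0)
            out[0] = '\0';
        return -1;
    }
    return snprintf(out, outsz, "cpp -DHOST=%s -DSERVERHOST=%s", host, host);
}

int main(void)
{
    /* Constructed inputs: a benign name, and a hostile one of the kind an
     * attacker could place in a DHCP or XDMCP message. */
    const char *good = "host.example.org";
    const char *evil = "x;touch /tmp/owned;#";
    char cmd[512];

    build_cpp_command_unchecked(cmd, sizeof cmd, evil);
    printf("unchecked: %s\n", cmd); /* a shell would run the injected part */

    if (build_cpp_command_checked(cmd, sizeof cmd, evil) < 0)
        printf("checked:   rejected \"%s\"\n", evil);
    build_cpp_command_checked(cmd, sizeof cmd, good);
    printf("checked:   %s\n", cmd);
    return 0;
}
```

The allowlist is a second line of defence; the structural fix for this class of bug is to stop involving a shell at all, passing arguments as an argv vector to fork()/execvp() (or posix_spawn()) so that no metacharacter can ever be interpreted. Network-derived strings such as DHCP and XDMCP hostnames should be treated as attacker-controlled regardless of whether XDMCP is enabled.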
--- Begin Message ---
- To: Paul Szabo <paul.szabo@sydney.edu.au>, 621423-done@bugs.debian.org
- Subject: Re: Bug#621423: /usr/bin/xrdb: xdmcp rogue hostname security
- From: Cyril Brulebois <kibi@debian.org>
- Date: Thu, 7 Apr 2011 03:56:32 +0200
- Message-id: <20110407015632.GA2813@debian.org>
- In-reply-to: <20110407013223.32284.27450.reportbug@bari.maths.usyd.edu.au>
- References: <20110407013223.32284.27450.reportbug@bari.maths.usyd.edu.au>
Hi Paul,

Paul Szabo <paul.szabo@sydney.edu.au> (07/04/2011):
> Package: x11-xserver-utils
> Version: 7.3+5
> Severity: critical
> File: /usr/bin/xrdb
> Tags: security
> Justification: root security hole

http://lists.debian.org/debian-x/2011/04/msg00196.html
http://lists.debian.org/debian-x/2011/04/msg00197.html
http://lists.debian.org/debian-x/2011/04/msg00198.html

so I'd just advise upgrading packages as soon as they are released (a DSA is
pending).

(And closing the bug since we have fixed versions in the pipes.)

KiBi.

Attachment: signature.asc (Digital signature)
--- End Message ---