On Tue, Jun 01, 2004 at 02:53:28PM -0700, Matt Zimmerman wrote:
> According to the information I have seen, this bug probably does not affect
> woody, but I would appreciate confirmation, and to bring it to your
> attention for unstable:
>
> http://bugs.xfree86.org/show_bug.cgi?id=1376
> http://www.openbsd.org/errata.html#xdm
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=124900
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0419

Woody's XFree86 does not contain the offending missing code; its
CreateWellKnownSockets() function exits if request_port is zero:

[0] [EMAIL PROTECTED]:~/packages/xfree86/4.1.0/xfree86-4.1.0 % head -n 1 debian/changelog
xfree86 (4.1.0-16woody3) stable-security; urgency=high
[0] [EMAIL PROTECTED]:~/packages/xfree86/4.1.0/xfree86-4.1.0 % grep -5 request_port build-tree/xc/programs/xdm/socket.c
CreateWellKnownSockets (void)
{
    struct sockaddr_in  sock_addr;
    char *name;

    if (request_port == 0)
            return;
    Debug ("creating socket %d\n", request_port);
    xdmcpFd = socket (AF_INET, SOCK_DGRAM, 0);
    if (xdmcpFd == -1) {
        LogError ("XDMCP socket creation failed, errno %d\n", errno);
        return;
    }
--
    bzero ((char *) &sock_addr, sizeof (sock_addr));
#ifdef BSD44SOCKETS
    sock_addr.sin_len = sizeof(sock_addr);
#endif
    sock_addr.sin_family = AF_INET;
    sock_addr.sin_port = htons ((short) request_port);
    sock_addr.sin_addr.s_addr = htonl (INADDR_ANY);
    if (bind (xdmcpFd, (struct sockaddr *)&sock_addr, sizeof (sock_addr)) == -1) {
        LogError ("error %d binding socket address %d\n", errno, request_port);
        close (xdmcpFd);
        xdmcpFd = -1;
        return;
    }
    WellKnownSocketsMax = xdmcpFd;

Some versions of XFree86 released to experimental, sid, and sarge were
vulnerable previously, but not at present:

xfree86 (4.3.0.dfsg.1-1) unstable; urgency=low

  [...]
  * Restore original xdm behavior of interpreting an XDMCP request port of
    zero (the default) as an instruction not to open a port at all.
    Equivalent code was apparently accidentally deleted in upstream CVS
    (thanks, Jeff King).  (Closes: #239341)
  [...]

 -- Fabio M. Di Nitto <[EMAIL PROTECTED]>  Wed, 28 Apr 2004 18:55:17 +0200

Thanks for bringing this issue to my attention. I do not think any current
Debian distribution, released or pending, is vulnerable to this flaw.

Please let me know if there is anything more I can do.

-- 
G. Branden Robinson                |    The last Christian died on the
Debian GNU/Linux                   |    cross.
[EMAIL PROTECTED]                  |    -- Friedrich Nietzsche
http://people.debian.org/~branden/ |
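
Added example, not part of the original message and not xdm source: a small C program showing why the request_port == 0 guard quoted above matters. Without it, port 0 is handed to bind(), which the kernel treats as a request for any free port, so a UDP listener is opened anyway. The names open_request_socket(), bound_port() and honor_zero are hypothetical.

```c
/* Added example, not xdm source: function names are hypothetical. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open a UDP listener for request_port. With honor_zero set, port 0 means
 * "do not listen" (the woody behaviour) and no socket is created. With it
 * clear, port 0 reaches bind(), where it means "kernel, pick any port".
 * Returns the socket fd, or -1 if nothing was opened. */
int open_request_socket(int request_port, int honor_zero)
{
    struct sockaddr_in sock_addr;
    int fd;
    if (honor_zero && request_port == 0)
        return -1;
    fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd == -1)
        return -1;
    memset(&sock_addr, 0, sizeof(sock_addr));
    sock_addr.sin_family = AF_INET;
    sock_addr.sin_port = htons((unsigned short) request_port);
    sock_addr.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(fd, (struct sockaddr *) &sock_addr, sizeof(sock_addr)) == -1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Port the kernel actually assigned, or 0 if fd is not a bound socket. */
int bound_port(int fd)
{
    struct sockaddr_in addr;
    socklen_t len = sizeof(addr);
    if (fd < 0 || getsockname(fd, (struct sockaddr *) &addr, &len) == -1)
        return 0;
    return ntohs(addr.sin_port);
}

int main(void)
{
    int fd = open_request_socket(0, 0);
    printf("guarded:   port %d\n", bound_port(open_request_socket(0, 1)));
    printf("unguarded: port %d\n", bound_port(fd));
    if (fd >= 0) close(fd);
    return 0;
}
```

On a host where xdm is expected not to listen for XDMCP, an unexpected xdm UDP socket on a high port in `ss -ulpn` or `netstat -ulpn` output is the visible symptom of the missing guard.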