Debian Bug report logs - #621423: /usr/bin/xrdb: xdmcp rogue hostname security
Reported by: Paul Szabo <paul.szabo@sydney.edu.au>
Date: Thu, 7 Apr 2011 01:39:01 UTC
Severity: critical
Tags: security
Found in version x11-xserver-utils/7.3+5
Fixed in versions x11-xserver-utils/7.5+3, x11-xserver-utils/7.3+6, x11-xserver-utils/7.6+2
Done: Cyril Brulebois <kibi@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian X Strike Force <debian-x@lists.debian.org>: Bug#621423; Package x11-xserver-utils. (Thu, 07 Apr 2011 01:39:05 GMT)
Acknowledgement sent to Paul Szabo <paul.szabo@sydney.edu.au>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian X Strike Force <debian-x@lists.debian.org>. (Thu, 07 Apr 2011 01:39:05 GMT)
Message #5 received at submit@bugs.debian.org:
Package: x11-xserver-utils
Version: 7.3+5
Severity: critical
File: /usr/bin/xrdb
Tags: security
Justification: root security hole
About the security bug in xrdb:
http://security-tracker.debian.org/tracker/CVE-2011-0465
http://www.ubuntu.com/usn/usn-1107-1
https://bugs.launchpad.net/ubuntu/+source/x11-xserver-utils/+bug/752315
http://lists.freedesktop.org/archives/xorg-announce/2011-April/001636.html
http://cgit.freedesktop.org/xorg/app/xrdb/commit/?id=1027d5df07398c1507fb1fe3a9981aa6b4bc3a56
http://www.securityfocus.com/bid/47189
As I understand, the result of a breach would be root access on the
server. Debian seems to have flagged this as low priority because xdmcp
is not enabled in default setup; though the issue is exploitable via
dhcp also.
In my environment we use xdmcp for users to log in to our servers.
Could I please have ideas about workaround protection?
I know that gdm uses /etc/hosts.allow and there I added the lines:
ALL : UNKNOWN : twist /bin/echo 'No name "%n" for address "%a" -\r\n May be DNS failure - Please try again later'
ALL : PARANOID : twist /bin/echo 'Name "%n" and address "%a" mismatch -\r\n May be DNS failure - Please try again later'
gdm : all : allow
However I notice that gdm uses IP address only, not hostname when
evaluating hosts.allow lines, so I wonder about the effectiveness
of this protection.
How would I test whether my setup is vulnerable?
Thanks,
Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
-- System Information:
Debian Release: 5.0.8
APT prefers oldstable
APT policy: (500, 'oldstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-pk04.09-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Versions of packages x11-xserver-utils depends on:
ii cpp 4:4.3.2-2 The GNU C preprocessor (cpp)
ii libc6 2.7-18lenny7 GNU C Library: Shared libraries
ii libice6 2:1.0.4-1 X11 Inter-Client Exchange library
ii libsm6 2:1.0.3-2 X11 Session Management library
ii libx11-6 2:1.1.5-2 X11 client-side library
ii libxau6 1:1.0.3-3 X11 authorisation library
ii libxaw7 2:1.0.4-2 X11 Athena Widget library
ii libxext6 2:1.0.4-2 X11 miscellaneous extension librar
ii libxi6 2:1.1.4-1 X11 Input extension library
ii libxmu6 2:1.0.4-1 X11 miscellaneous utility library
ii libxmuu1 2:1.0.4-1 X11 miscellaneous micro-utility li
ii libxrandr2 2:1.2.3-1 X11 RandR extension library
ii libxrender1 1:0.9.4-2 X Rendering Extension client libra
ii libxt6 1:1.0.5-3 X11 toolkit intrinsics library
ii libxtrap6 2:1.0.0-5 X11 event trapping extension libra
ii libxxf86misc1 1:1.0.1-3 X11 XFree86 miscellaneous extensio
ii libxxf86vm1 1:1.0.2-1 X11 XFree86 video mode extension l
ii x11-common 1:7.3+20 X Window System (X.Org) infrastruc
x11-xserver-utils recommends no packages.
x11-xserver-utils suggests no packages.
-- no debconf information
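An added example, not part of this bug report or of gdm/tcp_wrappers: a small offline check that labels a client address the way the hosts.allow UNKNOWN and PARANOID wildcards above do (no reverse name, or forward and reverse lookups that disagree) and additionally refuses a reverse name that is not hostname-shaped, since an unsanitised name is what the xrdb bug consumes. The resolver functions and the example.net records are constructed stand-ins, not real DNS data.

```python
import re
import socket

# Conservative hostname syntax (letters, digits, hyphens, dot-separated labels).
# Anything else is refused: a name that reaches xrdb unsanitised is the crux of CVE-2011-0465.
_HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$")

def hostname_is_sane(name):
    return len(name) <= 253 and _HOSTNAME_RE.match(name) is not None

def classify_client(addr, reverse=socket.gethostbyaddr, forward=socket.gethostbyname_ex):
    """Label a client address the way tcp_wrappers' UNKNOWN / PARANOID wildcards do,
    plus BAD_NAME for a reverse name that is not hostname-shaped. Returns (label, name).
    reverse/forward are injectable so the check can run without DNS."""
    try:
        name = reverse(addr)[0]          # PTR lookup; failure -> UNKNOWN
    except OSError:
        return "UNKNOWN", None
    if not hostname_is_sane(name):
        return "BAD_NAME", name
    try:
        addrs = forward(name)[2]         # A lookup of the PTR name
    except OSError:
        addrs = []
    if addr not in addrs:                # forward/reverse disagree -> PARANOID
        return "PARANOID", name
    return "OK", name

# Constructed sample records (not real hosts): address -> PTR name, name -> A records.
_PTR = {"192.0.2.10": "ws10.example.net",
        "192.0.2.11": "ws11.example.net",          # forward record points elsewhere
        "192.0.2.12": "bogus name.example.net"}    # PTR content that is not a hostname
_A = {"ws10.example.net": ["192.0.2.10"], "ws11.example.net": ["192.0.2.99"]}

def _fake_reverse(addr):
    if addr not in _PTR:
        raise socket.herror(1, "Unknown host")
    return (_PTR[addr], [], [addr])

def _fake_forward(name):
    if name not in _A:
        raise socket.gaierror(-2, "Name or service not known")
    return (name, [], _A[name])

def check_sample():
    """Run the classifier over the constructed records; 192.0.2.13 has no PTR at all."""
    return {a: classify_client(a, _fake_reverse, _fake_forward)[0]
            for a in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13")}
```

Calling classify_client(addr) with the defaults uses the live resolver, which is how the check would be run against a real XDMCP client address.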
Reply sent to Cyril Brulebois <kibi@debian.org>: You have taken responsibility. (Thu, 07 Apr 2011 02:00:06 GMT)
Notification sent to Paul Szabo <paul.szabo@sydney.edu.au>: Bug acknowledged by developer. (Thu, 07 Apr 2011 02:00:07 GMT)
Message #10 received at 621423-done@bugs.debian.org:
Hi Paul,
Paul Szabo <paul.szabo@sydney.edu.au> (07/04/2011):
> Package: x11-xserver-utils
> Version: 7.3+5
> Severity: critical
> File: /usr/bin/xrdb
> Tags: security
> Justification: root security hole
http://lists.debian.org/debian-x/2011/04/msg00196.html
http://lists.debian.org/debian-x/2011/04/msg00197.html
http://lists.debian.org/debian-x/2011/04/msg00198.html
so I'd just advise upgrading packages as soon as they are released (a
DSA is pending).
(And closing the bug since we have fixed versions in the pipes.)
KiBi.
Bug marked as fixed in versions x11-xserver-utils/7.6+2. Request was from Yves-Alexis Perez <corsac@debian.org> to control@bugs.debian.org. (Thu, 07 Apr 2011 06:00:07 GMT)
Bug marked as fixed in versions x11-xserver-utils/7.3+6. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Sun, 10 Apr 2011 01:15:26 GMT)
Bug marked as fixed in versions x11-xserver-utils/7.5+3. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Sun, 10 Apr 2011 01:15:27 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 02 Jul 2011 07:34:38 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:04:30 2019