On Sun, Mar 09, 2008 at 08:00:59AM -0700, [EMAIL PROTECTED] wrote:
> On Sun, Mar 09, 2008 at 02:52:01PM +0100, Moritz Muehlenhoff wrote:
> > Vagrant, since the ldm source package is not present in Etch, does
> > this not affect stable at all or has the code been moved between
> > packages?
>
> the ldm package in etch is part of the ltsp source, and while i haven't
> verified it for sure, i believe it also is affected by the bug.

yes, i can confirm that the version of ldm (0.99debian11) in etch is
vulnerable.

> the ldm version in etch is implemented in python rather than C, so it
> will require a totally different patch.

applied this patch to the ltsp sources in etch, downloaded from:

http://ftp.de.debian.org/debian/pool/main/l/ltsp/ltsp_0.99debian11.dsc

--- client/ldm.orig	2008-03-09 22:15:23.000000000 -0400
+++ client/ldm	2008-03-09 22:15:34.000000000 -0400
@@ -63,7 +63,7 @@
             os.dup2(logfile.fileno(), sys.stderr.fileno())
 
         while True:
-            server_opts = ['-br', '-ac', '-noreset']
+            server_opts = ['-br', '-noreset']
             if self.use_xfs:
                 server_opts += ['-fp', self.fontpath]
 

i've tested that it prevents people from reading/writing to the X
display, and that ldm still can log in to the server.

note that, when making the security advisory, it may be good to mention
that most ldm installs are likely to be in a chroot environment (the
chroot is exported over NFS), and will not be upgraded merely by
upgrading the server itself. for example, on i386, to upgrade ldm will
likely require:

  chroot /opt/ltsp/i386 apt-get update
  chroot /opt/ltsp/i386 apt-get dist-upgrade

if there is any additional assistance needed, please feel free to
contact [EMAIL PROTECTED] or make further comments on the bug report,
which will be forwarded to the list.

thanks!

live well,
  vagrant
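Review bot: dropping '-ac' from server_opts is the right fix, but the hunk adds no '-auth <cookie file>' in its place, so the X server is left on its default host-based access control; that is exactly what the "prevents people from reading/writing to the X display, and ldm still can log in" test above exercises, and the changelog or advisory should say so, since any site that relied on '-ac' to let remote X clients attach to a thin client's display will see those connections refused after the upgrade. If ldm ever needs a remote process to reach the display, the supported route is an MIT-MAGIC-COOKIE-1 generated with xauth and passed via '-auth', not re-enabling '-ac'.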
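As a follow-up to the fix and the chroot note in the mail above, here is an added example, not code from vagrant's mail or from the ltsp package: a small sh script that scans X server command lines for the standalone '-ac' option (the flag the patch removes, which switches off X access control entirely) and enumerates LTSP client chroots so every one of them gets the apt-get upgrade the mail describes, since upgrading the server alone leaves the chroot's ldm untouched. The script assumes, hypothetically, that chroots live directly under /opt/ltsp and contain a dpkg status file, and it honours a DRY_RUN variable so the upgrade path can be exercised without root; the ps output it scans is a constructed sample, not a capture from a real client.

```shell
#!/bin/sh
# Added example, not code from vagrant's mail or the ltsp package.
# Assumptions (hypothetical): LTSP chroots sit directly under /opt/ltsp
# and contain var/lib/dpkg/status; DRY_RUN=1 prints the chroot/apt-get
# commands instead of running them.

# Return 0 when an X server command line carries the standalone "-ac"
# option (no access control: any client that can reach the display
# socket may read the screen or inject input). Padding with spaces makes
# the match whole-token, so options merely beginning with "-ac" do not
# trigger it.
x_cmdline_has_ac() {
    case " $1 " in
        *" -ac "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read "pid args" lines (the shape of `ps -eo pid=,args=`) on stdin and
# print each X server process that was started with "-ac". Only lines
# whose first word looks like an X server binary are inspected.
find_ac_x_servers() {
    while read -r pid args; do
        case "${args%% *}" in
            X|Xorg|*/X|*/Xorg|*/Xvesa|*/Xfbdev) ;;
            *) continue ;;
        esac
        if x_cmdline_has_ac "$args"; then
            printf '%s %s\n' "$pid" "$args"
        fi
    done
}

# Print the LTSP client chroots under $1: subdirectories that hold a
# dpkg status database, i.e. Debian roots apt-get can operate on.
ltsp_chroots() {
    for d in "$1"/*/; do
        d="${d%/}"
        [ -f "$d/var/lib/dpkg/status" ] && printf '%s\n' "$d"
    done
    return 0
}

# Upgrade one chroot the way the mail describes for i386. With DRY_RUN
# set, only print the commands (so this can be tested without root).
upgrade_chroot() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'chroot %s apt-get update\nchroot %s apt-get dist-upgrade\n' "$1" "$1"
        return 0
    fi
    chroot "$1" apt-get update && chroot "$1" apt-get dist-upgrade
}

# Upgrade every chroot under the base directory (default /opt/ltsp);
# stop at the first failure so a half-upgraded chroot is noticed.
upgrade_all_chroots() {
    ltsp_chroots "${1:-/opt/ltsp}" | while read -r c; do
        upgrade_chroot "$c" || exit 1
    done
}

# Constructed sample of `ps -eo pid=,args=` output (not from a real
# host): one server still started with -ac, one already fixed, one
# unrelated daemon.
SAMPLE_PS='1234 /usr/bin/X -br -ac -noreset :0
1300 /usr/bin/X -br -noreset :1
1400 /usr/sbin/sshd'

printf '%s\n' "$SAMPLE_PS" | find_ac_x_servers
# On a live LTSP client:   ps -eo pid=,args= | find_ac_x_servers
# On the server, as root:  upgrade_all_chroots /opt/ltsp
```

Run the scan on each booted thin client (or against its /proc) rather than on the server: the X server runs on the client, so the server's process table says nothing about which clients are still up with '-ac'.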