Your message dated Thu, 7 Apr 2011 03:56:32 +0200
with message-id <20110407015632.ga2...@debian.org>
and subject line Re: Bug#621423: /usr/bin/xrdb: xdmcp rogue hostname security
has caused the Debian Bug report #621423,
regarding /usr/bin/xrdb: xdmcp rogue hostname security
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
621423: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=621423
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: x11-xserver-utils
Version: 7.3+5
Severity: critical
File: /usr/bin/xrdb
Tags: security
Justification: root security hole
About the security bug in xrdb:
http://security-tracker.debian.org/tracker/CVE-2011-0465
http://www.ubuntu.com/usn/usn-1107-1
https://bugs.launchpad.net/ubuntu/+source/x11-xserver-utils/+bug/752315
http://lists.freedesktop.org/archives/xorg-announce/2011-April/001636.html
http://cgit.freedesktop.org/xorg/app/xrdb/commit/?id=1027d5df07398c1507fb1fe3a9981aa6b4bc3a56
http://www.securityfocus.com/bid/47189
As I understand, the result of a breach would be root access on the
server. Debian seems to have flagged this as low priority because xdmcp
is not enabled in default setup; though the issue is exploitable via
dhcp also.
In my environment we use xdmcp for users to log in to our servers.
Could I please have ideas about workaround protection?
I know that gdm uses /etc/hosts.allow and there I added the lines:
ALL : UNKNOWN : twist /bin/echo 'No name "%n" for address "%a" -\r\n May be DNS failure - Please try again later'
ALL : PARANOID : twist /bin/echo 'Name "%n" and address "%a" mismatch -\r\n May be DNS failure - Please try again later'
gdm : all : allow
However I notice that gdm uses IP address only, not hostname when
evaluating hosts.allow lines, so I wonder about the effectiveness
of this protection.
How would I test whether my setup is vulnerable?
Thanks,
Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
-- System Information:
Debian Release: 5.0.8
APT prefers oldstable
APT policy: (500, 'oldstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-pk04.09-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Versions of packages x11-xserver-utils depends on:
ii cpp 4:4.3.2-2 The GNU C preprocessor (cpp)
ii libc6 2.7-18lenny7 GNU C Library: Shared libraries
ii libice6 2:1.0.4-1 X11 Inter-Client Exchange library
ii libsm6 2:1.0.3-2 X11 Session Management library
ii libx11-6 2:1.1.5-2 X11 client-side library
ii libxau6 1:1.0.3-3 X11 authorisation library
ii libxaw7 2:1.0.4-2 X11 Athena Widget library
ii libxext6 2:1.0.4-2 X11 miscellaneous extension librar
ii libxi6 2:1.1.4-1 X11 Input extension library
ii libxmu6 2:1.0.4-1 X11 miscellaneous utility library
ii libxmuu1 2:1.0.4-1 X11 miscellaneous micro-utility li
ii libxrandr2 2:1.2.3-1 X11 RandR extension library
ii libxrender1 1:0.9.4-2 X Rendering Extension client libra
ii libxt6 1:1.0.5-3 X11 toolkit intrinsics library
ii libxtrap6 2:1.0.0-5 X11 event trapping extension libra
ii libxxf86misc1 1:1.0.1-3 X11 XFree86 miscellaneous extensio
ii libxxf86vm1 1:1.0.2-1 X11 XFree86 video mode extension l
ii x11-common 1:7.3+20 X Window System (X.Org) infrastruc
x11-xserver-utils recommends no packages.
x11-xserver-utils suggests no packages.
-- no debconf information
--- End Message ---
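As an added example (not code from xrdb or the Debian packages) of the defensive pattern behind the upstream fix linked above: a hostname learned from an untrusted source such as XDMCP or DHCP is checked against a strict allowlist before it is placed on a preprocessor command line. The allowlist, the label rules and the HOST define name are this example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOSTNAME 255

/* True only for a non-empty name of at most MAX_HOSTNAME bytes made of
 * ASCII letters, digits, '-' and '.', with no label empty or starting
 * or ending in '-'. Shell metacharacters (space, quotes, ';', '$', '`',
 * '|', '&', newline, ...) are rejected simply because they are not on
 * the allowlist; no denylist is needed. */
bool hostname_is_safe(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;
    size_t len = strlen(name);
    if (len > MAX_HOSTNAME)
        return false;
    bool label_start = true;
    for (size_t i = 0; i < len; i++) {
        char c = name[i];
        bool alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                     (c >= '0' && c <= '9');
        if (c == '.') {
            /* reject an empty label or a label ending in '-' */
            if (label_start || name[i - 1] == '-')
                return false;
            label_start = true;
        } else if (alnum || (c == '-' && !label_start)) {
            label_start = false;
        } else {
            return false;
        }
    }
    /* the final label must be non-empty and must not end in '-' */
    return !label_start && name[len - 1] != '-';
}

/* Builds a HOST-style cpp define (assumed name) for the command line,
 * refusing with -1 when the hostname fails the allowlist or does not
 * fit. Returns the number of bytes written otherwise. */
int build_host_define(const char *name, char *out, size_t outsz)
{
    if (!hostname_is_safe(name))
        return -1;
    int n = snprintf(out, outsz, "-DHOST=%s", name);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}
```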
--- Begin Message ---
Hi Paul,
Paul Szabo <paul.sz...@sydney.edu.au> (07/04/2011):
> Package: x11-xserver-utils
> Version: 7.3+5
> Severity: critical
> File: /usr/bin/xrdb
> Tags: security
> Justification: root security hole
http://lists.debian.org/debian-x/2011/04/msg00196.html
http://lists.debian.org/debian-x/2011/04/msg00197.html
http://lists.debian.org/debian-x/2011/04/msg00198.html
so I'd just advise upgrading packages as soon as they are released (a
DSA is pending).
(And closing the bug since we have fixed versions in the pipes.)
KiBi.
--- End Message ---