ANNOUNCE: (SECURITY) GDM (stable) and GDM (unstable), the "I 0wn3rz y0ur f1lez" release


(If you have no clue what gdm is, skip a few paragraphs down first)

It is time again, yes you guessed it, for a security announcement.  After
some auditing of code I found 3 issues with it, one of them being fairly
serious.  Here are the descriptions and CVE numbers

CAN-2003-0547 which allows any user to read any root readable text file on
the system by making a symlink from ~/.xsession-errors.  This affects all
GNOME2 versions.

CAN-2003-0548, a crash when chosen host expires.  DoS only for XDMCP (XDMCP
should however be confined to a 'trusted' network anyway).  This affects
all versions from 2.0beta2 forward really.

CAN-2003-0549, a crash if authorization key name is shorter then 18 bytes
(that is, not MIT-MAGIC-COOKIE-1) DoS only for XDMCP (XDMCP should however be
confined to a 'trusted' network anyway).  This affects all versions that
had XDMCP.  Some distributors shipped a patch at some point which managed
to fix this though.

Mostly people would be affected by the first one as XDMCP should be off
by default and if it is on, you should really confine it to a 'trusted'
network as you can always pretty much DoS an XDMCP server because of the
way XDMCP works.

On the slightly silly news front, the cookie generation in the devel version
is now utterly overengineered.  The plus side of that is that you should
really get really REALLY random cookies even on systems with no /dev/random
and friends and no /proc.  Also it now doesn't waste all your kernel entropy
just for generating a 16 byte cookie.

In addition to auditing code for security problems, and making sure that
all random bits are really random, I've also done some optimizations,
mainly in the graphical greeter.  This cuts down on the memory usage by
quite a bit, saving about 6megs for me on the circles theme, plus 
some optimization of CPU usage and disk access.  Some utterly useless
soptimization was also done making the code a few nanoseconds faster.
The manual has also been updated, including some XDM bashing (as if you
didn't already know that it so obviously sucks:)

No new longjmp usage, however the following statistic should be of similar

 devgnome pipina:/gnome/head/cvs/gdm2% grep goto **/*.c | wc -l
 devgnome pipina:/gnome/head/cvs/gdm2%

And now for the standard part of the release announcement:

GDM is the GNOME Display Manager, it is the little proggie that runs in the
background, runs your X sessions, presents you with a login box and then
tells you to piss off because you forgot your password.  It does pretty much
everything that you would want to use xdm for, but doesn't involve as much
crack.  It doesn't use any code from xdm, and has a more paranoid and safer
design overall.  It also includes many features over xdm, the biggest one of
which is that it is more user friendly, even if your X setup is failing.  The
goal is that users should never, ever have to use the command line to
customize or troubleshoot gdm.  It of course supports xdmcp, and in fact
extends xdmcp a little bit in places where I thought xdm was lacking (but is
still compatible with xdm's xdmcp).


Highlights of (see further for and stuff):

 Security issues were not part of original release notes and
 are not present in the NEWS file in the tarball just
 in case you are wandering.  This is because and came out more then a week ago and the issues weren't
 public yet.

- Backport the errorgui from HEAD, easier then fixing
  the bugs.  This is the ~/.xsession-errors security
  fix mentioned above.

- Actually insure /tmp/.ICE-unix (#118878)

- Fix some crashes in main daemon.  This is the XDMCP crashes
  mentioned above.

- Fix the language checking code to not mess up when LC_ALL
  and LC_MESSAGES are not the same

Highlights of

- Memory profiling of the graphical greeter by not keeping
  around info (pixmaps) which we won't need.  On the circles
  theme this saves about 6megs on the circles theme.
  Also cache pixmaps in the graphical greeter which reduces
  the disk rattling we need to do to start up.  Plus a bit
  of just performance profiling should reduce CPU usage of
  the graphical greeter quite a bit too.

- Update the manual, especially the theme section

- The UserAuthDir now works in a much saner way.  If the
  directory is not tilde expanded, then we treat it just
  like /tmp and use random filenames.

- Prevent a minor DoS attack (apps being coerced to fill
  up the home dir) by intercepting the output from the
  session and only writing to the ~/.xsession-errors
  file a maximum of 80*2500 bytes.

- The user lists in the face browsers and the gdmsetup are
  now capped at a higher number, but we also cap the time
  that is spent gathering the info at 5 seconds.

- Deal with hypothetical main daemon crashes semi decently
  in the slave.

- Try /dev/fd if /proc/self/fd isn't there for checking
  which FDs are open, should make this work on more platforms
  (in particular FreeBSD)

- Run fbconsole on startup if found, this is a solaris
  thing to prevent console output to corrupt your display
  (Brian Cameron)

- Use the 66 code from session to indicate failure that
  need not display the .xsession-errors file

- Actually read the "active" state for text items

- Break all pam messages (not just the error) at 50
  columns.  This is kind of a hack, we need to support
  proper linebreaking in the theme.

- Respect negative coordinates with "-0" in the

- Display help from the setup program if not running
  from within gdm itself

- The standard config file now has most keys commented out
  so that the internal defaults are used and so that we can
  change those defaults in the future without the user having
  to update the config file.

- Improvements in the cookie generation.  Doesn't use
  up all the system entropy but just uses the 16 bytes it
  actually needs (since we just need a 16 byte cookie).
  Plus improve randomness on systems without /dev/random
  and friends.

- Correctly handle out of diskspace on auth handling and
  on the PID file thing.

- Fix the runlevel reading

- Fix possible crash on auth purge

- Fix possible chooser crash

- Fix lots of minor bugs

- Some soptimization to save a nanosecond or two

- Translation updates (Wang Jian, Funda Wang, Christian Rose, Jordi Mallach,
  Danilo Segan, Artur Flinta, Miloslav Trmac, Duarte Loreto, Kostas Papadimas,
  Ales Nyakhaychyk, Laurent Dhima, Christophe Merlet,
  Evandro Fernandes Giovanini, Metin Amiroff, Pauli Virtanen, Dafydd Harries) SECURITY ADDENDUM:
  Was not part of the original release notes to give distributors a chance
  to update.

- SECURITY: Fixed CAN-2003-0547 which allows any user to read any
  root readable text file on the system by making a symlink from

- SECURITY: Fixed CAN-2003-0548, a crash when chosen host expires.
  DoS only for XDMCP (XDMCP should however be confined to a 'trusted'
  network anyway)

- SECURITY: Fixed CAN-2003-0549, a crash if authorization key name
  is shorter then 18 bytes (that is, not MIT-MAGIC-COOKIE-1)
  DoS only for XDMCP (XDMCP should however be confined to a 'trusted'
  network anyway) stuff:

- Fix #118878 by actually ensuring /tmp/.ICE-unix

- More doc updates

- Fix up rlimit use and handle cases where we ourself
  hit SIGXCPU and SIGXFSZ.  Also handle SIGABRT cleanly
  in the main daemon.

- The error gui uses the same theme as the greeters

- The pam config files don't include the /lib/security
  prefix as apparently it's more kosher to let pam
  find the modules itself

- Fix some crashes in main daemon, fix debug output in places

- A whole pile of minor XDMCP updates

- Fix solaris build (Brian Cameron)

- Limit users in face browsers above 100 not 50

- Remove any mentions of SessionMaxFile as it isn't used anymore

- Some typos fixed (Jordi Mallach)

- Translation updates (Jordi Mallach, Artur Flinta, Christian Rose,
  Miloslav Trmac, Kostas Papadimas, Duarte Loreto, Ole Laursen,
  Danilo Segan, Christian Neumair)

Note:  GDM2 was originally written by Martin K. Petersen <mkp mkp net>, and
has for a while now been maintained by the Queen of England.  She is usually
not responsive to bug reports or feature requests.  You can try to send them
to me however.

Note2:  If installing from the tarball do note that make install overwrites
most of the setup files, all except gdm.conf.  It will however save backups
with the .orig extension first.

Note3:  Note3 has been depracated ...



Sorry no RPMS.  There is a spec file included in the tarball and it may or
not work (it should, and it did some time ago but I haven't tried it lately).

Have fun,
(or as in the immortal words of Chema: "Have sex,")


PS:  I think we're saving electricity in this incredibly hot summer as we
don't have to heat the fish water.  Though it's a few degrees higher then
should be, but I still sometimes feel like I want to just jump in there to
cool down.  You'd think that living close to the coast in San Diego you never
need AC.  That's another thing we're saving money on.  Because if we had AC
we'd be using it.  Then again we're running all the fans we have full time,
so perhaps we're not saving that much.  I'm contemplating crawling into the
freezer to cool down, but I'm so sweaty, I fear all the sweat would freeze
and I wouldn't be able to move and get out.  Plus the freezer smells like
bloodworms that we have there for the fish.

George <jirka 5z com>
   Zivot je kratkej a posranej, jako zebricek do kurniku.
                       -- Neznamy

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]