ANNOUNCE: (SECURITY) GDM 220.127.116.11 (stable) and GDM 18.104.22.168 (unstable), the "I 0wn3rz y0ur f1lez" release
- From: George <jirka 5z com>
- To: gnome-announce-list gnome org, gdm SunSITE dk
- Subject: ANNOUNCE: (SECURITY) GDM 22.214.171.124 (stable) and GDM 126.96.36.199 (unstable), the "I 0wn3rz y0ur f1lez" release
- Date: Wed, 20 Aug 2003 16:40:01 -0700
(If you have no clue what gdm is, skip a few paragraphs down first)
It is time again, yes you guessed it, for a security announcement. After
some auditing of code I found 3 issues with it, one of them being fairly
serious. Here are the descriptions and CVE numbers
CAN-2003-0547 which allows any user to read any root readable text file on
the system by making a symlink from ~/.xsession-errors. This affects all
CAN-2003-0548, a crash when chosen host expires. DoS only for XDMCP (XDMCP
should however be confined to a 'trusted' network anyway). This affects
all versions from 2.0beta2 forward really.
CAN-2003-0549, a crash if authorization key name is shorter then 18 bytes
(that is, not MIT-MAGIC-COOKIE-1) DoS only for XDMCP (XDMCP should however be
confined to a 'trusted' network anyway). This affects all versions that
had XDMCP. Some distributors shipped a patch at some point which managed
to fix this though.
Mostly people would be affected by the first one as XDMCP should be off
by default and if it is on, you should really confine it to a 'trusted'
network as you can always pretty much DoS an XDMCP server because of the
way XDMCP works.
On the slightly silly news front, the cookie generation in the devel version
is now utterly overengineered. The plus side of that is that you should
really get really REALLY random cookies even on systems with no /dev/random
and friends and no /proc. Also it now doesn't waste all your kernel entropy
just for generating a 16 byte cookie.
In addition to auditing code for security problems, and making sure that
all random bits are really random, I've also done some optimizations,
mainly in the graphical greeter. This cuts down on the memory usage by
quite a bit, saving about 6megs for me on the circles theme, plus
some optimization of CPU usage and disk access. Some utterly useless
soptimization was also done making the code a few nanoseconds faster.
The manual has also been updated, including some XDM bashing (as if you
didn't already know that it so obviously sucks:)
No new longjmp usage, however the following statistic should be of similar
devgnome pipina:/gnome/head/cvs/gdm2% grep goto **/*.c | wc -l
And now for the standard part of the release announcement:
GDM is the GNOME Display Manager, it is the little proggie that runs in the
background, runs your X sessions, presents you with a login box and then
tells you to piss off because you forgot your password. It does pretty much
everything that you would want to use xdm for, but doesn't involve as much
crack. It doesn't use any code from xdm, and has a more paranoid and safer
design overall. It also includes many features over xdm, the biggest one of
which is that it is more user friendly, even if your X setup is failing. The
goal is that users should never, ever have to use the command line to
customize or troubleshoot gdm. It of course supports xdmcp, and in fact
extends xdmcp a little bit in places where I thought xdm was lacking (but is
still compatible with xdm's xdmcp).
Highlights of 188.8.131.52 (see further for 184.108.40.206 and 220.127.116.11 stuff):
Security issues were not part of original release notes and
are not present in the NEWS file in the 18.104.22.168 tarball just
in case you are wandering. This is because 22.214.171.124 and
126.96.36.199 came out more then a week ago and the issues weren't
- Backport the errorgui from HEAD, easier then fixing
the bugs. This is the ~/.xsession-errors security
fix mentioned above.
- Actually insure /tmp/.ICE-unix (#118878)
- Fix some crashes in main daemon. This is the XDMCP crashes
- Fix the language checking code to not mess up when LC_ALL
and LC_MESSAGES are not the same
Highlights of 188.8.131.52:
- Memory profiling of the graphical greeter by not keeping
around info (pixmaps) which we won't need. On the circles
theme this saves about 6megs on the circles theme.
Also cache pixmaps in the graphical greeter which reduces
the disk rattling we need to do to start up. Plus a bit
of just performance profiling should reduce CPU usage of
the graphical greeter quite a bit too.
- Update the manual, especially the theme section
- The UserAuthDir now works in a much saner way. If the
directory is not tilde expanded, then we treat it just
like /tmp and use random filenames.
- Prevent a minor DoS attack (apps being coerced to fill
up the home dir) by intercepting the output from the
session and only writing to the ~/.xsession-errors
file a maximum of 80*2500 bytes.
- The user lists in the face browsers and the gdmsetup are
now capped at a higher number, but we also cap the time
that is spent gathering the info at 5 seconds.
- Deal with hypothetical main daemon crashes semi decently
in the slave.
- Try /dev/fd if /proc/self/fd isn't there for checking
which FDs are open, should make this work on more platforms
(in particular FreeBSD)
- Run fbconsole on startup if found, this is a solaris
thing to prevent console output to corrupt your display
- Use the 66 code from session to indicate failure that
need not display the .xsession-errors file
- Actually read the "active" state for text items
- Break all pam messages (not just the error) at 50
columns. This is kind of a hack, we need to support
proper linebreaking in the theme.
- Respect negative coordinates with "-0" in the
- Display help from the setup program if not running
from within gdm itself
- The standard config file now has most keys commented out
so that the internal defaults are used and so that we can
change those defaults in the future without the user having
to update the config file.
- Improvements in the cookie generation. Doesn't use
up all the system entropy but just uses the 16 bytes it
actually needs (since we just need a 16 byte cookie).
Plus improve randomness on systems without /dev/random
- Correctly handle out of diskspace on auth handling and
on the PID file thing.
- Fix the runlevel reading
- Fix possible crash on auth purge
- Fix possible chooser crash
- Fix lots of minor bugs
- Some soptimization to save a nanosecond or two
- Translation updates (Wang Jian, Funda Wang, Christian Rose, Jordi Mallach,
Danilo Segan, Artur Flinta, Miloslav Trmac, Duarte Loreto, Kostas Papadimas,
Ales Nyakhaychyk, Laurent Dhima, Christophe Merlet,
Evandro Fernandes Giovanini, Metin Amiroff, Pauli Virtanen, Dafydd Harries)
184.108.40.206 SECURITY ADDENDUM:
Was not part of the original release notes to give distributors a chance
- SECURITY: Fixed CAN-2003-0547 which allows any user to read any
root readable text file on the system by making a symlink from
- SECURITY: Fixed CAN-2003-0548, a crash when chosen host expires.
DoS only for XDMCP (XDMCP should however be confined to a 'trusted'
- SECURITY: Fixed CAN-2003-0549, a crash if authorization key name
is shorter then 18 bytes (that is, not MIT-MAGIC-COOKIE-1)
DoS only for XDMCP (XDMCP should however be confined to a 'trusted'
- Fix #118878 by actually ensuring /tmp/.ICE-unix
- More doc updates
- Fix up rlimit use and handle cases where we ourself
hit SIGXCPU and SIGXFSZ. Also handle SIGABRT cleanly
in the main daemon.
- The error gui uses the same theme as the greeters
- The pam config files don't include the /lib/security
prefix as apparently it's more kosher to let pam
find the modules itself
- Fix some crashes in main daemon, fix debug output in places
- A whole pile of minor XDMCP updates
- Fix solaris build (Brian Cameron)
- Limit users in face browsers above 100 not 50
- Remove any mentions of SessionMaxFile as it isn't used anymore
- Some typos fixed (Jordi Mallach)
- Translation updates (Jordi Mallach, Artur Flinta, Christian Rose,
Miloslav Trmac, Kostas Papadimas, Duarte Loreto, Ole Laursen,
Danilo Segan, Christian Neumair)
Note: GDM2 was originally written by Martin K. Petersen <mkp mkp net>, and
has for a while now been maintained by the Queen of England. She is usually
not responsive to bug reports or feature requests. You can try to send them
to me however.
Note2: If installing from the tarball do note that make install overwrites
most of the setup files, all except gdm.conf. It will however save backups
with the .orig extension first.
Note3: Note3 has been depracated ...
Sorry no RPMS. There is a spec file included in the tarball and it may or
not work (it should, and it did some time ago but I haven't tried it lately).
(or as in the immortal words of Chema: "Have sex,")
PS: I think we're saving electricity in this incredibly hot summer as we
don't have to heat the fish water. Though it's a few degrees higher then
should be, but I still sometimes feel like I want to just jump in there to
cool down. You'd think that living close to the coast in San Diego you never
need AC. That's another thing we're saving money on. Because if we had AC
we'd be using it. Then again we're running all the fans we have full time,
so perhaps we're not saving that much. I'm contemplating crawling into the
freezer to cool down, but I'm so sweaty, I fear all the sweat would freeze
and I wouldn't be able to move and get out. Plus the freezer smells like
bloodworms that we have there for the fish.
George <jirka 5z com>
Zivot je kratkej a posranej, jako zebricek do kurniku.
] [Thread Prev