Bug 10682

Summary: xdm new security issue CVE-2013-2179
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED INVALID
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: sysadmin-bugs, tmb
Version: 3
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/557263/
Whiteboard: feedback
Source RPM: xdm-1.1.11-8.mga3.src.rpm
CVE:
Status comment:

Description David Walser 2013-07-03 00:18:11 CEST
OpenSuSE has issued an advisory today (July 2):
http://lists.opensuse.org/opensuse-updates/2013-07/msg00002.html

Only Mageia 3 and Cauldron are affected as they have glibc 2.17.

Patched packages uploaded for Mageia 3 and Cauldron.

Note to QA: there are more details in the OpenSuSE bug, including how to potentially reproduce this issue.  Given what the first sentence of the advisory below says, we may not be vulnerable to this, as our configure call during the xdm build has "--with-pam" so we should test for this.  If we are not vulnerable, we can just close this as INVALID.
https://bugzilla.novell.com/show_bug.cgi?id=824884

Advisory:
========================

Updated xdm package fixes security vulnerability:

If xdm is built to use raw crypt() authentication, instead of a higher level
system such as PAM or BSD Auth, and that crypt() function can return a NULL
pointer, as it can under certain circumstances with glibc 2.17, then attempting
to login to such an account via xdm can crash the xdm daemon.  For some setups,
this may be a denial of service for other users of the machine (CVE-2013-2179).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2179
http://lists.opensuse.org/opensuse-updates/2013-07/msg00002.html
========================

Updated packages in core/updates_testing:
========================
xdm-1.1.11-8.1.mga3

from xdm-1.1.11-8.1.mga3.src.rpm

Reproducible: 

Steps to Reproduce:
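The crash path the advisory describes, as an added example that is not xdm's own code: a constructed crypt() stand-in that mimics glibc 2.17 returning NULL (errno EINVAL) for an unusable salt such as a locked account's "!" hash field, the unchecked strcmp() on its result, and the NULL-safe check that turns such a login into an ordinary "login incorrect" instead of a dead daemon. fake_crypt, verify_unchecked and verify_checked are hypothetical names.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* crypt(3)-style signature so the real crypt() could be passed in instead. */
typedef char *(*crypt_fn)(const char *key, const char *salt);

/* Constructed stand-in for crypt(). Like glibc 2.17 it returns NULL and sets
 * errno to EINVAL when the salt is unusable, which is what a locked account's
 * "!" or "*" hash field looks like. The "hash" it yields for a valid salt is
 * a toy (first two salt chars + key), not a real algorithm. */
static char *fake_crypt(const char *key, const char *salt) {
    static char out[64];
    if (salt == NULL || salt[0] == '\0' || salt[0] == '!' || salt[0] == '*') {
        errno = EINVAL;
        return NULL;
    }
    snprintf(out, sizeof out, "%.2s%s", salt, key);
    return out;
}

/* The pattern the advisory describes for xdm built without PAM: crypt()'s
 * return value goes straight into strcmp(). A NULL result is dereferenced
 * and the daemon dies, which the advisory notes can deny service to other
 * users of the machine. Kept only for contrast with verify_checked(). */
static int verify_unchecked(crypt_fn c, const char *pw, const char *stored) {
    return strcmp(c(pw, stored), stored) == 0;
}

/* Hardened form: a NULL from crypt() is an authentication failure, not a
 * crash. Returns 1 on match, 0 otherwise. */
static int verify_checked(crypt_fn c, const char *pw, const char *stored) {
    const char *h;
    if (stored == NULL || stored[0] == '\0')
        return 0;                       /* no usable hash on record */
    h = c(pw, stored);
    if (h == NULL)
        return 0;                       /* glibc 2.17 locked-account case */
    return strcmp(h, stored) == 0;
}

int main(void) {
    printf("unchecked, valid hash: %d\n", verify_unchecked(fake_crypt, "secret", "absecret"));
    printf("checked, valid login:  %d\n", verify_checked(fake_crypt, "secret", "absecret"));
    printf("checked, wrong pw:     %d\n", verify_checked(fake_crypt, "wrong", "absecret"));
    printf("checked, locked (!):   %d\n", verify_checked(fake_crypt, "secret", "!absecret"));
    return 0;   /* verify_unchecked() with "!absecret" would segfault */
}
```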
Comment 1 claire robinson 2013-07-03 16:14:17 CEST
Confirmed that we're not vulnerable.

Set to use XDM and locked a user account. Trying to log in with that account just gave the message that the login was incorrect rather than causing a crash.

Adding sysadmin, could somebody please remove xdm-1.1.11-8.1.mga3.src.rpm from 3 core/updates_testing. The bug can then be closed as invalid.

Thanks.

CC: (none) => sysadmin-bugs

Comment 2 claire robinson 2013-07-04 14:54:27 CEST
Adding feedback marker till it's done

Whiteboard: (none) => feedback

Comment 3 Thomas Backlund 2013-07-09 22:24:12 CEST
xdm removed

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => INVALID