OpenSuSE has issued an advisory today (July 2):
http://lists.opensuse.org/opensuse-updates/2013-07/msg00002.html

Only Mageia 3 and Cauldron are affected as they have glibc 2.17. Patched packages uploaded for Mageia 3 and Cauldron.

Note to QA: there are more details in the OpenSuSE bug, including how to potentially reproduce this issue. Given what the first sentence of the advisory below says, we may not be vulnerable to this, as our configure call during the xdm build has "--with-pam", so we should test for this. If we are not vulnerable, we can just close this as INVALID.
https://bugzilla.novell.com/show_bug.cgi?id=824884

Advisory:
========================

Updated xdm package fixes security vulnerability:

If xdm is built to use raw crypt() authentication, instead of a higher level system such as PAM or BSD Auth, and that crypt() function can return a NULL pointer, as it can under certain circumstances with glibc 2.17, then attempting to log in to such an account via xdm can crash the xdm daemon. For some setups, this may be a denial of service for other users of the machine (CVE-2013-2179).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2179
http://lists.opensuse.org/opensuse-updates/2013-07/msg00002.html
========================

Updated packages in core/updates_testing:
========================
xdm-1.1.11-8.1.mga3 from xdm-1.1.11-8.1.mga3.src.rpm
Confirmed that we're not vulnerable. Set to use XDM and locked a user account. Trying to log in with that account just gave the message that the login was incorrect rather than causing a crash. Adding sysadmin, could somebody please remove xdm-1.1.11-8.1.mga3.src.rpm from 3 core/updates_testing. The bug can then be closed as invalid. Thanks.
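The failure mode in the advisory above, and the locked-account test QA ran, shown as an added example (not xdm's code and not part of this bug report): a raw-crypt() password check in the pattern the advisory warns about, next to a hardened version. Assumptions: fake_crypt() is a stand-in for crypt(3) that reproduces only the glibc 2.17 behaviour the advisory relies on (NULL with errno set to EINVAL when the salt is malformed, which a locked shadow entry starting with "!" is); its "hash" is a toy FNV-1a so the block runs without libcrypt, and the names check_password_unsafe, check_password and make_entry are illustrative.

```c
/* Added example: raw-crypt() password check, unsafe vs. hardened.
 * fake_crypt() is a stand-in for crypt(3): it models glibc 2.17 returning NULL
 * with errno = EINVAL on a malformed salt, but its "hash" is a toy FNV-1a and
 * must never be used for real passwords. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum auth_result {
    AUTH_OK = 0,
    AUTH_BAD_PASSWORD = 1,
    AUTH_LOCKED = 2,       /* entry starts with '!' or '*', e.g. after passwd -l */
    AUTH_CRYPT_FAILED = 3  /* crypt() returned NULL */
};

/* Salt alphabet glibc accepts: [a-zA-Z0-9./], plus '$' for MCF prefixes. */
static int salt_char_ok(char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '.' || c == '/' || c == '$';
}

/* Stand-in for crypt(3): traditional 2-character salt, toy hash, static result
 * buffer like the real function. A salt shorter than 2 characters or with a
 * character outside the alphabet yields NULL + EINVAL, as glibc 2.17 does. */
static char *fake_crypt(const char *key, const char *salt)
{
    static char out[32];
    if (key == NULL || salt == NULL || strlen(salt) < 2 ||
        !salt_char_ok(salt[0]) || !salt_char_ok(salt[1])) {
        errno = EINVAL;
        return NULL;
    }
    uint64_t h = 1469598103934665603ULL;            /* FNV-1a offset basis */
    const char *p;
    for (p = salt; p < salt + 2; p++) { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    for (p = key; *p; p++)            { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    snprintf(out, sizeof out, "%c%c%016llx", salt[0], salt[1], (unsigned long long)h);
    return out;
}

/* Builds a shadow-style entry for pw; lock != 0 prepends '!' like passwd -l. */
static char *make_entry(const char *pw, const char *salt, int lock)
{
    static char entry[40];
    const char *h = fake_crypt(pw, salt);
    snprintf(entry, sizeof entry, "%s%s", lock ? "!" : "", h ? h : "");
    return entry;
}

/* Constant-time equality; a length mismatch is reported directly. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    if (la != lb) return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < la; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* The pattern the advisory describes: crypt()'s result goes straight into
 * strcmp(). For a locked entry ("!...") under glibc 2.17 that is
 * strcmp(NULL, ...), i.e. the xdm crash. Kept for contrast only. */
static int check_password_unsafe(const char *pw, const char *stored)
{
    return strcmp(fake_crypt(pw, stored), stored) == 0;
}

/* Hardened check: refuse locked entries before calling crypt(), treat a NULL
 * return as a failed login instead of dereferencing it, compare in constant time. */
static enum auth_result check_password(const char *pw, const char *stored)
{
    if (stored == NULL || stored[0] == '\0' || stored[0] == '!' || stored[0] == '*')
        return AUTH_LOCKED;
    errno = 0;
    const char *h = fake_crypt(pw, stored);
    if (h == NULL)
        return AUTH_CRYPT_FAILED;  /* errno == EINVAL on glibc >= 2.17 */
    return ct_equal(h, stored) ? AUTH_OK : AUTH_BAD_PASSWORD;
}

int main(void)
{
    printf("unsafe, good password:    %d\n", check_password_unsafe("hunter2", make_entry("hunter2", "ab", 0)));
    printf("hardened, good password:  %d\n", check_password("hunter2", make_entry("hunter2", "ab", 0)));
    printf("hardened, wrong password: %d\n", check_password("nope", make_entry("hunter2", "ab", 0)));
    printf("hardened, locked account: %d\n", check_password("hunter2", make_entry("hunter2", "ab", 1)));
    /* check_password_unsafe("hunter2", make_entry("hunter2", "ab", 1)) would be
     * strcmp(NULL, ...): the crash the advisory describes. */
    return 0;
}
```

The locked-entry guard matters even on a glibc where crypt() never returns NULL: a "!"-prefixed entry can never match, so rejecting it up front costs nothing and removes the dependency on libc behaviour. With PAM in the picture (the Mageia build uses --with-pam), this comparison is pam_unix's job and xdm never sees the hash, which is why the QA test above got "login incorrect" rather than a crash.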
CC: (none) => sysadmin-bugs
Adding feedback marker till it's done
Whiteboard: (none) => feedback
xdm removed
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => INVALID