MDKSA-2003:085

Package name

gdm

Date

2003-08-21

Advisory ID

MDKSA-2003:085

Affected versions

9.1 i586 , CS2.1 i586 , 9.1 i586 , 9.0 i586 , CS2.1 x86_64

Problem description

Several vulnerabilities were discovered in versions of gdm prior to 2.4.1.6. The first vulnerability is that any user can read any text file on the system due to code originally written to be run as the user logging in was in fact being run as the root user. This code is what allows the examination of the ~/.xsession-errors file. If a user makes a symlink from this file to any other file on the system during the session and ensures that the session lasts less than ten seconds, the user can read the file provided it was readable as a text file. Another two vulnerabilities were found in the XDMCP code that could be exploited to crash the main gdm daemon which would inhibit starting any new sessions (although the current session would be unaffected). The first problem here is due to the indirect query structure being used right after being freed due to a missing 'continue' statement in a loop; this happens if a choice of server expired and the client tried to connect. The second XDMCP problem is that when authorization data is being checked as a string, the length is not checked first. If the data is less than 18 bytes long, the daemon may wander off the end of the string a few bytes in the strncmp which could cause a SEGV. These updated packages bring gdm to version 2.4.1.6 which is not vulnerable to any of these problems. Also note that XDMCP support is disabled by default in gdm.

Updated packages

9.1 i586

 0cb8fbd74766c4d0036cab36d57b6081  ppc/9.1/RPMS/gdm-2.4.1.6-0.3mdk.ppc.rpm
fb0df358c4d6c9a7cf3982c4d3258004  ppc/9.1/RPMS/gdm-Xnest-2.4.1.6-0.3mdk.ppc.rpm
91f0ff2421135e32f604d6cb82081439  ppc/9.1/SRPMS/gdm-2.4.1.6-0.3mdk.src.rpm

CS2.1 i586

 47a2d84bfff0e842657e789e085b434d  corporate/2.1/RPMS/gdm-2.4.1.6-0.2mdk.i586.rpm
8536d89374219e42ad6ca6c441ffb0d1  corporate/2.1/RPMS/gdm-Xnest-2.4.1.6-0.2mdk.i586.rpm
35ab7f8231548f1daa4571bfb5e77054  corporate/2.1/SRPMS/gdm-2.4.1.6-0.2mdk.src.rpm

9.1 i586

 9d8a97cc5f475f16eeb73caa9d7d8e6b  9.1/RPMS/gdm-2.4.1.6-0.3mdk.i586.rpm
4f866c5b5b4903d1b0751bcb6dc28d0f  9.1/RPMS/gdm-Xnest-2.4.1.6-0.3mdk.i586.rpm
91f0ff2421135e32f604d6cb82081439  9.1/SRPMS/gdm-2.4.1.6-0.3mdk.src.rpm

9.0 i586

 47a2d84bfff0e842657e789e085b434d  9.0/RPMS/gdm-2.4.1.6-0.2mdk.i586.rpm
8536d89374219e42ad6ca6c441ffb0d1  9.0/RPMS/gdm-Xnest-2.4.1.6-0.2mdk.i586.rpm
35ab7f8231548f1daa4571bfb5e77054  9.0/SRPMS/gdm-2.4.1.6-0.2mdk.src.rpm

CS2.1 x86_64

 252fc231c85e88411ca50a05f0404688  x86_64/corporate/2.1/RPMS/gdm-2.4.1.6-0.2mdk.x86_64.rpm
3f8b47c14e0d7fc4c2d76171e3ee0b5a  x86_64/corporate/2.1/RPMS/gdm-Xnest-2.4.1.6-0.2mdk.x86_64.rpm
35ab7f8231548f1daa4571bfb5e77054  x86_64/corporate/2.1/SRPMS/gdm-2.4.1.6-0.2mdk.src.rpm

References

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0547
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0548
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0549