*** This bug is a security vulnerability ***
You have been subscribed to a public security bug:
[Impact]
An incorrectly configured XDMCP server will start without authentication
instead of disabling XDMCP / stopping LightDM.
[Test Case]
1. Set up LightDM to run an XDMCP server using an XDM authentication key, i.e.
in lightdm.conf:
[XDMCPServer]
enabled=true
key=key-name
2. Do not create /etc/lightdm/keys.conf or do not define 'key-name' in
keys.conf.
3. Start LightDM
4. Connect XDMCP client.
Expected result:
Either LightDM doesn't start or the XDMCP server doesn't start.
Observed result:
The XDMCP server starts without authentication, and any XDMCP client is able to
connect. A debug message warning about the missing key is printed to the log,
but it is not easy to spot.
[Regression Potential]
Low - change is to not start LightDM if this case occurs. This could affect
someone who currently has a misconfigured LightDM. In this case a warning
message is printed to the log.
** Affects: lightdm
Importance: Medium
Assignee: Robert Ancell (robert-ancell)
Status: Fix Released
** Affects: lightdm/1.10
Importance: Medium
Assignee: Robert Ancell (robert-ancell)
Status: Fix Released
** Affects: lightdm/1.14
Importance: Medium
Assignee: Robert Ancell (robert-ancell)
Status: Fix Released
** Affects: lightdm/1.16
Importance: Medium
Assignee: Robert Ancell (robert-ancell)
Status: Fix Released
** Affects: lightdm/1.2
Importance: Medium
Assignee: Robert Ancell (robert-ancell)
Status: Fix Released
** Affects: lightdm (Ubuntu)
Importance: Undecided
Status: New
--
XDMCP server starts without authentication if configured key does not exist
https://bugs.launchpad.net/bugs/1517685
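
A configuration audit for the condition in the test case above, as an added example (not LightDM code and not part of the original report). It assumes keys.conf stores keys as name=value entries in a [keyring] section; the function name and sample file contents are constructed for illustration.

```python
import configparser

def _parse(text):
    # Both files use key-file syntax; keep option names case-sensitive.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def audit_xdmcp(lightdm_conf, keys_conf=None):
    """Return (status, detail). Pass keys_conf=None when keys.conf does not exist."""
    conf = _parse(lightdm_conf)
    if not conf.has_section("XDMCPServer"):
        return ("ok", "no [XDMCPServer] section")
    sect = conf["XDMCPServer"]
    if sect.get("enabled", "false").strip().lower() != "true":
        return ("ok", "XDMCP server disabled")
    key_name = sect.get("key", "").strip()
    if not key_name:
        return ("warn", "XDMCP enabled with no key configured")
    if keys_conf is None:
        return ("fail", f"key '{key_name}' configured but keys.conf is missing")
    # Assumption: keys are defined under [keyring] in keys.conf.
    if not _parse(keys_conf).has_option("keyring", key_name):
        return ("fail", f"key '{key_name}' is not defined in keys.conf")
    return ("ok", f"key '{key_name}' is defined")

# Constructed sample inputs matching the test case in the report.
SAMPLE_LIGHTDM_CONF = "[XDMCPServer]\nenabled=true\nkey=key-name\n"
SAMPLE_KEYS_OTHER = "[keyring]\nother-key=0x0123456789abcd\n"
SAMPLE_KEYS_GOOD = "[keyring]\nkey-name=0x0123456789abcd\n"

if __name__ == "__main__":
    for label, keys in (("keys.conf missing", None),
                        ("key undefined", SAMPLE_KEYS_OTHER),
                        ("key defined", SAMPLE_KEYS_GOOD)):
        print(label, "->", audit_xdmcp(SAMPLE_LIGHTDM_CONF, keys))
```

To audit a real host, read /etc/lightdm/lightdm.conf and /etc/lightdm/keys.conf into strings and pass them in, using None for keys.conf when the file is absent.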