On 06/11/2013 05:47 PM, Alan Coopersmith wrote:
> It's been suggested we get a CVE id assigned for this recent fix to
> the xdm display/login manager from X.Org:
>
> http://cgit.freedesktop.org/xorg/app/xdm/commit/?id=8d1eb5c74413e4c9a21f689fc106949b121c0117
>
> Without this fix, if xdm is built to use raw crypt()
> authentication, instead of a higher level system such as PAM or BSD
> Auth, and that crypt() function can return a NULL pointer (as glibc
> 2.17+ does for invalid input, such as when an account is locked by
> prepending a "!" to the password field), then attempting to login
> to such an account via xdm can crash the xdm daemon.
>
> For single user console machines, this generally just means you get
> the text console login prompt instead. For machines set up to
> support multiple seats, remote XDMCP access, or X terminals (such
> as LTSP setups using xdm), this may be a denial of service for
> users on those other seats/terminals/devices.
>

Please use CVE-2013-2179 for this issue.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

_______________________________________________
[email protected]: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel
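The failure mode described in the quoted report, as an added example that is not xdm's code or the referenced commit: a password check that treats a NULL return from crypt() as a failed login instead of passing it to strcmp(). The names password_matches and stub_crypt are hypothetical, and stub_crypt is a constructed stand-in so the check runs without libcrypt.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Signature of crypt(3); passed in so the check can be exercised offline. */
typedef char *(*crypt_fn)(const char *key, const char *salt);

/* Constructed stand-in for crypt(3), NOT a real hash: it models only the
 * glibc 2.17+ behaviour named above, returning NULL when the salt holds a
 * character outside [a-zA-Z0-9./], as a "!"-locked password field does. */
static char *stub_crypt(const char *key, const char *salt)
{
    static char out[128];
    static const char ok[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./";
    if (salt[0] == '\0' || salt[1] == '\0' ||
        !strchr(ok, salt[0]) || !strchr(ok, salt[1]))
        return NULL;
    snprintf(out, sizeof out, "%.2s%s", salt, key);
    return out;
}

/* Returns 1 only when hashing succeeded and the result matches `stored`.
 * A NULL from crypt() is an authentication failure, never a strcmp() input. */
static int password_matches(crypt_fn do_crypt, const char *typed,
                            const char *stored)
{
    char *computed;

    if (typed == NULL || stored == NULL)
        return 0;
    computed = do_crypt(typed, stored);
    if (computed == NULL)          /* locked account or unusable salt */
        return 0;
    return strcmp(computed, stored) == 0;
}

int main(void)
{
    /* Constructed sample password fields. */
    printf("valid:  %d\n", password_matches(stub_crypt, "secret", "absecret"));
    printf("locked: %d\n", password_matches(stub_crypt, "secret", "!absecret"));
    return 0;
}
```

In a real build the first argument would be crypt itself, linked with -lcrypt.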
