Debian Bug report logs - #63876
buffer overflow in gdm

Package: gdm; Maintainer for gdm is Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>;

Reported by: joey@infodrom.north.de (Martin Schulze)

Date: Wed, 10 May 2000 07:48:00 UTC

Severity: fixed

Done: Ryan Murray <rmurray@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, security@debian.org, Ryan Murray <rmurray@cyberhqz.com>:
Bug#63876; Package gdm. Full text and rfc822 format available.

Acknowledgement sent to joey@infodrom.north.de (Martin Schulze):
New Bug report received and forwarded. Copy sent to security@debian.org, Ryan Murray <rmurray@cyberhqz.com>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: joey@finlandia.Infodrom.North.DE (Martin Schulze)
To: submit@bugs.debian.org
Subject: buffer overflow in gdm
Date: Wed, 10 May 2000 09:43:41 +0200 (CEST)
Package: gdm
Severity: important

It was reported on bugtraq.

This patch comes from Miguel de Icaza:

--- gdm-2.0beta4/daemon/xdmcp.c.orig    Tue May  9 19:55:08 2000
+++ gdm-2.0beta4/daemon/xdmcp.c Tue May  9 19:55:14 2000
@@ -467,7 +467,7 @@
        port = port*256+clnt_port.data[i];

     /* Find client address. Ugly, ugly. Endianness sucks... */
-    memmove (&ia.s_addr, clnt_addr.data, clnt_addr.length);
+    memmove (&ia.s_addr, clnt_addr.data, sizeof (ia.s_addr));

     gdm_debug ("gdm_xdmcp_handle_forward_query: Got FORWARD_QUERY from display: %s, port %d",
               inet_ntoa (ia), port);
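Review bot: the replacement memmove still never consults clnt_addr.length. It now copies sizeof (ia.s_addr) bytes from clnt_addr.data unconditionally, so a request whose address field is shorter than that can be read past its end, and one that is longer is silently truncated and processed anyway. Suggest testing clnt_addr.length == sizeof (ia.s_addr) before the copy and dropping the FORWARD_QUERY otherwise. The context line above (port = port*256+clnt_port.data[i]) indexes another peer-supplied array whose loop bound is not visible in this hunk and deserves the same check. The "Endianness" comment describes nothing the copy does and could be reworded while this line is being touched.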


System Information:
Linux finlandia 2.0.36 #12 Tue Jan 26 22:09:07 MET 1999 i686 unknown

Versions of packages gdm depends on:
libc6                       2.
ldso                        1.


Regards,

	Joey

-- 
Those who don't understand Unix are condemned to reinvent it, poorly.



Information forwarded to debian-bugs-dist@lists.debian.org, Ryan Murray <rmurray@cyberhqz.com>:
Bug#63876; Package gdm. Full text and rfc822 format available.

Acknowledgement sent to Wichert Akkerman <wichert@mors.wiggy.net>:
Extra info received and forwarded to list. Copy sent to Ryan Murray <rmurray@cyberhqz.com>. Full text and rfc822 format available.

Message #10 received at 63876@bugs.debian.org (full text, mbox):

From: Wichert Akkerman <wichert@mors.wiggy.net>
To: Martin Schulze <joey@infodrom.north.de>, 63876@bugs.debian.org
Subject: Re: Bug#63876: buffer overflow in gdm
Date: Wed, 10 May 2000 14:36:54 +0200
[Message part 1 (text/plain, inline)]
Previously Martin Schulze wrote:
>      /* Find client address. Ugly, ugly. Endianness sucks... */
> -    memmove (&ia.s_addr, clnt_addr.data, clnt_addr.length);
> +    memmove (&ia.s_addr, clnt_addr.data, sizeof (ia.s_addr));

That comment makes no sense there, there is no endianness conversion
at all here, and the previous clnt_addr.length is a completely
unsafe value directly taken from the network... geez.

Wichert.

-- 
  _________________________________________________________________
 / Generally uninteresting signature - ignore at your convenience  \
| wichert@liacs.nl                    http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |
[Message part 2 (application/pgp-signature, inline)]
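Added example (not part of this bug log or of gdm's source): a bounds-checked parse of a client address and port that both arrive as length-prefixed byte arrays, which is the situation the message above describes. The 2-byte big-endian length prefix, the struct net_array type, both function names and the sample packet are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>

/* Hypothetical stand-in for the arrays in the patch (clnt_addr, clnt_port). */
struct net_array {
    uint16_t length;            /* supplied by the peer, never trusted */
    const unsigned char *data;  /* points into the received packet */
};

/* Read one array (assumed layout: 2-byte big-endian length, then data). */
static int read_array(const unsigned char *buf, size_t len, size_t *off,
                      struct net_array *out)
{
    if (*off > len || len - *off < 2)
        return -1;                        /* no room for the length field */
    out->length = (uint16_t)((buf[*off] << 8) | buf[*off + 1]);
    *off += 2;
    if (len - *off < out->length)
        return -1;                        /* claims more bytes than received */
    out->data = buf + *off;
    *off += out->length;
    return 0;
}

/* Accept only an address that exactly fills s_addr and a 2-byte port. */
int parse_forward_query(const unsigned char *buf, size_t len,
                        struct in_addr *ia, unsigned *port)
{
    struct net_array addr, prt;
    size_t off = 0;

    if (read_array(buf, len, &off, &addr) || read_array(buf, len, &off, &prt))
        return -1;
    if (addr.length != sizeof ia->s_addr || prt.length != 2)
        return -1;                        /* reject, do not truncate or pad */
    memcpy(&ia->s_addr, addr.data, sizeof ia->s_addr); /* already network order */
    *port = (unsigned)prt.data[0] * 256 + prt.data[1];
    return 0;
}

int main(void)
{
    /* Constructed sample: address 192.0.2.7, port 6000. */
    const unsigned char pkt[] = {0, 4, 192, 0, 2, 7, 0, 2, 0x17, 0x70};
    struct in_addr ia;
    unsigned port = 0;
    int rc = parse_forward_query(pkt, sizeof pkt, &ia, &port);
    printf("rc=%d port=%u\n", rc, port);
    return 0;
}
```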

Information forwarded to debian-bugs-dist@lists.debian.org, Ryan Murray <rmurray@cyberhqz.com>:
Bug#63876; Package gdm. Full text and rfc822 format available.

Acknowledgement sent to Raphael Hertzog <rhertzog@hrnet.fr>:
Extra info received and forwarded to list. Copy sent to Ryan Murray <rmurray@cyberhqz.com>. Full text and rfc822 format available.

Message #15 received at 63876@bugs.debian.org (full text, mbox):

From: Raphael Hertzog <rhertzog@hrnet.fr>
To: Martin Schulze <joey@infodrom.north.de>, 63876@bugs.debian.org
Cc: debian-private@lists.debian.org
Subject: Re: Bug#63876: buffer overflow in gdm
Date: Thu, 11 May 2000 01:23:58 +0200
On Wed, May 10, 2000 at 09:43:41AM +0200, Martin Schulze wrote:
> Package: gdm
> Severity: important
> 
> It was reported on bugtraq.

A fixed package is already in incoming. Ryan has done a great job. :)
I'll leave it to him to close this bug once the package is installed.

Cheers,



Severity set to `fixed'. Request was from Raphael Hertzog <hertzog@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Ryan Murray <rmurray@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to joey@infodrom.north.de (Martin Schulze):
Bug acknowledged by developer. Full text and rfc822 format available.

Message #22 received at 63876-close@bugs.debian.org (full text, mbox):

From: Ryan Murray <rmurray@debian.org>
To: 57806-close@bugs.debian.org, 59042-close@bugs.debian.org, 59044-close@bugs.debian.org, 59176-close@bugs.debian.org, 61968-close@bugs.debian.org, 63255-close@bugs.debian.org, 63680-close@bugs.debian.org, 63876-close@bugs.debian.org
Subject: bugs fixed in gdm 2.0-0.beta4.9
Date: Wed, 24 May 2000 12:41:43 -0700
I believe that the bug you reported is fixed in the latest version of
gdm, which has been installed in the Debian FTP archive:

gdm_2.0.orig.tar.gz
  to  dists/potato/main/source/x11/gdm_2.0.orig.tar.gz
  and dists/woody/main/source/x11/gdm_2.0.orig.tar.gz
  replacing gdm_2.0.orig.tar.gz
gdm_2.0-0.beta4.9.diff.gz
  to  dists/potato/main/source/x11/gdm_2.0-0.beta4.9.diff.gz
  and dists/woody/main/source/x11/gdm_2.0-0.beta4.9.diff.gz
  replacing gdm_2.0-0.beta4.8.diff.gz
gdm_2.0-0.beta4.9.dsc
  to  dists/potato/main/source/x11/gdm_2.0-0.beta4.9.dsc
  and dists/woody/main/source/x11/gdm_2.0-0.beta4.9.dsc
  replacing gdm_2.0-0.beta4.8.dsc
gdm_2.0-0.beta4.9_i386.deb
  to  dists/potato/main/binary-i386/x11/gdm_2.0-0.beta4.9.deb
  and dists/woody/main/binary-i386/x11/gdm_2.0-0.beta4.9.deb
  replacing gdm_2.0-0.beta4.8.deb

Note that this package is not part of the released stable Debian
distribution.  It may have dependencies on other unreleased software,
or other instabilities.  Please take care if you wish to install it.
The update will eventually make its way into the next released Debian
distribution.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to rmurray@debian.org
and the maintainer will reopen the bug report if appropriate.

Ryan Murray <rmurray@debian.org> (supplier of updated gdm package)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.6
Date: Wed, 10 May 2000 02:24:59 -0700
Source: gdm
Binary: gdm
Architecture: source i386
Version: 2.0-0.beta4.9
Distribution: unstable frozen
Urgency: high
Maintainer: Ryan Murray <rmurray@cyberhqz.com>
Description: 
 gdm        - GNOME Display Manager
Closes: 57806 59042 59044 59176 61968 63255 63680 63876
Changes: 
 gdm (2.0-0.beta4.9) unstable frozen; urgency=high
 .
   * Fix several security related bugs, including one grave bug
     (closes: #63255, #61968)
   * Fix for /etc/environment being read twice (closes: #59042)
   * Fix for LANG not being set correctly, based on a patch used by
     redhat (closes: #59044)
   * Added translations for new locales from CVS.
   * Removed checking for pidfile in gdm code, as start-stop-daemon does
     a better job, for Debian.
   * Added --name to start-stop-daemon line (closes: #59176)
   * Set default locale in LANG before starting gdmlogin.  This makes
     GDM's text localized to the setting of DefaultLocale in gdm.conf
     (closes: #57806)
   * Changed build system to dbs, from patch system used by egcs at some
     point.
   * Fix reference of gdmgreeter in gdmlogin manpage (closes: #63680)
   * Fix for buffer overflow in xdmcp.c (closes: #63876)
Files: 
 f71363987ac67aa2dd287bc6c30ed14f 657 x11 optional gdm_2.0-0.beta4.9.dsc
 355deee071d6de6632b172527b1f259f 61376 x11 optional gdm_2.0-0.beta4.9.diff.gz
 a86b5ffb1b4d15460e365f1da404dcd9 183182 x11 optional gdm_2.0-0.beta4.9_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE5GSuPN2Dbz/1mRasRAgZxAKCycV2LQfDJjMaY+v0dMefOzbWkKACZART3
Rh3cSThIzOySJtAT65TPYiI=
=Eo+z
-----END PGP SIGNATURE-----





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 14:16:18 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.