Re: ANNOUNCE: (SECURITY) GDM 2.4.1.6 (stable) and GDM 2.4.2.101 (unstable), the "I 0wn3rz y0ur f1lez" release
- From: Luis Villa <louie ximian com>
- To: gnome-hackers gnome org
- Subject: Re: ANNOUNCE: (SECURITY) GDM 2.4.1.6 (stable) and GDM 2.4.2.101 (unstable), the "I 0wn3rz y0ur f1lez" release
- Date: Wed, 20 Aug 2003 20:19:29 -0400
Speaking as a vendor, it would have been nice if we'd been alerted that
2.4.1.6 was a security release before this announcement. Is that
something we need to think about formalizing a little bit? Or is it
something we'd formalized ages ago and I didn't know about? :)
Luis
On Wed, 2003-08-20 at 19:40, George wrote:
> WHACKYWHACKYWHACKYWHACK
>
> (If you have no clue what gdm is, skip a few paragraphs down first)
>
> It is time again, yes you guessed it, for a security announcement. After
> some auditing of code I found 3 issues with it, one of them being fairly
> serious. Here are the descriptions and CVE numbers
>
> CAN-2003-0547 which allows any user to read any root readable text file on
> the system by making a symlink from ~/.xsession-errors. This affects all
> GNOME2 versions.
>
> CAN-2003-0548, a crash when chosen host expires. DoS only for XDMCP (XDMCP
> should however be confined to a 'trusted' network anyway). This affects
> all versions from 2.0beta2 forward really.
>
> CAN-2003-0549, a crash if authorization key name is shorter than 18 bytes
> (that is, not MIT-MAGIC-COOKIE-1) DoS only for XDMCP (XDMCP should however be
> confined to a 'trusted' network anyway). This affects all versions that
> had XDMCP. Some distributors shipped a patch at some point which managed
> to fix this though.
>
> Mostly people would be affected by the first one as XDMCP should be off
> by default and if it is on, you should really confine it to a 'trusted'
> network as you can always pretty much DoS an XDMCP server because of the
> way XDMCP works.
>
> On the slightly silly news front, the cookie generation in the devel version
> is now utterly overengineered. The plus side of that is that you should
> really get really REALLY random cookies even on systems with no /dev/random
> and friends and no /proc. Also it now doesn't waste all your kernel entropy
> just for generating a 16 byte cookie.
>
> In addition to auditing code for security problems, and making sure that
> all random bits are really random, I've also done some optimizations,
> mainly in the graphical greeter. This cuts down on the memory usage by
> quite a bit, saving about 6megs for me on the circles theme, plus
> some optimization of CPU usage and disk access. Some utterly useless
> soptimization was also done making the code a few nanoseconds faster.
> The manual has also been updated, including some XDM bashing (as if you
> didn't already know that it so obviously sucks:)
>
> No new longjmp usage, however the following statistic should be of similar
> interest:
>
> devgnome pipina:/gnome/head/cvs/gdm2% grep goto **/*.c | wc -l
> 79
> devgnome pipina:/gnome/head/cvs/gdm2%
>
> And now for the standard part of the release announcement:
>
> GDM is the GNOME Display Manager, it is the little proggie that runs in the
> background, runs your X sessions, presents you with a login box and then
> tells you to piss off because you forgot your password. It does pretty much
> everything that you would want to use xdm for, but doesn't involve as much
> crack. It doesn't use any code from xdm, and has a more paranoid and safer
> design overall. It also includes many features over xdm, the biggest one of
> which is that it is more user friendly, even if your X setup is failing. The
> goal is that users should never, ever have to use the command line to
> customize or troubleshoot gdm. It of course supports xdmcp, and in fact
> extends xdmcp a little bit in places where I thought xdm was lacking (but is
> still compatible with xdm's xdmcp).
>
> News:
> =====
>
> Highlights of 2.4.1.6 (see further for 2.4.2.100 and 2.4.2.101 stuff):
>
> Security issues were not part of the original release notes and
> are not present in the NEWS file in the 2.4.1.6 tarball, just
> in case you are wondering. This is because 2.4.1.6 and
> 2.4.2.100 came out more than a week ago and the issues weren't
> public yet.
>
> - Backport the errorgui from HEAD, easier than fixing
> the bugs. This is the ~/.xsession-errors security
> fix mentioned above.
>
> - Actually ensure /tmp/.ICE-unix (#118878)
>
> - Fix some crashes in main daemon. These are the XDMCP crashes
> mentioned above.
>
> - Fix the language checking code to not mess up when LC_ALL
> and LC_MESSAGES are not the same
>
>
> Highlights of 2.4.2.101:
>
> - Memory profiling of the graphical greeter by not keeping
> around info (pixmaps) which we won't need. On the circles
> theme this saves about 6megs.
> Also cache pixmaps in the graphical greeter which reduces
> the disk rattling we need to do to start up. Plus a bit
> of just performance profiling should reduce CPU usage of
> the graphical greeter quite a bit too.
>
> - Update the manual, especially the theme section
>
> - The UserAuthDir now works in a much saner way. If the
> directory is not tilde expanded, then we treat it just
> like /tmp and use random filenames.
>
> - Prevent a minor DoS attack (apps being coerced to fill
> up the home dir) by intercepting the output from the
> session and only writing to the ~/.xsession-errors
> file a maximum of 80*2500 bytes.
>
> - The user lists in the face browsers and the gdmsetup are
> now capped at a higher number, but we also cap the time
> that is spent gathering the info at 5 seconds.
>
> - Deal with hypothetical main daemon crashes semi decently
> in the slave.
>
> - Try /dev/fd if /proc/self/fd isn't there for checking
> which FDs are open, should make this work on more platforms
> (in particular FreeBSD)
>
> - Run fbconsole on startup if found, this is a solaris
> thing to prevent console output from corrupting your display
> (Brian Cameron)
>
> - Use the 66 code from session to indicate a failure that
> need not display the .xsession-errors file
>
> - Actually read the "active" state for text items
>
> - Break all pam messages (not just the error) at 50
> columns. This is kind of a hack, we need to support
> proper linebreaking in the theme.
>
> - Respect negative coordinates with "-0" in the
> theme
>
> - Display help from the setup program if not running
> from within gdm itself
>
> - The standard config file now has most keys commented out
> so that the internal defaults are used and so that we can
> change those defaults in the future without the user having
> to update the config file.
>
> - Improvements in the cookie generation. Doesn't use
> up all the system entropy but just uses the 16 bytes it
> actually needs (since we just need a 16 byte cookie).
> Plus improve randomness on systems without /dev/random
> and friends.
>
> - Correctly handle out of diskspace on auth handling and
> on the PID file thing.
>
> - Fix the runlevel reading
>
> - Fix possible crash on auth purge
>
> - Fix possible chooser crash
>
> - Fix lots of minor bugs
>
> - Some soptimization to save a nanosecond or two
>
> - Translation updates (Wang Jian, Funda Wang, Christian Rose, Jordi Mallach,
> Danilo Segan, Artur Flinta, Miloslav Trmac, Duarte Loreto, Kostas Papadimas,
> Ales Nyakhaychyk, Laurent Dhima, Christophe Merlet,
> Evandro Fernandes Giovanini, Metin Amiroff, Pauli Virtanen, Dafydd Harries)
>
> 2.4.2.100 SECURITY ADDENDUM:
> Was not part of the original release notes to give distributors a chance
> to update.
>
> - SECURITY: Fixed CAN-2003-0547 which allows any user to read any
> root readable text file on the system by making a symlink from
> ~/.xsession-errors
>
> - SECURITY: Fixed CAN-2003-0548, a crash when chosen host expires.
> DoS only for XDMCP (XDMCP should however be confined to a 'trusted'
> network anyway)
>
> - SECURITY: Fixed CAN-2003-0549, a crash if authorization key name
> is shorter than 18 bytes (that is, not MIT-MAGIC-COOKIE-1)
> DoS only for XDMCP (XDMCP should however be confined to a 'trusted'
> network anyway)
>
> 2.4.2.100 stuff:
>
> - Fix #118878 by actually ensuring /tmp/.ICE-unix
>
> - More doc updates
>
> - Fix up rlimit use and handle cases where we ourselves
> hit SIGXCPU and SIGXFSZ. Also handle SIGABRT cleanly
> in the main daemon.
>
> - The error gui uses the same theme as the greeters
>
> - The pam config files don't include the /lib/security
> prefix as apparently it's more kosher to let pam
> find the modules itself
>
> - Fix some crashes in main daemon, fix debug output in places
>
> - A whole pile of minor XDMCP updates
>
> - Fix solaris build (Brian Cameron)
>
> - Limit users in face browsers above 100 not 50
>
> - Remove any mentions of SessionMaxFile as it isn't used anymore
>
> - Some typos fixed (Jordi Mallach)
>
> - Translation updates (Jordi Mallach, Artur Flinta, Christian Rose,
> Miloslav Trmac, Kostas Papadimas, Duarte Loreto, Ole Laursen,
> Danilo Segan, Christian Neumair)
>
> Note: GDM2 was originally written by Martin K. Petersen <mkp mkp net>, and
> has for a while now been maintained by the Queen of England. She is usually
> not responsive to bug reports or feature requests. You can try to send them
> to me however.
>
> Note2: If installing from the tarball do note that make install overwrites
> most of the setup files, all except gdm.conf. It will however save backups
> with the .orig extension first.
>
> Note3: Note3 has been deprecated ...
>
> Downloading:
> ============
>
> Webpage: http://www.jirka.org/gdm.html
> http://ftp.gnome.org/pub/GNOME/sources/gdm/2.4/
> ftp://ftp.5z.com/pub/gdm/
>
> Sorry no RPMS. There is a spec file included in the tarball and it may or
> may not work (it should, and it did some time ago but I haven't tried it lately).
>
> Have fun,
> (or as in the immortal words of Chema: "Have sex,")
>
> George
>
> PS: I think we're saving electricity in this incredibly hot summer as we
> don't have to heat the fish water. Though it's a few degrees higher than it
> should be, but I still sometimes feel like I want to just jump in there to
> cool down. You'd think that living close to the coast in San Diego you never
> need AC. That's another thing we're saving money on. Because if we had AC
> we'd be using it. Then again we're running all the fans we have full time,
> so perhaps we're not saving that much. I'm contemplating crawling into the
> freezer to cool down, but I'm so sweaty, I fear all the sweat would freeze
> and I wouldn't be able to move and get out. Plus the freezer smells like
> bloodworms that we have there for the fish.
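The two ~/.xsession-errors items in the quoted notes (the CAN-2003-0547 symlink fix and the 80*2500-byte write cap) as an added C example; this is not GDM's code, and the function names and scratch paths under /tmp are my own constructions. It shows how a privileged daemon can open a user-controlled log path without following a symlink, verify what it actually opened, and stop writing once the cap is reached.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
#define XSESSION_ERRORS_MAX (80 * 2500)   /* byte cap from the announcement */

/* Open the log for writing: O_NOFOLLOW makes a symlink fail (ELOOP) instead of
 * being followed, and fstat confirms a regular file owned by the session user. */
int open_session_log(const char *path, uid_t uid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != uid) { close(fd); return -1; }
    return fd;
}

/* Write session output while keeping the running *total under the cap, so a
 * chatty or hostile session cannot fill the home directory. */
size_t write_capped(int fd, const char *buf, size_t len, size_t *total)
{
    size_t room = XSESSION_ERRORS_MAX - *total;
    if (len > room) len = room;
    ssize_t n = len ? write(fd, buf, len) : 0;
    if (n < 0) return 0;
    *total += (size_t)n;
    return (size_t)n;
}

/* Self-check in a scratch directory (constructed paths): a symlinked log is
 * refused, a real file is accepted, and writes stop at the cap. Returns 1. */
int demo(void)
{
    static char big[XSESSION_ERRORS_MAX + 1];  /* one byte over the cap */
    char dir[] = "/tmp/xsess-XXXXXX", lnk[64], real[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    snprintf(real, sizeof real, "%s/real", dir);
    int ok = symlink(real, lnk) == 0 && open_session_log(lnk, geteuid()) == -1;
    int fd = open_session_log(real, geteuid());
    size_t total = 0;
    ok = ok && fd >= 0 && write_capped(fd, big, sizeof big, &total) == XSESSION_ERRORS_MAX
         && write_capped(fd, "y", 1, &total) == 0 && total == XSESSION_ERRORS_MAX;
    if (fd >= 0) close(fd);
    unlink(lnk); unlink(real); rmdir(dir);
    return ok;
}
```

O_NOFOLLOW only guards the final path component, so a daemon should still drop privileges to the session user before opening anything under that user's home directory.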