Date: Fri, 26 May 2000 07:58:04 +0200 (MEST)
From: Thomas Biege thomas@suse.de
To: suse-security-announce@suse.com
Subject: [suse-security-announce] SuSE Security Announcement:
gdm
SuSE Security Announcement
Package: gdm <= 2.0beta4-25
Date: Wed May 24 08:35:39 CET 2000
Affected SuSE versions: 6.2-6.4
Vulnerability Type: remote compromise
SuSE default package: no
Other affected systems: all linux systems using gdm <= 2.0beta4
A security hole was discovered in the package mentioned above.
Please update it as soon as possible or disable the service if you
are using this software on your SuSE Linux installation(s).
Other Linux distributions or operating systems might be affected
as well, please contact your vendor for information about this
issue.
Please note that we provide this information on an “as-is” basis
only. There is no warranty whatsoever and no liability for any
direct, indirect or incidental damage arising from this information
or the installation of the update package.
1. Problem Description
The GNOME package includes a xdm replacement called gdm for
handling graphical console and network logins. The gdm code, that
process’ logins over the network, could be tricked into writing
data from the network right into the stack. This condition exists
while gdm is running with root privileges and before the user is
authenticated.
2. Impact
An remote adversary could crash gdm or execute his own code,
which leads to root compromise of the system running gdm.
3. Solution
By default gdm doesn’t accept login connection from the network.
Older SuSE releases, which include gdm 1.x, allow network logins by
default but aren’t vulnerable by this bug. If you need the network
login feature of gdm, update the package from our FTP server,
please.
Please verify these md5 checksums of the updates before installing:
(For SuSE 6.0, please use the 6.1 updates)
AXP: ffb656afe38ee6e5c04789f8fce8b1a8 ftp://ftp.suse.com/pub/suse/axp/update/6.3/gnm2/gdm-2.0beta4-74.alpha.rpm f5c7bf9b8fd133e74481ecd6c0d5678e ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/gdm-2.0beta4-74.src.rpm 928d262fd9e8f1ff40e6f84b560daf7b ftp://ftp.suse.com/pub/suse/axp/update/6.4/gnm2/gdm-2.0beta4-74.alpha.rpm 6f8a0cc01b9b37f5d6b7bf93b138afb2 ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/gdm-2.0beta4-74.src.rpm i386: 8a8adfa55587b1db0cf9816e7d8839c6 ftp://ftp.suse.com/pub/suse/i386/update/6.2/gnm2/gdm-2.0beta4-72.i386.rpm fea8fda701692bea4fb658edc7a504ea ftp://ftp.suse.com/pub/suse/i386/update/6.2/zq1/gdm-2.0beta4-72.src.rpm be26d14f8693d50002a5462c28a45d5a ftp://ftp.suse.com/pub/suse/i386/update/6.3/gnm2/gdm-2.0beta4-72.i386.rpm bcc226af12ce171d4aa41c6d490d2b8f ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/gdm-2.0beta4-72.src.rpm 372583d0633d4d0115e6f3bc8397cf16 ftp://ftp.suse.com/pub/suse/i386/update/6.4/gnm2/gdm-2.0beta4-72.i386.rpm 33896dd68321aa45c837da34547debf5 ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/gdm-2.0beta4-72.src.rpm
You can find updates on our ftp-Server:
ftp://ftp.suse.com/pub/suse/i386/update
for Intel processors
ftp://ftp.suse.com/pub/suse/axp/update
for Alpha processors
or try the following web pages for a list of mirrors:
http://www.suse.de/ftp.html
http://www.suse.com/ftp_new.html
Our webpage for patches:
http://www.suse.de/patches/index.html
Our webpage for security announcements:
http://www.suse.de/security
If you want to report vulnerabilities, please contact security@suse.de
SuSE has got two free security mailing list services to which any
interested party may subscribe:
suse-security@suse.com - moderated and for general/linux/SuSE security discussions. All SuSE security announcements are sent to this list. suse-security-announce@suse.com - SuSE's announce-only mailing list. Only SuSE's security annoucements are sent to this list.
To subscribe to the list, send a message to:
suse-security-subscribe@suse.com
To remove your address from the list, send a message to:
suse-security-unsubscribe@suse.com
Send mail to the following for info and FAQ for this list:
suse-security-info@suse.com