Bug 181302 (CVE-2007-5079)
| Field | Value |
|---|---|
| Summary | CVE-2007-5079 gdm with xdmcp ignoring tcp_wrappers on x86_64 |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| Hardware | x86_64 |
| OS | Linux |
| Reporter | Peter Edgerton <p.edgerton> |
| Assignee | Ray Strode [halfline] <rstrode> |
| CC | kseifried, loic.mahe, myates, security-response-team, tao, vdanen |
| Keywords | Security |
| Doc Type | Bug Fix |
| Last Closed | 2011-09-27 21:47:53 UTC |
| Bug Depends On | 363011, 363021, 363031, 363041, 463927, 625916 |

Description
Peter Edgerton
2006-02-13 09:34:38 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.

The gdm was not compiled and linked with tcp_wrappers on x86_64. The configure script looks for libwrap.a in /usr/lib which is not present on a x86_64 system. Also, the tcp_wrappers BuildRequires is completely missing.

Thanks for catching this, I'll be filing the same bug for RHEL5 and Fedoras.

CVE name was assigned to this issue - CVE-2007-5079. Reassigning bug to Security Response product.

Tomas, Ray, can you confirm which versions are affected? Besides RHEL4 in original report, RHEL3 version seems to be affected too. But I'm a bit confused about RHEL5 and Fedora, as gdm-binary does not seem to link against libwrap there even on i386. Is that intentional?

Any release that uses /usr/lib64 is affected. Fedora tries to avoid putting bloat in the default buildroot, so it's completely possible that the missing BuildRequires caused newer builds not to be linked with tcp_wrappers at all.

The bugzillas for el5 and fedora follow: bug 239818, bug 239820

Ray: Though I personally do not consider this to be a security issue, but a feature issue, it seems that some other people don't think so, so I'd be glad if you rolled new packages that would be built with tcp_wrappers and submitted an update. Please let me know if you think this is not wise and might break some configurations.

I'm okay with doing an update to fix this problem.

The current version of gdm (2.6.0.5-7.rhel4.19 - 10 Apr 2008) still doesn't include the correction. Do you plan to take this into account in a future release? Thanks.

Hi Loic, This bug is currently being evaluated for inclusion in a future update. It's likely that this fix would go in with other GDM fixes, but not necessarily as an errata on its own.

This issue has been addressed in following products: Red Hat Enterprise Linux 4 Via RHSA-2010:0657 https://rhn.redhat.com/errata/RHSA-2010-0657.html
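
The following audit helpers are an added example, not part of the bug report or of gdm's build scripts. They show one way to verify whether an installed binary was actually built with tcp_wrappers and whether a libwrap.a lookup limited to /usr/lib would miss the copy in /usr/lib64. The function names and the byte markers searched for (`libwrap.so`, `/etc/hosts.allow`) are assumptions of this example, and the static-link check is a heuristic.

```shell
#!/bin/sh
# Added example: audit helpers for the missing tcp_wrappers link described above.
# Function names and marker strings are choices made for this example.

# Classify how a binary was linked against tcp_wrappers (libwrap).
# The file is only read as bytes; it is never executed (unlike ldd).
#   dynamic - names the libwrap shared object (as a DT_NEEDED entry would)
#   static  - no libwrap.so reference, but libwrap's hosts.allow path is embedded
#   none    - no trace of libwrap, so hosts.allow/hosts.deny are not consulted
libwrap_linkage() {
    bin=$1
    [ -r "$bin" ] || { echo "unreadable"; return 2; }
    if LC_ALL=C grep -a -q 'libwrap\.so' "$bin"; then
        echo "dynamic"
    elif LC_ALL=C grep -a -q '/etc/hosts\.allow' "$bin"; then
        echo "static"      # heuristic: another library could embed this path too
    else
        echo "none"; return 1
    fi
}

# List the library directories under a root that contain libwrap.a.
# With no argument the real filesystem root is inspected.
find_libwrap_a() {
    root=${1:-}
    for d in lib lib64 usr/lib usr/lib64; do
        [ -f "$root/$d/libwrap.a" ] && echo "/$d"
    done
    return 0
}

# Would a configure test that only looks in /usr/lib detect libwrap here?
configure_would_find_libwrap() {
    find_libwrap_a "${1:-}" | grep -q -x '/usr/lib'
}

# Command-line use: pass one or more binaries to classify.
if [ "$#" -gt 0 ]; then
    for b in "$@"; do
        printf '%s: %s\n' "$b" "$(libwrap_linkage "$b")"
    done
    printf 'libwrap.a present in: %s\n' "$(find_libwrap_a | tr '\n' ' ')"
fi
```

A result of `none` for an XDMCP-enabled display manager means rules in hosts.allow and hosts.deny do not restrict it, so access has to be limited by a packet filter until a rebuilt package is installed.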