Bug 463927

Summary: CVE-2007-5079 gdm with xdmcp ignoring tcp_wrappers on x86_64 [rhel-4.9]
Product: Red Hat Enterprise Linux 4 Reporter: Ray Strode [halfline] <rstrode>
Component: gdmAssignee: Ray Strode [halfline] <rstrode>
Status: CLOSED WONTFIX QA Contact: desktop-bugs <desktop-bugs>
Severity: low Docs Contact:
Priority: low    
Version: 4.9CC: loic.mahe, myates, security-response-team, syeghiay, tao, vdanen
Target Milestone: rcKeywords: Security, ZStream
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: impact=low,source=bugzilla,reported=20060213,public=20060213
Fixed In Version: gdm-2.6.0.5-7.rhel4.21 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-03-28 15:35:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 181302, 485811    

Description Ray Strode [halfline] 2008-09-25 14:30:44 UTC 
+++ This bug was initially created as a clone of Bug #181302 +++

From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; iOpus-I-M; SV1)

Description of problem:
The x86_64 bit version of AS4 (fully patched) appears to ignore tcp_wrappers completely when using gdm with XDMCP. The 32 bit version of AS4 works perfectly so this bug appears to be restricted to the 64bit version. I suspect the problem with the wrappers on the 64 bit version may be a bit more general than just XDMCP access as I tested a telnet server and while the wrappers are not completely ignored connections are not refused cleanly (You donĂ¢t get the login prompt but you are still hooked up to the machine). The 32 bit version again works perfectly.

Version-Release number of selected component (if applicable):
tcp_wrappers

How reproducible:
Always

Steps to Reproduce:
1. Instll the OS
2. Configure gdmsetup to allow remote XDMCP conectivity
3. configure hosts.deny to restrict conections all:all
  

Actual Results:  no restriction to remote desktop

Expected Results:  remote desktop should have been refused

Additional info:
Comment 6 Tomas Hoger 2012-03-28 15:35:28 UTC 
Red Hat Enterprise Linux 4 was reached end of Production Phase and transitioned to Extended Life Phase.  Component 'gdm' is excluded from the RHEL 4 ELS coverage and therefore this bug is no longer needed.

Extended Life Cycle Support - Exclusions:
http://www.redhat.com/rhel/server/extended_lifecycle_support/exclusions/