Bugtraq mailing list archives
Re: XFree86: xdm xdmcp code in wdm also
From: Jerome.Alet () UNICE FR (Jerome ALET)
Date: Tue, 20 Jun 2000 19:35:16 +0200
On Tue, Jun 20, 2000 at 05:42:10AM -1000, Brian Russo wrote:

> wdm (wings display manager) - http://www.tcscs.com/wdm/, is basically xdm with WINGs handling the graphical elements. The bulk of the core code is directly pulled from xdm, indeed the tarball of version 1.20 I pulled from the above URL, included xdm-3.3.2 code in a tarball - although the above URL mentioned:
> " wdm-1.20 -- Feb 29, 2000 ... corrected by replacing some xdm-3.3.2 code with xdm-3.3.6. I think all the xdm stuff definitely should be udpated [sic]

English is not my native language, sorry! Of course in fact I wanted to write "updated", but English people should prefer "upgraded" I suppose?

> to the latest version. "
> The included ChangeLog gives a bit more detail on this. Due to this direct importation of xdm code, it stands to reason that _any_ bug in xdm core code, will probably directly affect wdm in the same way. Additionally, as it seems WDM releases are not regularly updated with xdm code, wdm may even be worse-off than an up-to-date version of xdm.

OK. I completely agree with you on this, and I suppose that wdm includes the same bugs as gdm and other stuff based on xdm.

Since I'm not wdm's maintainer anymore because of lack of time, I can't correct the problem (my latest version was 1.20, the latest published to date). However, I've forwarded the first announcement in bugtraq about gdm to wdm's new maintainer, Greg Youngblood <greg () tcscs com>, the same day it was posted on bugtraq, because I thought that wdm may suffer from the same problems.

I've also posted a message in wdm's mailing list about the very old xdm code used in wdm and the fact that we should probably upgrade to the xdm from XFree 4.0 or something, and I CC this message to this list as well.

Concerning wdm I want to make a new security announcement for bugtraq: please upgrade to 1.20, some problems with device permissions not being set correctly were (I hope) corrected.

One more: the 1.19 version included in Debian has a security problem if you modify the default wdm-config file to use the new default user and password feature: the file should be owned by root and be given a mode of 0600, as stated in the manpages, but the Debian installation makes it world readable. That's not a problem if you don't use the default user and password feature (default installation). Debian developers in charge of wdm were mailed as soon as I detected the problem, months ago, but wdm in Debian potato is still in 1.19.

Thank you for reading.

Jerome Alet
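The ownership and mode rule stated in the message above for wdm-config (owned by root, mode 0600), written as an added audit check that is not part of the original post or of wdm. The function name `audit_secret_file`, its parameters and its messages are hypothetical, and the file path is supplied by the administrator because the post does not give one.

```python
import os
import stat
import sys


def audit_secret_file(path, expected_uid=0, required_mode=0o600):
    """Return a list of findings for a config file that stores a password.

    Hypothetical helper: the post only states the rule (root-owned, 0600);
    everything else here is this example's own choice.
    """
    findings = []
    # lstat so that a symlink is reported instead of silently followed.
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
        return findings
    if st.st_uid != expected_uid:
        findings.append(f"owner uid is {st.st_uid}, expected {expected_uid}")
    mode = stat.S_IMODE(st.st_mode)
    # The specific failure described in the post: any local user can read it.
    if mode & stat.S_IROTH:
        findings.append("world readable")
    if mode != required_mode:
        findings.append(f"mode is {mode:04o}, expected {required_mode:04o}")
    return findings


if __name__ == "__main__":
    # Usage: python audit.py /path/to/wdm-config
    problems = audit_secret_file(sys.argv[1])
    for problem in problems:
        print(f"{sys.argv[1]}: {problem}")
    sys.exit(1 if problems else 0)
```

As the message notes, the finding only matters when the default user and password feature is actually configured in the file.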