vagrant at freegeek.org
2008-Mar-11 19:59 UTC
[Secure-testing-team] #469462: X access wide open on LTSP clients
debian bug #469462 is a nasty security bug which allows anyone knowing the ip address and display number to read or send keystrokes, mouse clicks, X clients, etc. to LTSP clients logged in using LDM.

due to slow buildd's, it has been quite some time since ldm has migrated from unstable to testing (mainly mips*, though others as well).

because of that, the version of ldm in testing is basically incompatible with the version of ltsp in testing (scripts to run ldm from ltsp were moved from the ltsp-client-core package into ldm itself), so simply patching the version of ldm in testing for security only issues would not really be particularly useful.

so i'm wondering what the options are for getting a fixed ldm package into testing.

thanks!

live well,
  vagrant
Nico Golde
2008-Mar-11 20:38 UTC
[Secure-testing-team] #469462: X access wide open on LTSP clients
Hi vagrant,
* vagrant at freegeek.org <vagrant at freegeek.org> [2008-03-11 21:13]:
> due to slow buildd's, it has been quite some time since ldm has migrated
> from unstable to testing (mainly mips*, though others as well).
>
> because of that, the version of ldm in testing is basically incompatible
> with the version of ltsp in testing (scripts to run ldm from ltsp were
> moved from the ltsp-client-core package into ldm itself), so simply
> patching the version of ldm in testing for security only issues would
> not really be particularly useful.

Sorry but I don't get it. Why is it a problem to upload a patched version to testing that fixes this issue?

> so i'm wondering what the options are for getting a fixed ldm package
> into testing.

The other option would be to ask Steve Langasek from the release team to bump the priority of ldm in the NEEDS-BUILD queues of these build daemons.

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
vagrant at freegeek.org
2008-Mar-11 22:30 UTC
[Secure-testing-team] #469462: X access wide open on LTSP clients
On Tue, Mar 11, 2008 at 09:38:17PM +0100, Nico Golde wrote:
> * vagrant at freegeek.org <vagrant at freegeek.org> [2008-03-11 21:13]:
> > due to slow buildd's, it has been quite some time since ldm has migrated
> > from unstable to testing (mainly mips*, though others as well).
> >
> > because of that, the version of ldm in testing is basically incompatible
> > with the version of ltsp in testing (scripts to run ldm from ltsp were
> > moved from the ltsp-client-core package into ldm itself), so simply
> > patching the version of ldm in testing for security only issues would
> > not really be particularly useful.
>
> Sorry but I don't get it. Why is it a problem to upload a
> patched version to testing that fixes this issue?

sorry for not being clearer on that...

i guess, strictly speaking, the version of ldm in testing could be patched to fix the security bug.

a separate issue is that the code that actually starts ldm from ltsp is missing, as in newer versions of ltsp and ldm it was moved from the ltsp package into the ldm package itself, and a newer version of ltsp migrated to testing, but a newer version of ldm hasn't, so a security fix is of questionable value here.

that still sounds confusing... i don't know how else to say it... sorry.

it was my impression that bug fixes that weren't strictly security related weren't allowed except through the normal channels, i.e. unstable.

> > so i'm wondering what the options are for getting a fixed ldm package
> > into testing.
>
> The other option would be to ask Steve Langasek from the
> release team to bump the priority of ldm in the NEEDS-BUILD
> queues of these build daemons.

this seems like the best option, as it mostly seems like the buildd's are so slow for priority: extra packages. thanks for the suggestion.

live well,
  vagrant
Nico Golde
2008-Mar-12 22:20 UTC
[Secure-testing-team] #469462: X access wide open on LTSP clients
Hi,
* vagrant at freegeek.org <vagrant at freegeek.org> [2008-03-11 23:46]:
> On Tue, Mar 11, 2008 at 09:38:17PM +0100, Nico Golde wrote:
[...]
> > The other option would be to ask Steve Langasek from the
> > release team to bump the priority of ldm in the NEEDS-BUILD
> > queues of these build daemons.
>
> this seems like the best option, as it mostly seems like the buildd's
> are so slow for priority: extra packages. thanks for the suggestion.

Not sure if it was bumped yet but half of the archs seem to be installed now. Issuing a testing-security update would not be much faster so I guess we should stay with that until serious migration problems occur.

Btw, CVE-2008-1293 was assigned to this.

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Thijs Kinkhorst
2008-Apr-28 10:18 UTC
[Secure-testing-team] #469462: X access wide open on LTSP clients
Hi Nico,

On Wednesday 12 March 2008 23:20, Nico Golde wrote:
> Btw, CVE-2008-1293 was assigned to this.

Who assigned the ID? It's still marked as RESERVED although the issue has been published for nearly two months..

cheers,
Thijs
Nico Golde
2008-Apr-28 10:36 UTC
[Secure-testing-team] #469462: X access wide open on LTSP clients
Hi Thijs,
* Thijs Kinkhorst <thijs at debian.org> [2008-04-28 12:32]:
> On Wednesday 12 March 2008 23:20, Nico Golde wrote:
> > Btw, CVE-2008-1293 was assigned to this.
>
> Who assigned the ID? It's still marked as RESERVED although the issue has been
> published for nearly two months..

It was assigned by mitre via oss-security. Just poked Steven again if it's still on purpose on RESERVED.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.