[15404] in bugtraq
Re: XFree86: xdm xdmcp code in wdm also
daemon@ATHENA.MIT.EDU (Jerome ALET)
Tue Jun 20 16:23:40 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <20000620193516.C399@nordine.unice.fr>
Date: Tue, 20 Jun 2000 19:35:16 +0200
Reply-To: Jerome ALET <Jerome.Alet@UNICE.FR>
From: Jerome ALET <Jerome.Alet@UNICE.FR>
X-To: Brian Russo <brusso@phys.hawaii.edu>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000620054210.B9364@uhhepr.phys.hawaii.edu>; from Brian Russo
on Tue, Jun 20, 2000 at 05:42:10AM -1000
On Tue, Jun 20, 2000 at 05:42:10AM -1000, Brian Russo wrote:
> wdm (wings display manager) - http://www.tcscs.com/wdm/, is
> basically xdm with WINGs handling the graphical elements.
>
> The bulk of the core code is directly pulled from xdm,
> indeed the tarball of version 1.20 I pulled from the above URL,
> included xdm-3.3.2 code in a tarball - although the above URL
> mentioned :
>
> " wdm-1.20 -- Feb 29, 2000
> ...
> corrected by replacing some xdm-3.3.2 code with xdm-3.3.6.
> I think all the xdm stuff definitely should be udpated [sic]
English is not my native language, sorry!
Of course I actually wanted to write "updated", but English speakers
would prefer "upgraded", I suppose?
> to the latest version. "
>
> The included ChangeLog gives a bit more detail on this.
>
> due to this direct importation of xdm code, it stands to
> reason that _any_ bug in xdm core code, will probably directly
> affect wdm in the same way.
>
> Additionally, as it seems WDM releases are not regularly
> updated with xdm code, wdm may even be worse-off than an up-to-date
> version of xdm.
OK.
I completely agree with you on this, and I suppose that wdm
includes the same bugs as gdm and other software based
on xdm.
Since I'm no longer wdm's maintainer, for lack of time,
I can't correct the problem (my latest version was 1.20, the latest
published to date).
However, I forwarded the first announcement on bugtraq about
gdm to wdm's new maintainer, Greg Youngblood <greg@tcscs.com>,
the same day it was posted on bugtraq, because I thought that
wdm might suffer from the same problems.
I've also posted a message to wdm's mailing list about
the very old xdm code used in wdm and the fact that we
should probably upgrade to the xdm from XFree86 4.0 or
something, and I'm CCing this message to this list as well.
Concerning wdm, I want to make a new security announcement
on bugtraq: please upgrade to 1.20; some problems
with device permissions not being set correctly were (I hope)
corrected.
One more:
The 1.19 version included in Debian has a security problem
if you modify the default wdm-config file to use the new
default user and password feature: the file should be
owned by root and be given a mode of 0600, as stated in
the manpages, but the Debian installation makes it world
readable. That's not a problem if you don't use the
default user and password feature (the default installation).
The Debian developers in charge of wdm were mailed as soon
as I detected the problem, months ago, but wdm
in Debian potato is still at 1.19.
Thank you for reading.
Jerome Alet
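The message above says that a wdm-config file which carries the default user and password must be owned by root with mode 0600, and that the Debian 1.19 package leaves it world readable. The following checker is an added example written for this page, not code from wdm, from the mail, or from Debian: it verifies owner and mode of a secret-holding file the way a practitioner would before enabling that feature. The path /etc/X11/wdm/wdm-config used as the default argument is an assumption about where the Debian package installs the file; everything else is a generic permission check.

```shell
#!/bin/sh
# wdm_config_check.sh -- added example, not part of wdm or of the mail.
# Verifies that a file holding a default user/password (the wdm-config
# case discussed above) is owned by root and carries no group/other bits,
# i.e. is mode 0600 as the wdm manpage is said to require.

# Mode string as printed by ls, e.g. "-rw-------".  -n gives numeric ids.
file_mode_string() { ls -ldn -- "$1" 2>/dev/null | awk '{print $1}'; }

# Numeric owner uid of the file.
file_owner_uid()   { ls -ldn -- "$1" 2>/dev/null | awk '{print $3}'; }

# 0 when group and other have no permission bits at all (rwx both empty).
mode_is_private() {
    m=$(file_mode_string "$1")
    # characters 5..10 of the mode string are the group and other triplets
    case "$(printf '%s' "$m" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

owner_is_root() { [ "$(file_owner_uid "$1")" = "0" ]; }

# Report on one file.  Return 0 = OK, 1 = insecure, 2 = missing.
check_secret_file() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing"; return 2; }
    rc=0
    if ! owner_is_root "$f"; then
        echo "$f: not owned by root (uid $(file_owner_uid "$f")); want root"
        rc=1
    fi
    if ! mode_is_private "$f"; then
        echo "$f: mode $(file_mode_string "$f") is readable by group/other; want 0600"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "$f: OK (root-owned, no group/other access)"
    return "$rc"
}

# Print the remediation commands without running them; chown needs root
# and the operator should see what will change before it happens.
suggest_fix() {
    echo "chown root -- '$1'"
    echo "chmod 0600 -- '$1'"
}

# Stand-alone use: ./wdm_config_check.sh [path]
# (assumed Debian location /etc/X11/wdm/wdm-config as the default)
if [ "$#" -gt 0 ] || [ "${WDM_CHECK_RUN:-0}" = "1" ]; then
    target=${1:-/etc/X11/wdm/wdm-config}
    if ! check_secret_file "$target"; then
        suggest_fix "$target"
    fi
fi
```

Run it as root (or with a path argument) on the installed wdm-config before turning on the default user and password feature; the check reports a world-readable or non-root-owned file and prints the chown/chmod commands that bring it to the documented state. The test below only exercises the mode logic on a temporary file, since ownership by root cannot be assumed in a test environment.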