XDMCP Request packet with no addresses crashes LightDM

Bug #1516831 reported by Robert Ancell on 2015-11-17
Affects                   Importance   Assigned to
Light Display Manager     Critical     Robert Ancell
  1.14                    Critical     Robert Ancell
  1.16                    Critical     Robert Ancell
lightdm (Ubuntu)          Critical     Robert Ancell
  Vivid                   Critical     Robert Ancell
  Wily                    Critical     Robert Ancell

Bug Description

[Impact]
If LightDM receives an XDMCP Request packet with no addresses then it will attempt to access a negative index into an array and crash. This only occurs if the XDMCP server is enabled.

[Test Case]
1. Enable XDMCP in lightdm.conf:
     [XDMCPServer]
     enabled=true
2. Start LightDM
3. Send an XDMCP Request without an empty addresses field (valid XDMCP servers do not send this).

Expected result:
The request is ignored.

Observed result:
LightDM crashes.
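
The failure mode described under [Impact], as an added example that is not LightDM's own code: a bounds-checked parser for the start of an XDMCP Request that ignores a packet whose connection-address list is empty, where an unguarded fallback to the last entry would compute index -1. The function name, the address-selection policy and the two sample packets are assumptions constructed for illustration; the field layout follows the XDMCP specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define XDMCP_REQUEST 7   /* Request opcode in the XDMCP specification */
/* Constructed packets: one IPv4 connection address, and an empty address list. */
static const uint8_t PKT_ONE_ADDR[] = { 0,1, 0,7, 0,19,  0,0,  1, 0,0,
    1, 0,4, 127,0,0,1,  0,0, 0,0, 0, 0,0 };
static const uint8_t PKT_NO_ADDRS[] = { 0,1, 0,7, 0,11,  0,0,  0,
    0,  0,0, 0,0, 0, 0,0 };

/* Bounds-checked big-endian CARD16 read; returns 0 if the buffer is too short. */
static int rd16(const uint8_t *b, size_t n, size_t *o, uint16_t *v) {
    if (n - *o < 2) return 0;
    *v = (uint16_t)((b[*o] << 8) | b[*o + 1]);
    *o += 2;
    return 1;
}

/* Returns the index of the connection address to use, or -1 to ignore the packet.
 * Hypothetical policy: prefer the first 4-byte (IPv4) entry, else the last entry. */
int pick_request_address(const uint8_t *b, size_t n) {
    size_t o = 0;
    uint16_t ver, op, len, display, alen;
    if (!rd16(b, n, &o, &ver) || !rd16(b, n, &o, &op) || !rd16(b, n, &o, &len))
        return -1;
    if (ver != 1 || op != XDMCP_REQUEST || (size_t)len != n - o)
        return -1;                          /* wrong version/opcode or bad length */
    if (!rd16(b, n, &o, &display) || o >= n) return -1;
    size_t ntypes = b[o++];                 /* ARRAY16: CARD8 count, CARD16 items */
    if (n - o < 2 * ntypes + 1) return -1;  /* types plus the address count byte */
    o += 2 * ntypes;
    int naddrs = b[o++];                    /* ARRAYofARRAY8: CARD8 count */
    if (naddrs == 0)
        return -1;   /* without this check the fallback below would be index -1 */
    int first_ipv4 = -1;
    for (int i = 0; i < naddrs; i++) {      /* each entry: CARD16 length + bytes */
        if (!rd16(b, n, &o, &alen) || n - o < alen) return -1;
        if (alen == 4 && first_ipv4 < 0) first_ipv4 = i;
        o += alen;
    }
    return first_ipv4 >= 0 ? first_ipv4 : naddrs - 1;
}

int main(void) {
    printf("%d %d\n", pick_request_address(PKT_ONE_ADDR, sizeof PKT_ONE_ADDR),
           pick_request_address(PKT_NO_ADDRS, sizeof PKT_NO_ADDRS));
    return 0;
}
```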

Changed in lightdm:
status: In Progress → Fix Committed
description: updated
Changed in lightdm:
milestone: none → 1.17.2
no longer affects: lightdm/1.2
Robert Ancell (robert-ancell) wrote :

Caused by the change in bug 1481561

Chris J Arges (arges) wrote :

lightdm looked ready to release in vivid, but I encountered this bug when looking through the comments. I marked bug 1481561 'verification-failed' in response to your comment. Please mark the bug 'verification-done-vivid' if lightdm in vivid-proposed should still be released with any appropriate commentary.
Thanks,

Changed in lightdm:
status: Fix Committed → Fix Released
description: updated
no longer affects: lightdm/1.10
Yves-Alexis Perez (corsac) wrote :

Was a CVE assigned to this? Do you want me to request one?

Robert Ancell (robert-ancell) wrote :

It wasn't - you're welcome to do one.

Robert Ancell (robert-ancell) wrote :

Affected stable versions: 1.14.3, 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.16.4, 1.16.5.

Robert Ancell (robert-ancell) wrote :

The way I found this was by testing the SRU in vivid - for some reason the X server was sending Request packets with an addresses field empty. Other Ubuntu releases are not doing this. I haven't yet investigated why it was doing this.

Changed in lightdm (Ubuntu):
status: New → Fix Committed
Changed in lightdm (Ubuntu Wily):
status: New → Fix Committed
Changed in lightdm (Ubuntu):
importance: Undecided → Critical
Changed in lightdm (Ubuntu Wily):
importance: Undecided → Critical

Hello Robert, or anyone else affected,

Accepted lightdm into wily-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/lightdm/1.16.6-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed
Brian Murray (brian-murray) wrote :

Hello Robert, or anyone else affected,

Accepted lightdm into vivid-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/lightdm/1.14.4-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in lightdm (Ubuntu Vivid):
importance: Undecided → Critical
status: New → Fix Committed
status: Fix Committed → Triaged
status: Triaged → Fix Committed
Changed in lightdm (Ubuntu):
status: Fix Committed → Fix Released
tags: added: verification-done-vivid verification-done-wily
removed: verification-needed
Changed in lightdm (Ubuntu):
assignee: nobody → Robert Ancell (robert-ancell)
Changed in lightdm (Ubuntu Vivid):
assignee: nobody → Robert Ancell (robert-ancell)
Changed in lightdm (Ubuntu Wily):
assignee: nobody → Robert Ancell (robert-ancell)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.16.6-0ubuntu1

---------------
lightdm (1.16.6-0ubuntu1) wily; urgency=medium

  * New upstream release:
    - Handle XDMCP Request packet with no addresses. (LP: #1516831)
    - Don't start LightDM if the XDMCP server is configured with a key that
      doesn't exist. (LP: #1517685)
    - Add IP addresses to XDMCP log messages.
    - Refactor XDMCP error handling.
    - Add more tests.

 -- Robert Ancell <email address hidden> Fri, 20 Nov 2015 15:46:15 +1300

Changed in lightdm (Ubuntu Wily):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for lightdm has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.14.4-0ubuntu1

---------------
lightdm (1.14.4-0ubuntu1) vivid; urgency=medium

  * New upstream release:
    - Handle XDMCP Request packet with no addresses. (LP: #1516831)
    - Don't start LightDM if the XDMCP server is configured with a key that
      doesn't exist. (LP: #1517685)
    - Add IP addresses to XDMCP log messages.
    - Refactor XDMCP error handling.
    - Add more tests.

 -- Robert Ancell <email address hidden> Fri, 20 Nov 2015 16:01:15 +1300

Changed in lightdm (Ubuntu Vivid):
status: Fix Committed → Fix Released
This report contains Public Security information
Everyone can see this security related information.