[Pkg-ltsp-devel] Bug#469462: JFYI: #469462 ltsp: X access wide open on LTSP clients
vagrant at freegeek.org
Mon Mar 10 02:35:27 UTC 2008
On Sun, Mar 09, 2008 at 08:00:59AM -0700, vagrant at freegeek.org wrote:
> On Sun, Mar 09, 2008 at 02:52:01PM +0100, Moritz Muehlenhoff wrote:
> > Vagrant, since the ldm source package is not present in Etch, does
> > this not affect stable at all or has the code been moved between
> > packages?
>
> the ldm package in etch is part of the ltsp source, and while i haven't
> verified it for sure, i believe it also is affected by the bug.
yes, i can confirm that the version of ldm (0.99debian11) in etch is
vulnerable.
> the ldm version in etch is implemented in python rather than C, so it
> will require a totally different patch.
applied this patch to the ltsp sources in etch, downloaded from:
http://ftp.de.debian.org/debian/pool/main/l/ltsp/ltsp_0.99debian11.dsc
--- client/ldm.orig 2008-03-09 22:15:23.000000000 -0400
+++ client/ldm 2008-03-09 22:15:34.000000000 -0400
@@ -63,7 +63,7 @@
os.dup2(logfile.fileno(), sys.stderr.fileno())
while True:
- server_opts = ['-br', '-ac', '-noreset']
+ server_opts = ['-br', '-noreset']
if self.use_xfs:
server_opts += ['-fp', self.fontpath]
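Review bot: Dropping '-ac' from the default server_opts list is the right fix: '-ac' disables the X server's access control entirely, so anyone who can reach the client's display can read it and inject input; without it the server falls back to host-based access control, which the mail confirms is enough for ldm's own login to keep working. One practical note on this hunk: the leading indentation of the context and changed lines has been stripped in the archive copy, so the diff as shown here will not apply cleanly with patch(1); regenerate it against the unpacked ltsp_0.99debian11 source rather than copying it from this message.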
i've tested that it prevents people from reading/writing to the X
display, and that ldm still can log in to the server.
note that, when making the security advisory, it may be good to mention
that most ldm installs are likely to be in a chroot
environment (the chroot is exported over NFS), and will not be upgraded
merely by upgrading the server itself. for example, on i386, to upgrade
ldm will likely require:
chroot /opt/ltsp/i386 apt-get update
chroot /opt/ltsp/i386 apt-get dist-upgrade
if there is any additional assistance needed, please feel free to
contact pkg-ltsp-devel at lists.alioth.debian.org or make further comments
on the bug report, which will be forwarded to the list.
thanks!
live well,
vagrant
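An added audit script (not part of the ltsp package or this thread) that checks both places the mail is concerned with: the ldm copy inside an LTSP chroot, and X servers currently running on the host, for the '-ac' option the patch above removes. The chroot path /opt/ltsp/i386/usr/sbin/ldm is an assumption based on the chroot location given in the mail.

```python
"""Audit ldm / LTSP X server options for '-ac' (X access control disabled).

Added example, not ltsp's own code. Checks (1) the server_opts list in an
ldm python source, e.g. the copy inside an NFS-exported chroot, and (2) X
servers running on this host, read from /proc/<pid>/cmdline.
"""
import glob
import re
from typing import Dict, List

# Assumption: ldm location inside the i386 chroot named in the bug thread.
LDM_PATH = "/opt/ltsp/i386/usr/sbin/ldm"


def parse_ldm_server_opts(source: str) -> List[str]:
    """Return the literal list assigned with 'server_opts = [...]' ([] if absent).
    The '+=' line that appends font-path options is deliberately not matched."""
    m = re.search(r"server_opts\s*=\s*\[([^\]]*)\]", source)
    if not m:
        return []
    return [tok.strip().strip("'\"") for tok in m.group(1).split(",") if tok.strip()]


def cmdline_to_args(raw: bytes) -> List[str]:
    """Split a /proc/<pid>/cmdline buffer (NUL-separated argv) into a list."""
    return [a.decode(errors="replace") for a in raw.split(b"\0") if a]


def audit_xserver_args(args: List[str]) -> Dict[str, str]:
    """Map option -> finding. '-ac' turns X access control off completely, so
    any client able to reach the display can read it and inject input."""
    findings = {}
    if "-ac" in args:
        findings["-ac"] = "X access control disabled; remove '-ac' (Debian bug #469462)"
    return findings


def fixed_server_opts(args: List[str]) -> List[str]:
    """Same change as the ldm patch for #469462: drop '-ac', keep the rest in order."""
    return [a for a in args if a != "-ac"]


def running_xservers() -> Dict[int, List[str]]:
    """Collect argv of processes whose executable is named X or Xorg."""
    found = {}
    for path in glob.glob("/proc/[0-9]*/cmdline"):
        try:
            with open(path, "rb") as fh:
                args = cmdline_to_args(fh.read())
        except OSError:
            continue  # process exited or unreadable; skip it
        if args and args[0].rsplit("/", 1)[-1] in ("X", "Xorg"):
            found[int(path.split("/")[2])] = args
    return found
```

Run `audit_xserver_args(parse_ldm_server_opts(open(LDM_PATH).read()))` on the server to check the chroot copy before and after the `chroot ... apt-get dist-upgrade` step above; an empty result means '-ac' is gone.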