desktop-packages team mailing list archive

[Launchpad Bug Tracker <1517685@xxxxxxxxxxxxxxxxxx>]

*** This bug is a security vulnerability ***

You have been subscribed to a public security bug:

[Impact]
An incorrectly configured XDMCP server will start without authentication instead of disabling XDMCP / stopping LightDM.

[Test Case]
1. Set up LightDM to run an XDMCP server using an XDM authentication key, i.e. in lightdm.conf:
[XDMCPServer]
enabled=true
key=key-name
2. Do not create /etc/lightdm/keys.conf or do not define 'key-name' in keys.conf.
3. Start LightDM
4. Connect XDMCP client.

Expected result:
Either LightDM doesn't start or the XDMCP server doesn't start.

Observed result:
XDMCP server starts without authentication, any XDMCP client is able to connect. Debug message printed to log warning about missing key, but not easy to spot.

[Regression Potential]
Low - change is to not start LightDM if this case occurs. This could affect someone who currently has a misconfigured LightDM. In this case a warning message is printed to the log.

** Affects: lightdm
     Importance: Medium
     Assignee: Robert Ancell (robert-ancell)
         Status: Fix Released

** Affects: lightdm/1.10
     Importance: Medium
     Assignee: Robert Ancell (robert-ancell)
         Status: Fix Released

** Affects: lightdm/1.14
     Importance: Medium
     Assignee: Robert Ancell (robert-ancell)
         Status: Fix Released

** Affects: lightdm/1.16
     Importance: Medium
     Assignee: Robert Ancell (robert-ancell)
         Status: Fix Released

** Affects: lightdm/1.2
     Importance: Medium
     Assignee: Robert Ancell (robert-ancell)
         Status: Fix Released

** Affects: lightdm (Ubuntu)
     Importance: Undecided
         Status: New

-- 
XDMCP server starts without authentication if configured key does not exist
https://bugs.launchpad.net/bugs/1517685
You received this bug notification because you are a member of Desktop Packages, which is subscribed to lightdm in Ubuntu.