Light Display Manager

XDMCP Request packet with no addresses crashes LightDM

Bug #1516831 reported by Robert Ancell
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Light Display Manager
Fix Released
Critical
Robert Ancell
Light Display Manager 1.17.2
1.14
Fix Released
Critical
Robert Ancell
Light Display Manager 1.14.4
1.16
Fix Released
Critical
Robert Ancell
Light Display Manager 1.16.6
lightdm (Ubuntu)
Fix Released
Critical
Robert Ancell
Vivid
Fix Released
Critical
Robert Ancell
Wily
Fix Released
Critical
Robert Ancell

Bug Description

[Impact]
If LightDM receives an XDMCP Request packet with no addresses then it will attempt to access a negative index into an array and crash. This only occurs if the XDMCP server is enabled.

[Test Case]
1. Enable XDMCP in lightdm.conf:
[XDMCPServer]
enabled=true
2. Start LightDM
3. Send an XDMCP Request without an empty addresses field (valid XDMCP servers do not send this).

Expected result:
The request is ignored.

Observed result:
LightDM crashes.

See original description
Robert Ancell (robert-ancell)
Changed in lightdm:
status: In Progress → Fix Committed
Robert Ancell (robert-ancell)
description: updated
Robert Ancell (robert-ancell)
Changed in lightdm:
milestone: none → 1.17.2
no longer affects: lightdm/1.2
Revision history for this message
Robert Ancell (robert-ancell) wrote :

Caused bu the change in bug 1481561

Revision history for this message
Chris J Arges (arges) wrote :

lightdm looked ready to release in vivid, but I encountered this bug when looking through the comments. I marked bug 1481561 'verification-failed' in response to your comment. Please mark the bug 'verification-done-vivid' if lightdm in vivid-proposed should still be released with any appropriate commentary.
Thanks,

Robert Ancell (robert-ancell)
Changed in lightdm:
status: Fix Committed → Fix Released
description: updated
Robert Ancell (robert-ancell)
no longer affects: lightdm/1.10
Revision history for this message
Yves-Alexis Perez (corsac) wrote :

Was a CVE assigned to this? Do you want me to request one?

Revision history for this message
Robert Ancell (robert-ancell) wrote :

It wasn't - you're welcome to do one.

Revision history for this message
Robert Ancell (robert-ancell) wrote :

Affected stable versions: 1.14.3, 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.16.4, 1.16.5.

Revision history for this message
Robert Ancell (robert-ancell) wrote :

The way I found this was by testing the SRU in vivid - for some reason the X server was sending Request packets with a addresses field empty. Other Ubuntu releases are not doing this. I haven't yet investigated if why it was doing this.

Changed in lightdm (Ubuntu):
status: New → Fix Committed
Changed in lightdm (Ubuntu Wily):
status: New → Fix Committed
Changed in lightdm (Ubuntu):
importance: Undecided → Critical
Changed in lightdm (Ubuntu Wily):
importance: Undecided → Critical
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Robert, or anyone else affected,

Accepted lightdm into wily-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/lightdm/1.16.6-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed
Revision history for this message
Brian Murray (brian-murray) wrote :

Hello Robert, or anyone else affected,

Accepted lightdm into vivid-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/lightdm/1.14.4-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in lightdm (Ubuntu Vivid):
importance: Undecided → Critical
status: New → Fix Committed
status: Fix Committed → Triaged
status: Triaged → Fix Committed
Robert Ancell (robert-ancell)
Changed in lightdm (Ubuntu):
status: Fix Committed → Fix Released
Robert Ancell (robert-ancell)
tags: added: verification-done-vivid verification-done-wily
removed: verification-needed
Robert Ancell (robert-ancell)
Changed in lightdm (Ubuntu):
assignee: nobody → Robert Ancell (robert-ancell)
Changed in lightdm (Ubuntu Vivid):
assignee: nobody → Robert Ancell (robert-ancell)
Changed in lightdm (Ubuntu Wily):
assignee: nobody → Robert Ancell (robert-ancell)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.16.6-0ubuntu1

---------------
lightdm (1.16.6-0ubuntu1) wily; urgency=medium

  * New upstream release:
    - Handle XDMCP Request packet with no addresses. (LP: #1516831)
    - Don't start LightDM if the XDMCP server is configured with a key that
      doesn't exist. (LP: #1517685)
    - Add IP addresses to XDMCP log messages.
    - Refactor XDMCP error handling.
    - Add more tests.

 -- Robert Ancell <email address hidden> Fri, 20 Nov 2015 15:46:15 +1300

Changed in lightdm (Ubuntu Wily):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for lightdm has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.14.4-0ubuntu1

---------------
lightdm (1.14.4-0ubuntu1) vivid; urgency=medium

  * New upstream release:
    - Handle XDMCP Request packet with no addresses. (LP: #1516831)
    - Don't start LightDM if the XDMCP server is configured with a key that
      doesn't exist. (LP: #1517685)
    - Add IP addresses to XDMCP log messages.
    - Refactor XDMCP error handling.
    - Add more tests.

 -- Robert Ancell <email address hidden> Fri, 20 Nov 2015 16:01:15 +1300

Changed in lightdm (Ubuntu Vivid):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.