Subject: xsrc/25655: xdm opens random chooser ports
To: None <gnats-bugs@gnats.NetBSD.org>
From: None <rumble@ephemeral.org>
List: netbsd-bugs
Date: 05/20/2004 23:38:20
>Number:         25655
>Category:       xsrc
>Synopsis:       xdm opens random chooser ports
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    xsrc-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu May 20 23:39:01 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator:     Steve Rumble
>Release:        2.0 BETA
>Organization:
>Environment:
NetBSD t23.ephemeral.org 2.0_BETA NetBSD 2.0_BETA (GENERIC) #0: Thu May 13 04:56:30 UTC 2004 autobuild@tgm.netbsd.org:/autobuild/netbsd-2-0/i386/OBJ/autobuild/netbsd-2-0/src/sys/arch/i386/compile/GENERIC i386
>Description:
Due to an apparent oversight while refactoring xdm, the DisplayManager.requestPort variable is no longer checked before opening a listen socket. Thus, xdm always opens either an IPv6 or IPv4 listen on a random high port on all interfaces regardless of the configuration options used. This is a potential security risk.
>How-To-Repeat:
Run a recent xdm and try `fstat |grep xdm |grep internet`.
>Fix:
A patch was submitted to XFree86.org and was committed to HEAD (http://www.mail-archive.com/cvs-commit@xfree86.org/msg03661.html). A patch against -current NetBSD xsrc is provided below. This should probably be pulled up to 2.0.

Index: socket.c
===================================================================
RCS file: /cvsroot/xsrc/xfree/xc/programs/xdm/socket.c,v
retrieving revision 1.1.1.6
diff -u -r1.1.1.6 socket.c
--- socket.c    5 Mar 2004 14:27:08 -0000       1.1.1.6
+++ socket.c    20 May 2004 01:33:52 -0000
@@ -66,6 +66,9 @@
     char *name = localHostname ();
     registerHostname (name, strlen (name));
 
+    if (request_port == 0)
+       return;
+    
 #if defined(IPv6) && defined(AF_INET6)
     chooserFd = socket (AF_INET6, SOCK_STREAM, 0);
 #else
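Review bot: the early return at `if (request_port == 0)` comes after `registerHostname (name, strlen (name));` but before `chooserFd` is assigned, so on this path `chooserFd` keeps whatever value it had on entry. Confirm that it is initialised to -1, and that any later code that selects on, accepts from or closes `chooserFd` checks for that. A one-line comment stating that a requestPort of 0 also disables the chooser listen socket would help. The `return;` line does not match the four-space indentation of the surrounding code (it looks like a tab mixed with spaces), and the added blank line carries trailing whitespace.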
>Release-Note:
>Audit-Trail:
>Unformatted: