Debian Security Advisory

DSA-1561-1 ldm -- programming error

Date Reported:
28 Apr 2008
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 469462.
In Mitre's CVE dictionary: CVE-2008-1293.
More information:

Christian Herzog discovered that within the Linux Terminal Server Project, it was possible to connect to X on any LTSP client from any host on the network, making client windows and keystrokes visible to that host.

NOTE: most ldm installs are likely to be in a chroot environment exported over NFS, and will not be upgraded merely by upgrading the server itself. For example, on the i386 architecture, to upgrade ldm will likely require:

    chroot /opt/ltsp/i386 apt-get update
    chroot /opt/ltsp/i386 apt-get dist-upgrade

For the stable distribution (etch), this problem has been fixed in version 0.99debian11+etch1.

For the unstable distribution (sid), this problem has been fixed in version 2:0.1~bzr20080308-1.

We recommend that you upgrade your ldm package.

Fixed in:

Debian GNU/Linux 4.0 (etch)

Architecture-independent component:
HP Precision:
Intel IA-32:
Intel IA-64:
Big-endian MIPS:
Little-endian MIPS:
IBM S/390:

MD5 checksums of the listed files are available in the original advisory.