COMMAND

    wdm

SYSTEMS AFFECTED

    those using wdm

PROBLEM

    wdm (wings display manager) is basically xdm with WINGs handling
    the graphical elements. The bulk of the core code is pulled
    directly from xdm; indeed, the tarball of version 1.20 included
    xdm-3.3.2 code in a tarball, although the wdm URL mentioned:

        " wdm-1.20 -- Feb 29, 2000
        ...
        corrected by replacing some xdm-3.3.2 code with xdm-3.3.6. I think
        all the xdm stuff definitely should be udpated [sic] to the latest
        version. "

    The included ChangeLog gives a bit more detail on this.
    Regardless, in ./wdm-1.20/xdm/xdmcp.c we find the same code:

            static char buf[256];
            XdmcpHeader header;
            ARRAY8      status;

            sprintf (buf, "Session %d failed for display %s: %s",
                     sessionID, name, reason);
            Debug ("Send failed %d %s\n", sessionID, buf);
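
    Added example, not wdm or xdm code: the sprintf call above puts no
    limit on how much of name and reason is written into the 256-byte
    buf. The sketch below formats the same message with snprintf and
    reports truncation; format_failed and failed_msg_needed are
    hypothetical helper names, and the inputs in main are constructed.

```c
/* Added example, not wdm or xdm source. Only the format string and the
 * 256-byte buffer size come from the page; the helpers are hypothetical. */
#include <stdio.h>
#include <string.h>

#define FAILBUF_LEN 256   /* same size as buf[] in xdmcp.c */

/* Bytes (excluding the NUL) the message needs; nothing is written. */
static int failed_msg_needed(int sessionID, const char *name, const char *reason)
{
    return snprintf(NULL, 0, "Session %d failed for display %s: %s",
                    sessionID, name, reason);
}

/* Bounded form of the sprintf call. Returns 0 if the message fit,
 * 1 if it was truncated, -1 on bad arguments or a formatting error.
 * out is always NUL-terminated when 0 or 1 is returned. */
static int format_failed(char *out, size_t outlen, int sessionID,
                         const char *name, const char *reason)
{
    int n;

    if (out == NULL || outlen == 0 || name == NULL || reason == NULL)
        return -1;
    n = snprintf(out, outlen, "Session %d failed for display %s: %s",
                 sessionID, name, reason);
    if (n < 0) {
        out[0] = '\0';
        return -1;
    }
    return (size_t)n >= outlen ? 1 : 0;
}

int main(void)
{
    char buf[FAILBUF_LEN];
    char longname[400];               /* constructed oversized display name */
    int rc;

    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    rc = format_failed(buf, sizeof buf, 7, longname, "constructed reason");
    printf("needed=%d truncated=%d stored=%zu\n",
           failed_msg_needed(7, longname, "constructed reason"),
           rc, strlen(buf));
    return 0;
}
```
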

    Due to this direct importation of xdm code, it stands to reason
    that _any_ bug in xdm core code will probably directly affect
    wdm in the same way. Additionally, as it seems WDM releases are
    not regularly updated with xdm code, wdm may even be worse off
    than an up-to-date version of xdm.

    wdm includes the same bugs as gdm and other software based on
    xdm. The 1.19 version included in Debian has a security problem if
    you modify the default wdm-config file to use the new default user
    and password feature: the file should be owned by root and be
    given a mode of 0600, as stated in the manpages, but the Debian
    installation makes it world readable. That's not a problem if you
    don't use the default user and password feature (default
    installation).

SOLUTION

    Everything in the wdm world is a reflection of the xdm world. You
    should upgrade to 1.20, wait for patches (wdm in Debian potato is
    still at 1.19).