COMMAND

    xdm

SYSTEMS AFFECTED

    System running old XMD

PROBLEM

    Two  widely  used  X  Window  System  authorization  schemes  have
    weaknesses in the sample  implementation.  These weaknesses  could
    allow unauthorized remote users to  connect to X displays and  are
    present in X11  Release 6 and  earlier releases of  the X11 sample
    implementation.

    On systems  on which  xdm is  built without  the HasXdmAuth config
    option,  the  MIT-MAGIC-COOKIE-1  key  generated  by  xdm  may  be
    guessable.   If  you  use  MIT-MAGIC-COOKIE-1  to  authenticate  X
    connections, and your keys are generated by xdm, and xdm does  not
    also support XDM-AUTHORIZATION-1  authentication (that is,  your X
    tree was not built with the HasXdmAuth config option), you may  be
    at risk.

    On systems with poor pseudo-random number generators, the key  may
    be  guessable  by  remote  users.   On  other  systems, users with
    access to the  file system where  xdm stores its  keys for use  by
    local servers may  be able to  use information in  the file system
    to guess the key.

    If your  xdm program  was built  with HasXdmAuth  set to  YES (the
    compiler   command   line   includes   the   -DHASXDMAUTH   flag),
    MIT-MAGIC-COOKIE-1 keys generated by  xdm are not vulnerable;  the
    DES code is used to generate cryptographically secure keys.

SOLUTION

    Install a vendor supplied patch if available.

    Patches for AIX  3.2 and AIX  4.1 are available  now via anonymous
    FTP from software.watson.ibm.com/pub/aix/xdm.

        AIX 3.2  xdm.325
        AIX 4.1  xdm.41

    Please replace your /usr/bin/X11/xdm with these versions.

    Official  fixes  will  be  available  under  the  following   APAR
    numbers:

        AIX 3.2  IX54679
        AIX 4.1  IX54680