CVE-2013-2179

NameCVE-2013-2179
DescriptionX.Org xdm 1.1.10, 1.1.11, and possibly other versions, when performing authentication using certain implementations of the crypt API function that can return NULL, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) by attempting to log into an account whose password field contains invalid characters, as demonstrated using the crypt function from glibc 2.17 and later with (1) the "!" character in the salt portion of a password field or (2) a password that has been encrypted using DES or MD5 in FIPS-140 mode.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
xdm (PTS)jessie1:1.1.11-1fixed
buster, bullseye, stretch, bookworm1:1.1.11-3fixed
sid, trixie1:1.1.11-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
xdmsourcesqueeze(not affected)
xdmsourcewheezy(not affected)
xdmsource(unstable)(not affected)

Notes

- xdm <not-affected> (Not affected when PAM is used)
[squeeze] - xdm <not-affected> (same as above and glibc too old)
[wheezy] - xdm <not-affected> (same as above and glibc too old)
https://www.openwall.com/lists/oss-security/2013/06/11/5
Search for package or bug name: Reporting problems