FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

libXdmcp -- insufficient entropy generating session keys

Affected packages
libXdmcp < 1.1.3


VuXML ID 1b6a10e9-4b7b-11e9-9e89-54e1ad3d6335
Discovery 2017-04-04
Entry 2019-03-21
Modified 2019-03-22

The freedesktop and project reports:

It was discovered that libXdmcp before 1.1.3 used weak entropy to generate session keys on platforms without arc4random_buf() but with getentropy(). On a multi-user system using xdmcp, a local attacker could potentially use information available from the process list to brute force the key, allowing them to hijack other users' sessions.

Please note that, since FreeBSD provides arc4random_buf(), it is unknown if FreeBSD is affected by this vulnerability.
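The fail-closed key generation this advisory points toward, as an added example that is not libXdmcp's own code: key bytes come only from arc4random_buf() or getentropy(), and a failure is reported to the caller instead of falling back to a PRNG seeded from guessable process state. The function name, the 8-byte key length and the HAVE_ARC4RANDOM_BUF build macro are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>      /* arc4random_buf() where the platform has it */
#include <string.h>
#include <sys/random.h>  /* getentropy() on glibc and macOS */
#include <unistd.h>      /* getentropy() on the BSDs */

#define SESSION_KEY_LEN 8  /* assumed key size for this example */

/*
 * Fill key[] with output from the system CSPRNG.
 * Returns 0 on success, -1 if no secure source delivered the bytes.
 * There is deliberately no fallback to time(), getpid() or random():
 * those values can be narrowed down by other local users.
 */
int generate_session_key(unsigned char key[SESSION_KEY_LEN])
{
#if defined(HAVE_ARC4RANDOM_BUF)  /* hypothetical build-time macro */
    arc4random_buf(key, SESSION_KEY_LEN);  /* cannot fail */
    return 0;
#else
    /* getentropy() accepts at most 256 bytes per call; 8 is well within. */
    if (getentropy(key, SESSION_KEY_LEN) != 0) {
        memset(key, 0, SESSION_KEY_LEN);  /* never hand back partial data */
        return -1;                        /* caller must refuse the session */
    }
    return 0;
#endif
}

int main(void)
{
    unsigned char key[SESSION_KEY_LEN];

    if (generate_session_key(key) != 0) {
        fprintf(stderr, "no secure entropy source, refusing to create key\n");
        return 1;
    }
    for (size_t i = 0; i < SESSION_KEY_LEN; i++)
        printf("%02x", key[i]);
    putchar('\n');
    return 0;
}
```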


CVE Name CVE-2017-2625