CVE-2013-2179

Publication date 27 December 2013

Last updated 24 July 2024

Ubuntu priority

X.Org xdm 1.1.10, 1.1.11, and possibly other versions, when performing authentication using certain implementations of the crypt API function that can return NULL, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) by attempting to log into an account whose password field contains invalid characters, as demonstrated using the crypt function from glibc 2.17 and later with (1) the "!" character in the salt portion of a password field or (2) a password that has been encrypted using DES or MD5 in FIPS-140 mode.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
xdm	13.04 raring	Not affected
	12.10 quantal	Not affected
	12.04 LTS precise	Not affected
	10.04 LTS lucid	Ignored end of life

How can I get the fixes?
What do statuses mean?

Notes

mdeslaur

not affected on Debian/Ubuntu because of PAM

References

MITRE
NVD
Launchpad
Debian

Other references

http://www.openwall.com/lists/oss-security/2013/06/13
https://www.cve.org/CVERecord?id=CVE-2013-2179