CVE-2015-8316
Published 2017-09-06
Priority: P4 · 26 · medium · 5.9 (CVSS 3.0)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.75% (75.0th percentile)
Array index error in LightDM (aka Light Display Manager) 1.14.3, 1.16.x before 1.16.6 when the XDMCP server is enabled allows remote attackers to cause a denial of service (process crash) via an XDMCP request packet with no address.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | lightdm | < lightdm 1.16.6-1 (bookworm) | lightdm 1.16.6-1 (bookworm) |
| lightdm_project | lightdm | — | — |
| lightdm_project | lightdm | — | — |
| lightdm_project | lightdm | — | — |
| lightdm_project | lightdm | — | — |
| lightdm_project | lightdm | — | — |
| lightdm_project | lightdm | — | — |
| lightdm_project | lightdm | >= 0 < 1.16.6-1 | 1.16.6-1 |
| lightdm_project | lightdm | >= 0 < 1.16.6-1 | 1.16.6-1 |
| lightdm_project | lightdm | >= 0 < 1.16.6-1 | 1.16.6-1 |
| lightdm_project | lightdm | >= 0 < 1.16.6-1 | 1.16.6-1 |
CVSS provenance
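| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 5.9 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| osv | — | 5.9 | MEDIUM | — |
| vendor_debian | — | 5.9 | MEDIUM | — |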
GHSA
GHSA-4p4w-jwhc-qwjq: Array index error in LightDM (aka Light Display Manager) 1
ghsa_unreviewed·2022-05-17
CVE-2015-8316 [MEDIUM] CWE-129 GHSA-4p4w-jwhc-qwjq: Array index error in LightDM (aka Light Display Manager) 1
OSV
CVE-2015-8316: Array index error in LightDM (aka Light Display Manager) 1
osv·2017-09-06·CVSS 5.9
CVE-2015-8316 [MEDIUM] CVE-2015-8316: Array index error in LightDM (aka Light Display Manager) 1
Debian
CVE-2015-8316: lightdm - Array index error in LightDM (aka Light Display Manager) 1.14.3, 1.16.x before 1...
vendor_debian·2015·CVSS 5.9
CVE-2015-8316 [MEDIUM] CVE-2015-8316: lightdm - Array index error in LightDM (aka Light Display Manager) 1.14.3, 1.16.x before 1...
Scope: local
bookworm: resolved (fixed in 1.16.6-1)
bullseye: resolved (fixed in 1.16.6-1)
forky: resolved (fixed in 1.16.6-1)
sid: resolved (fixed in 1.16.6-1)
trixie: resolved (fixed in 1.16.6-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2015-8316 lightdm: XDMCP request packet with no addresses crashes LightDM [fedora-all]
bugzilla·2015-11-23·CVSS 5.9
CVE-2015-8316 [MEDIUM] CVE-2015-8316 lightdm: XDMCP request packet with no addresses crashes LightDM [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported
Bugzilla
CVE-2015-8316 lightdm: XDMCP request packet with no addresses crashes LightDM
bugzilla·2015-11-23·CVSS 5.9
CVE-2015-8316 [MEDIUM] CVE-2015-8316 lightdm: XDMCP request packet with no addresses crashes LightDM
It was found that when XDMCP server is enabled and LightDM receives an XDMCP Request packet with no addresses, it will attempt to access a negative index into an array, causing denial of service.
CVE assignment:
http://seclists.org/oss-sec/2015/q4/352
Discussion:
Created lightdm tracking bugs for this issue:
Affects: fedora-all [bug 1284575]
---
per linked fedora bug,
According to the CVE_2015-8316 text, "some versions of LightDM (1.14 and 1.16 series) are vulnerable".
Fedora (and EPEL) ship lightdm-1.10.x, so it would appear we are safe, closing.
http://www.openwall.com/lists/oss-security/2015/11/22/1
https://bugs.launchpad.net/lightdm/+bug/1516831
https://bugzilla.redhat.com/show_bug.cgi?id=1284574