sddm: CVE-2020-28049: local privilege escalation due to race condition in creation of the Xauthority file

Debian Bug report logs - #973748
sddm: CVE-2020-28049: local privilege escalation due to race condition in creation of the Xauthority file

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: sddm: CVE-2020-28049: local privilege escalation due to race condition in creation of the Xauthority file

Date: Wed, 04 Nov 2020 13:52:12 +0100

Source: sddm
Version: 0.18.1-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for sddm.

CVE-2020-28049[0]:
| local privilege escalation due to race condition in creation of the
| Xauthority file

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-28049
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28049
[1] https://github.com/sddm/sddm/commit/be202f533ab98a684c6a007e8d5b4357846bc222
[2] https://bugzilla.suse.com/show_bug.cgi?id=1177201
[3] https://www.openwall.com/lists/oss-security/2020/11/04/2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Message #12 received at 973748@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 973748@bugs.debian.org

Subject: Re: Bug#973748: sddm: CVE-2020-28049: local privilege escalation due to race condition in creation of the Xauthority file

Date: Wed, 4 Nov 2020 16:19:58 +0100

[Message part 1 (text/plain, inline)]

Hi,

On Wed, Nov 04, 2020 at 01:52:12PM +0100, Salvatore Bonaccorso wrote:
> Source: sddm
> Version: 0.18.1-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> 
> Hi,
> 
> The following vulnerability was published for sddm.
> 
> CVE-2020-28049[0]:
> | local privilege escalation due to race condition in creation of the
> | Xauthority file
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2020-28049
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28049
> [1] https://github.com/sddm/sddm/commit/be202f533ab98a684c6a007e8d5b4357846bc222
> [2] https://bugzilla.suse.com/show_bug.cgi?id=1177201
> [3] https://www.openwall.com/lists/oss-security/2020/11/04/2

Attached the debdiff as to be used for the buster-security update.

Regards,
Salvatore

[sddm_0.18.0-1+deb10u1.debdiff (text/plain, attachment)]

Message #17 received at 973748@bugs.debian.org (full text, mbox, reply):

From: Norbert Preining <norbert@preining.info>

To: Salvatore Bonaccorso <carnil@debian.org>, 973748@bugs.debian.org, Debian FTP Masters <ftpmaster@ftp-master.debian.org>, dak@security.debian.org

Subject: Re: Bug#973748: sddm: CVE-2020-28049: local privilege escalation due to race condition in creation of the Xauthority file

Date: Thu, 5 Nov 2020 20:26:07 +0900

Hi Salvatore, hi FTP Master,

@Salvatore: thanks for the NMU preparation. We are now preparing a fix
for unstable via version 0.19, and at the same time I thought I upload
to buster-security, based on your patch,

But, uploading to security-master with dput I got the following answer:

On Thu, 05 Nov 2020, Debian FTP Masters wrote:
> sddm_0.18.0-1+deb10u1.dsc: Does not match file already existing in the pool.

Do you or ftpmaster could explain me what I did wrong?

The included files are
Checksums-Sha1:
 f8d882dbf4cf377fa0c7a4277a56b7f7c25e2a64 2334 sddm_0.18.0-1+deb10u1.dsc
 a33d316b613a52b2af435c3516ed9abac7ea34d5 52864 sddm_0.18.0-1+deb10u1.debian.tar.xz
 5ed47e94dc64af78fe960358b8b009afb840e16a 13613 sddm_0.18.0-1+deb10u1_source.buildinfo
and the upload was a source-only to Distribution: buster-security.

Thanks

Norbert

--
PREINING Norbert                              https://www.preining.info
Accelia Inc. + IFMGA ProGuide + TU Wien + JAIST + TeX Live + Debian Dev
GPG: 0x860CDC13   fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13

Message #22 received at 973748@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Norbert Preining <norbert@preining.info>

Cc: 973748@bugs.debian.org, Debian FTP Masters <ftpmaster@ftp-master.debian.org>, dak@security.debian.org

Subject: Re: Bug#973748: sddm: CVE-2020-28049: local privilege escalation due to race condition in creation of the Xauthority file

Date: Thu, 5 Nov 2020 12:43:27 +0100

Hi Norbert,

On Thu, Nov 05, 2020 at 08:26:07PM +0900, Norbert Preining wrote:
> Hi Salvatore, hi FTP Master,
> 
> @Salvatore: thanks for the NMU preparation. We are now preparing a fix
> for unstable via version 0.19, and at the same time I thought I upload
> to buster-security, based on your patch,
> 
> But, uploading to security-master with dput I got the following answer:
> 
> On Thu, 05 Nov 2020, Debian FTP Masters wrote:
> > sddm_0.18.0-1+deb10u1.dsc: Does not match file already existing in the pool.
> 
> Do you or ftpmaster could explain me what I did wrong?
> 
> The included files are
> Checksums-Sha1:
>  f8d882dbf4cf377fa0c7a4277a56b7f7c25e2a64 2334 sddm_0.18.0-1+deb10u1.dsc
>  a33d316b613a52b2af435c3516ed9abac7ea34d5 52864 sddm_0.18.0-1+deb10u1.debian.tar.xz
>  5ed47e94dc64af78fe960358b8b009afb840e16a 13613 sddm_0.18.0-1+deb10u1_source.buildinfo
> and the upload was a source-only to Distribution: buster-security.

That is because I did already upload the upload yesterday as with the
debdiff attached to the bugreport. But we (Moritz was testing as well)
wanted to further test the upload first before releasing the DSA.

Fixing this via unstable via directly 0.19 sounds great, thank you.

Regards,
Salvatore

Message #27 received at 973748@bugs.debian.org (full text, mbox, reply):

From: Norbert Preining <norbert@preining.info>

To: Salvatore Bonaccorso <carnil@debian.org>, 973748@bugs.debian.org

Cc: Debian FTP Masters <ftpmaster@ftp-master.debian.org>, dak@security.debian.org

Subject: Re: Bug#973748: sddm: CVE-2020-28049: local privilege escalation due to race condition in creation of the Xauthority file

Date: Thu, 5 Nov 2020 20:55:40 +0900

Hi Salvatore,

> That is because I did already upload the upload yesterday as with the
> debdiff attached to the bugreport. But we (Moritz was testing as well)
> wanted to further test the upload first before releasing the DSA.

Ahhhh .... ok, that explains it. Didn't see any message about it, so I
guessed you were waiting for us. I also didn't see anything on
tracker.debian.org, so I thought I will do it ...

Is there anything regarding buster that is still necessary?

> Fixing this via unstable via directly 0.19 sounds great, thank you.

That is coming in in short time.

Thanks

Norbert

--
PREINING Norbert                              https://www.preining.info
Accelia Inc. + IFMGA ProGuide + TU Wien + JAIST + TeX Live + Debian Dev
GPG: 0x860CDC13   fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13

Message #32 received at 973748@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Norbert Preining <norbert@preining.info>

Cc: 973748@bugs.debian.org, Debian FTP Masters <ftpmaster@ftp-master.debian.org>, dak@security.debian.org

Subject: Re: Bug#973748: sddm: CVE-2020-28049: local privilege escalation due to race condition in creation of the Xauthority file

Date: Thu, 5 Nov 2020 13:07:19 +0100

[Message part 1 (text/plain, inline)]

Hi Norbert,

On Thu, Nov 05, 2020 at 08:55:40PM +0900, Norbert Preining wrote:
> Hi Salvatore,
> 
> > That is because I did already upload the upload yesterday as with the
> > debdiff attached to the bugreport. But we (Moritz was testing as well)
> > wanted to further test the upload first before releasing the DSA.
> 
> Ahhhh .... ok, that explains it. Didn't see any message about it, so I
> guessed you were waiting for us. I also didn't see anything on
> tracker.debian.org, so I thought I will do it ...

Sorry this was badly formulated on my end then :(. The intention was
to day, this is the debdiff I just used for the upload. tracker.d.o
does not show it yet because the packages are sitting in the embargoed
policy queue on security-master so not yet pushed out to the archive.
I will do it this afternoon or tonight the latest once I got test
feedback from Moritz as well.

> Is there anything regarding buster that is still necessary?

No not for buster-security. But I can provide you the two commits for
the packaging repo if you prefer that instead of importing the dsc.
They are attached.

> > Fixing this via unstable via directly 0.19 sounds great, thank you.
> 
> That is coming in in short time.

Thank you for your work on this update (and in general for the
package).

Regards,
Salvatore

[0001-Fix-X-not-having-access-control-on-startup-CVE-2020-.patch (text/x-diff, attachment)]

[0002-Prepare-changelog-for-release.patch (text/x-diff, attachment)]

Message #37 received at 973748@bugs.debian.org (full text, mbox, reply):

From: Norbert Preining <norbert@preining.info>

To: Salvatore Bonaccorso <carnil@debian.org>

Cc: 973748@bugs.debian.org, Debian FTP Masters <ftpmaster@ftp-master.debian.org>, dak@security.debian.org

Subject: Re: Bug#973748: sddm: CVE-2020-28049: local privilege escalation due to race condition in creation of the Xauthority file

Date: Thu, 5 Nov 2020 21:15:15 +0900

Hi Salvatore,

On Thu, 05 Nov 2020, Salvatore Bonaccorso wrote:
> to day, this is the debdiff I just used for the upload. tracker.d.o
> does not show it yet because the packages are sitting in the embargoed
> policy queue on security-master so not yet pushed out to the archive.

Ah, ok, didn't know that. Fine with me!

> No not for buster-security. But I can provide you the two commits for
> the packaging repo if you prefer that instead of importing the dsc.
> They are attached.

Thanks, that is great. I will trash my branch and make a new one based
on your commit. I wait with tagging until I see the package appear.

Best regards

Norbert

--
PREINING Norbert                              https://www.preining.info
Accelia Inc. + IFMGA ProGuide + TU Wien + JAIST + TeX Live + Debian Dev
GPG: 0x860CDC13   fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13

Message #42 received at 973748@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Norbert Preining <norbert@preining.info>, 973748@bugs.debian.org

Subject: Re: Bug#973748: sddm: CVE-2020-28049: local privilege escalation due to race condition in creation of the Xauthority file

Date: Thu, 5 Nov 2020 15:45:45 +0100

Hi Norbert,

On Thu, Nov 05, 2020 at 09:15:15PM +0900, Norbert Preining wrote:
> Hi Salvatore,
> 
> On Thu, 05 Nov 2020, Salvatore Bonaccorso wrote:
> > to day, this is the debdiff I just used for the upload. tracker.d.o
> > does not show it yet because the packages are sitting in the embargoed
> > policy queue on security-master so not yet pushed out to the archive.
> 
> Ah, ok, didn't know that. Fine with me!
> 
> > No not for buster-security. But I can provide you the two commits for
> > the packaging repo if you prefer that instead of importing the dsc.
> > They are attached.
> 
> Thanks, that is great. I will trash my branch and make a new one based
> on your commit. I wait with tagging until I see the package appear.

DSA 4783-1 released.

Regards,
Salvatore

Message #51 received at 973748-submitter@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: control@bugs.debian.org

Cc: 973748-submitter@bugs.debian.org

Subject: closing 973748

Date: Sat, 07 Nov 2020 10:59:17 +0100

close 973748 0.19.0-1
thanks

Message #56 received at 973748-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

To: 973748-close@bugs.debian.org

Subject: Bug#973748: fixed in sddm 0.18.0-1+deb10u1

Date: Fri, 13 Nov 2020 11:03:37 +0000

Source: sddm
Source-Version: 0.18.0-1+deb10u1
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of
sddm, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 973748@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated sddm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 04 Nov 2020 15:29:27 +0100
Source: sddm
Architecture: source
Version: 0.18.0-1+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 973748
Changes:
 sddm (0.18.0-1+deb10u1) buster-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix X not having access control on startup (CVE-2020-28049)
     (Closes: #973748)
Checksums-Sha1: 
 6a6813f739dd6f78a3b4b358d85ca64ba5d57d33 2834 sddm_0.18.0-1+deb10u1.dsc
 d6b5dc3ec560acdfa3afb6e7a88d062b45378930 3526688 sddm_0.18.0.orig.tar.gz
 d7b2b8a20ec040be316fedb2f213249a339f1a2f 52856 sddm_0.18.0-1+deb10u1.debian.tar.xz
Checksums-Sha256: 
 4257601035f4a2c0a50afaf120e7d4fd1418aac2ef6b44d9497c52eab3a6eeec 2834 sddm_0.18.0-1+deb10u1.dsc
 9c50b6194f1b4dbf6e1a1b21f23c2c5e384871172985e192b91585986d38eec4 3526688 sddm_0.18.0.orig.tar.gz
 6e3a85f8af20d9b5f6a5b91ed2552f680ff964e6ba85ced3eb5659bee7522a54 52856 sddm_0.18.0-1+deb10u1.debian.tar.xz
Files: 
 17bef940125e17671ee5b7abd44be783 2834 kde optional sddm_0.18.0-1+deb10u1.dsc
 f8656aa61020c727b6925225fa681996 3526688 kde optional sddm_0.18.0.orig.tar.gz
 bd8ea261aacb78364696f0dfafd7d643 52856 kde optional sddm_0.18.0-1+deb10u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl+ivGxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89E/qIP/RkmzS3V14XpjILPGJYs0fFqvii6l6AZ
d8I6u/KUdn4Q+6nZ5YGDLvNTqC8Q5/TcaaNSoJ3drxBB2lretIISLPGsweeNDPpk
ldccd97uvEUTRQAhquWppqJUbYaiYkTPvUeMArYGOuKnkimOGJXTgJ8ZWH05ziSb
xpXQmDHzkTren8OONCasvk5d83RKo7J6UelS/fhPIDPOb0wtBgbx3DIWvLNIMW/k
vTSUFf9VjAwas93AEIpBPoT3qkPt8gda3JBaMx7lptAia8FNO/7XT+oKHEjrKowS
8slTDM/noNjpankoicUBNAoBpsh5Fv6/Y8uVf8DyYx4mVFzzRDB7R3s4eZLEukDj
I5PpG8f2lavp3/OjCxs27pJ4pdUA3ZjKcpDDH99qp0V5DAzMBE+5/0CdPbxxY8Hb
Xmm/RR0/OwguRIwuUNytoTDJzUUJ4ZTwB2lkfOewnpaRaQNCuplh4AlMojRug2zV
YKc2mq6cCktVYUNLhiuWTsgBlAIFs37eatRnHBMhfO6k9Sfa7c9KJEAeTYnkjGrz
+YJR1/h4UPczsQYfcFnnZK5JGG483f095/NgruDhEKNKPKTLxJrulAkOv0Vy+Tz7
eJ/CBz6UgeMVaaJFMwNuFR8UFcW3UEZ4si1VqhwhIpzxY3wbXFovHNatsqsqvmrY
oSsdDiaEXnqi
=cFtB
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.