Debian Bug report logs -
#526678
Passes magic cookie insecurity
Reported by: Loïc Minier <lool@dooz.org>
Date: Sat, 2 May 2009 16:21:01 UTC
Severity: normal
Tags: security
Found in version xorg-server/2:1.6.1-1
Fixed in version xorg-server/2:1.6.1.901-3
Done: Julien Cristau <jcristau@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#526678; Package xvfb.
(Sat, 02 May 2009 16:21:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Loïc Minier <lool@dooz.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian X Strike Force <debian-x@lists.debian.org>.
(Sat, 02 May 2009 16:21:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: xvfb
Version: 2:1.6.1-1
Severity: normal
File: /usr/bin/xvfb-run
Tags: security
Hi
xvfb-run does:
# Start Xvfb.
MCOOKIE=$(mcookie)
XAUTHORITY=$AUTHFILE xauth add ":$SERVERNUM" "$XAUTHPROTO" "$MCOOKIE" \
>"$ERRORFILE" 2>&1
which is insecure as the MCOOKIE value can be seen for a split second
in the list of processes.
I think "xauth source -" or a similar construct should be used.
Bye
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.29-1-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages xvfb depends on:
ii libaudit0 1.7.13-1 Dynamic library for security audit
ii libc6 2.9-9 GNU C Library: Shared libraries
ii libdbus-1-3 1.2.12-1 simple interprocess messaging syst
ii libfontenc1 1:1.0.4-3 X11 font encoding library
ii libgcrypt11 1.4.4-2 LGPL Crypto library - runtime libr
ii libhal1 0.5.12~git20090406.46dc48-2 Hardware Abstraction Layer - share
ii libpixman-1- 0.14.0-1 pixel-manipulation library for X a
ii libselinux1 2.0.71-1 SELinux shared libraries
ii libxau6 1:1.0.4-2 X11 authorisation library
ii libxdmcp6 1:1.0.2-3 X11 Display Manager Control Protoc
ii libxfont1 1:1.4.0-1 X11 font rasterisation library
ii xserver-comm 2:1.6.1-1 common files used by various X ser
Versions of packages xvfb recommends:
ii xauth 1:1.0.3-2 X authentication utility
ii xfonts-base 1:1.0.0-6 standard fonts for X
xvfb suggests no packages.
-- no debconf information
--
Loïc Minier
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#526678; Package xvfb.
(Thu, 14 May 2009 19:06:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>.
(Thu, 14 May 2009 19:06:05 GMT) (full text, mbox, link).
Message #10 received at 526678@bugs.debian.org (full text, mbox, reply):
On Sat, May 2, 2009 at 17:57:24 +0200, Loïc Minier wrote:
> # Start Xvfb.
> MCOOKIE=$(mcookie)
> XAUTHORITY=$AUTHFILE xauth add ":$SERVERNUM" "$XAUTHPROTO" "$MCOOKIE" \
> >"$ERRORFILE" 2>&1
>
> which is insecure as the MCOOKIE value can be seen for a split second
> in the list of processes.
>
> I think "xauth source -" or a similar construct should be used.
>
Can I get another pair of eyes before I commit this?
Also I don't quite like the fact that we use /tmp/xvfb-run.$$ as a temp
dir instead of using something like 'mktemp -t -d xvfb-run.XXXXXX'.
diff --git a/debian/local/xvfb-run b/debian/local/xvfb-run
index c85f86a..b11130a 100644
--- a/debian/local/xvfb-run
+++ b/debian/local/xvfb-run
@@ -157,8 +157,9 @@ fi
# Start Xvfb.
MCOOKIE=$(mcookie)
-XAUTHORITY=$AUTHFILE xauth add ":$SERVERNUM" "$XAUTHPROTO" "$MCOOKIE" \
- >>"$ERRORFILE" 2>&1
+XAUTHORITY=$AUTHFILE xauth source - << EOF >>"$ERRORFILE" 2>&1
+add :$SERVERNUM $XAUTHPROTO $MCOOKIE
+EOF
XAUTHORITY=$AUTHFILE Xvfb ":$SERVERNUM" $XVFBARGS $LISTENTCP >>"$ERRORFILE" \
2>&1 &
XVFBPID=$!
Cheers,
Julien
Tags added: pending
Request was from Julien Cristau <jcristau@debian.org>
to control@bugs.debian.org.
(Thu, 14 May 2009 22:00:02 GMT) (full text, mbox, link).
Reply sent
to Julien Cristau <jcristau@debian.org>:
You have taken responsibility.
(Tue, 23 Jun 2009 18:30:05 GMT) (full text, mbox, link).
Notification sent
to Loïc Minier <lool@dooz.org>:
Bug acknowledged by developer.
(Tue, 23 Jun 2009 18:30:06 GMT) (full text, mbox, link).
Message #17 received at 526678-close@bugs.debian.org (full text, mbox, reply):
Source: xorg-server
Source-Version: 2:1.6.1.901-3
We believe that the bug you reported is fixed in the latest version of
xorg-server, which is due to be installed in the Debian FTP archive:
xdmx-tools_1.6.1.901-3_i386.deb
to pool/main/x/xorg-server/xdmx-tools_1.6.1.901-3_i386.deb
xdmx_1.6.1.901-3_i386.deb
to pool/main/x/xorg-server/xdmx_1.6.1.901-3_i386.deb
xnest_1.6.1.901-3_i386.deb
to pool/main/x/xorg-server/xnest_1.6.1.901-3_i386.deb
xorg-server_1.6.1.901-3.diff.gz
to pool/main/x/xorg-server/xorg-server_1.6.1.901-3.diff.gz
xorg-server_1.6.1.901-3.dsc
to pool/main/x/xorg-server/xorg-server_1.6.1.901-3.dsc
xserver-common_1.6.1.901-3_all.deb
to pool/main/x/xorg-server/xserver-common_1.6.1.901-3_all.deb
xserver-xephyr_1.6.1.901-3_i386.deb
to pool/main/x/xorg-server/xserver-xephyr_1.6.1.901-3_i386.deb
xserver-xfbdev_1.6.1.901-3_i386.deb
to pool/main/x/xorg-server/xserver-xfbdev_1.6.1.901-3_i386.deb
xserver-xorg-core-dbg_1.6.1.901-3_i386.deb
to pool/main/x/xorg-server/xserver-xorg-core-dbg_1.6.1.901-3_i386.deb
xserver-xorg-core_1.6.1.901-3_i386.deb
to pool/main/x/xorg-server/xserver-xorg-core_1.6.1.901-3_i386.deb
xserver-xorg-dev_1.6.1.901-3_i386.deb
to pool/main/x/xorg-server/xserver-xorg-dev_1.6.1.901-3_i386.deb
xvfb_1.6.1.901-3_i386.deb
to pool/main/x/xorg-server/xvfb_1.6.1.901-3_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 526678@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Julien Cristau <jcristau@debian.org> (supplier of updated xorg-server package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 23 Jun 2009 19:52:10 +0200
Source: xorg-server
Binary: xserver-xorg-core xserver-xorg-dev xdmx xdmx-tools xnest xvfb xserver-xephyr xserver-xfbdev xserver-xorg-core-dbg xserver-common
Architecture: source all i386
Version: 2:1.6.1.901-3
Distribution: unstable
Urgency: low
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Julien Cristau <jcristau@debian.org>
Description:
xdmx - distributed multihead X server
xdmx-tools - Distributed Multihead X tools
xnest - Nested X server
xserver-common - common files used by various X servers
xserver-xephyr - nested X server
xserver-xfbdev - Linux framebuffer device tiny X server
xserver-xorg-core - Xorg X server - core server
xserver-xorg-core-dbg - Xorg - the X.Org X server (debugging symbols)
xserver-xorg-dev - Xorg X server - development files
xvfb - Virtual Framebuffer 'fake' X server
Closes: 508476 526678
Changes:
xorg-server (2:1.6.1.901-3) unstable; urgency=low
.
[ Julien Cristau ]
* xvfb-run: don't pass the magic cookie to xauth on the command line
(CVE-2009-1573; closes: #526678). Thanks, Loïc Minier!
* xvfb-run: use mktemp to create the temporary directory.
* Change default for ExaOptimizeMigration to false. This option still
causes visual corruption in some cases. Thanks, Michel Dänzer!
* Only include hal info for keyboards, mice, touchpads and tablets in the
bug script.
* In the bug script, grep dmesg for agp in addition to drm.
* Add patch stolen from Fedora to disable the fbdev driver when it's loaded
together with a PCI or SBUS driver, instead of calling FatalError (closes:
#508476).
* Add patch stolen from Fedora to try and detect the primary PCI device by
mapping the legacy VGA bios and comparing the vendor and device ids.
Previously if there was more than one VGA device and the config didn't
specify BusIDs, the server would just fail to start, so this hack should
improve things.
* Update configure options:
+ use --enable-xvfb instead of --enable-vfb
+ drop --disable-builtin-fonts, --enable-xtrap, --disable-kdrive-vesa,
--disable-lbx, --disable-xprint, --disable-xorgconfig, --disable-xorgcfg
which don't exist anymore
+ use --disable-config-hal and --disable-dri on hurd-i386
+ reorder options to match configure.ac, and use explicit
--enable/--disable instead of using the defaults / autodetection
* Don't recommend xfonts-base. libXfont provides builtin versions of the
fixed and cursor fonts, which are the only required ones. Keep xfonts-*
packages in Suggests for xserver-xorg-core.
* Bump Standards-Version to 3.8.2 now that we have README.source.
* Drop Build-Conflicts on xlibs-static-dev; it's only in oldstable at this
point.
* Pull from upstream server-1.6-branch as of June 23rd (commit dbac41b).
* Bump build-dep on dri2proto to 2.1 for new protocol.
* Bump build-dep on libselinux1-dev to 2.0.80 for avc_netlink_acquire_fd.
.
[ David Nusinow ]
* Add README.source
Checksums-Sha1:
259115805767312e0f1d6005723bfca10f7ddc99 3204 xorg-server_1.6.1.901-3.dsc
7c5e6da1988058b1c910f7faa03efa1cfe771fc3 97042 xorg-server_1.6.1.901-3.diff.gz
544f1da97d8c1b8e8fee7dc7cc7b690cf146c372 50778 xserver-common_1.6.1.901-3_all.deb
aa6145172ca2d81a92498a3ce748a4304da78a56 2166936 xserver-xorg-core_1.6.1.901-3_i386.deb
7a4aa5cbeabc73781fd160f1621db8ebb2bdeaa3 980812 xserver-xorg-dev_1.6.1.901-3_i386.deb
16c4711be1deb0f87a6c2abe1db134fe4527e265 1479550 xdmx_1.6.1.901-3_i386.deb
644d3642409e285baea3c3a6525daf9583bb1c79 798950 xdmx-tools_1.6.1.901-3_i386.deb
b01cf1a6330629076707a3dc1befdb1fbcfc7b8b 1387350 xnest_1.6.1.901-3_i386.deb
c9afd9f1f3cad142cc61e22994702ee476bf7479 1496816 xvfb_1.6.1.901-3_i386.deb
f754c3bb301252d037d8d79ac6a26d6d475cc1e8 1569520 xserver-xephyr_1.6.1.901-3_i386.deb
67bf96562b8ee21a2ef65ba5c5204b4b5937d318 1521140 xserver-xfbdev_1.6.1.901-3_i386.deb
bc9857851e49138ceec1496834b75031e8a029fd 6122726 xserver-xorg-core-dbg_1.6.1.901-3_i386.deb
Checksums-Sha256:
157f674679e92145a7d5b19859111ffa309f18ef76c48d377057bcac7d9e19d1 3204 xorg-server_1.6.1.901-3.dsc
4f6fc25ab2c318d98c5e68bb7652f1fc28032987e6025e4737329f2b2da2acc2 97042 xorg-server_1.6.1.901-3.diff.gz
cfe75e625ac04816849b2210327c32cc56b374d93280346006747fa2d560bd88 50778 xserver-common_1.6.1.901-3_all.deb
2e5260a3cd9d88d4c65ca002f044470fac5780dcd9e0a1e0e9a5069245c88ff1 2166936 xserver-xorg-core_1.6.1.901-3_i386.deb
6609b2cf6a8eedbc1f4f63aafce453a80ef1a9790fa0c6e2dd9aa401e4b58449 980812 xserver-xorg-dev_1.6.1.901-3_i386.deb
0bdc6500de6343baea445acfc620baa109e146fe441b3dfa3e2293f19ec40b37 1479550 xdmx_1.6.1.901-3_i386.deb
b08696601bb7b3b46f4a8fbe82003fe5d4e9553efff7ca5ac9922d8c08bc0c9c 798950 xdmx-tools_1.6.1.901-3_i386.deb
fd1a5229109985d6e1bf714ea99528076f1e979740ce2b1f67eba8706410d2f6 1387350 xnest_1.6.1.901-3_i386.deb
2f324ff3cb29ad535d6cc955b4b82059c6a6649dc9f0a4f09c8ac71bf83a018d 1496816 xvfb_1.6.1.901-3_i386.deb
2af1812c255deb49010d3ad187b4dad24c742ebe3b7b34cae60a700ae8a40cb9 1569520 xserver-xephyr_1.6.1.901-3_i386.deb
7208db871d9ef90df71bd50df318d2a60d1f043fdaae9604fde6ace19237c36d 1521140 xserver-xfbdev_1.6.1.901-3_i386.deb
4fd691c550a72291937ce34d4943e9fa10b072736f6e72839196d6c888be14f7 6122726 xserver-xorg-core-dbg_1.6.1.901-3_i386.deb
Files:
32db857aba7a30bb5962c506a5d1e413 3204 x11 optional xorg-server_1.6.1.901-3.dsc
d3e8ea9086b72ed899469511555837be 97042 x11 optional xorg-server_1.6.1.901-3.diff.gz
cf77d53ad16398d1e1bdbfc456b232f6 50778 x11 optional xserver-common_1.6.1.901-3_all.deb
078080f218d96994bb4facc4a31bf0fe 2166936 x11 optional xserver-xorg-core_1.6.1.901-3_i386.deb
de758b8eda9f131b692b7533c72b7d28 980812 x11 optional xserver-xorg-dev_1.6.1.901-3_i386.deb
74fa94aa4eb5be1d7b941c9437e04c37 1479550 x11 optional xdmx_1.6.1.901-3_i386.deb
2659971fd14095f16b0e092f748d163f 798950 x11 optional xdmx-tools_1.6.1.901-3_i386.deb
96ebd29110f1c5af33f061a2c669b879 1387350 x11 optional xnest_1.6.1.901-3_i386.deb
ea2ee66487325922b269a61d4edad82b 1496816 x11 optional xvfb_1.6.1.901-3_i386.deb
fbb5766b0f18b596c11e3cdf97d73509 1569520 x11 optional xserver-xephyr_1.6.1.901-3_i386.deb
5d824e782968a87a2c1f3e24edf34869 1521140 x11 optional xserver-xfbdev_1.6.1.901-3_i386.deb
291747ba266d28a5878e94979b09fb60 6122726 debug extra xserver-xorg-core-dbg_1.6.1.901-3_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkpBGOIACgkQmEvTgKxfcAyJegCgkLDKb0ZNXvHAc1lusJLRxhYv
81gAoMkQz9IzagPkKgKsC6E8xagYVy0K
=IQrI
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 25 Jul 2009 07:36:28 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 16:48:05 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon