Bug#401956: libx11-6: contents of .XCompose file are leaked to subprocesses (possibly unprivileged)

2006-12-07 Thread Jamey Sharp
forwarded 401956 https://bugs.freedesktop.org/show_bug.cgi?id=8699
tags 401956 + upstream fixed-upstream fixed-in-experimental
thanks

This is upstream bug #8699, fixed in libX11 1.1-RC2 and later with this
commit:

http://gitweb.freedesktop.org/?p=xorg/lib/libX11.git;a=commitdiff_plain;h=686bb8b35acf6cecae80fe89b2b5853f5816ce19

According to the upstream bug report, it has been assigned
CVE-2006-5397.

I'd have thought this would be severity 'grave', but I'm not about to
override an RM's opinion. :-) I do think the patch should be included in
etch though: it merely deletes one obviously-wrong line.

--Jamey



2006-12-07 Thread Julien Cristau
On Thu, Dec  7, 2006 at 10:31:45 -0800, Jamey Sharp wrote:

> forwarded 401956 https://bugs.freedesktop.org/show_bug.cgi?id=8699
> tags 401956 + upstream fixed-upstream fixed-in-experimental
> thanks
>
> This is upstream bug #8699, fixed in libX11 1.1-RC2 and later with this
> commit:
>
> http://gitweb.freedesktop.org/?p=xorg/lib/libX11.git;a=commitdiff_plain;h=686bb8b35acf6cecae80fe89b2b5853f5816ce19
>
> According to the upstream bug report, it has been assigned
> CVE-2006-5397.

This was fixed in libx11 2:1.0.3-3 (#398460).

Cheers,
Julien



2006-12-07 Thread Julien Cristau
On Thu, Dec  7, 2006 at 20:32:29 +0100, Julien Cristau wrote:

> On Thu, Dec  7, 2006 at 10:31:45 -0800, Jamey Sharp wrote:
>
> > forwarded 401956 https://bugs.freedesktop.org/show_bug.cgi?id=8699
> > tags 401956 + upstream fixed-upstream fixed-in-experimental
> > thanks
> >
> > This is upstream bug #8699, fixed in libX11 1.1-RC2 and later with this
> > commit:
> >
> > http://gitweb.freedesktop.org/?p=xorg/lib/libX11.git;a=commitdiff_plain;h=686bb8b35acf6cecae80fe89b2b5853f5816ce19
> >
> > According to the upstream bug report, it has been assigned
> > CVE-2006-5397.
>
> This was fixed in libx11 2:1.0.3-3 (#398460).

However, I just noticed a similar bug related to Compose file parsing:
https://bugs.freedesktop.org/show_bug.cgi?id=9279

Cheers,
Julien



2006-12-06 Thread Marc Lehmann
Package: libx11-6
Version: 2:1.0.3-4
Severity: critical
Tags: security
Justification: root security hole


First of all, I tagged this bug as critical because the description in
reportbug fit, but as the issue is relatively harmless and not directly
caused by libx11, feel free to reprioritise, I will know in the future. I
hope I did the right thing. Thanks - and possibly sorry!

Anyways, libx11 leaks the contents of .XCompose to subprocesses, because it
does not close the file descriptor nor does it set the cloexec flag on the
filehandle. Such leaks are usually very pervasive as few programs care for
fds they did not open.

For example, under a urxvtd terminal window running bash:

   cerebro ~# ls -l /proc/self/fd
   total 5
   lrwx------ 1 root root 64 Dec  7 00:26 0 -> /dev/pts/6
   lrwx------ 1 root root 64 Dec  7 00:26 1 -> /dev/pts/6
   lrwx------ 1 root root 64 Dec  7 00:26 2 -> /dev/pts/6
   lr-x------ 1 root root 64 Dec  7 00:26 3 -> /proc/5984/fd
   lr-x------ 1 root root 64 Dec  7 00:26 10 -> /localvol/root/.XCompose

from an xterm started from the above window, using bash:

   lr-x------ 1 root root 64 Dec  7 00:11 5 -> /localvol/root/.XCompose
   lr-x------ 1 root root 64 Dec  7 00:11 10 -> /localvol/root/.XCompose

and so on, I get one .XCompose fd per nesting level.

from su nobody started in above xterm:

   lrwx------ 1 nobody nogroup 64 Dec  7 00:27 0 -> /dev/pts/9
   lrwx------ 1 nobody nogroup 64 Dec  7 00:27 1 -> /dev/pts/9
   lr-x------ 1 nobody nogroup 64 Dec  7 00:27 10 -> /localvol/root/.XCompose
   lrwx------ 1 nobody nogroup 64 Dec  7 00:27 2 -> /dev/pts/9
   lr-x------ 1 nobody nogroup 64 Dec  7 00:27 3 -> /proc/6012/fd
   lr-x------ 1 nobody nogroup 64 Dec  7 00:27 5 -> /localvol/root/.XCompose

It is very likely that many programs that change the uid will not care for
the extra fd, as it should not be there in the first place.

The file is fortunately only opened read-only, and the contents of
.XCompose files are usually not very private.

The actual contents of the .XCompose file do not matter: as long as it
exists, libx11 (likely the code in modules/im/ximcp/imLcIm.c) leaks the
fd.

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17.6
Locale: LANG=C, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages libx11-6 depends on:
hi  libc6        2.3.6.ds1-8 GNU C Library: Shared libraries
ii  libx11-data  2:1.0.3-2   X11 client-side library
ii  libxau6      1:1.0.1-2   X11 authorisation library
ii  libxdmcp6    1:1.0.1-2   X11 Display Manager Control Protoc
ii  x11-common   1:7.1.0-6   X Window System (X.Org) infrastruc

libx11-6 recommends no packages.

-- debconf information:
  libx11-6/migrate_xkb_dir: true
