Debian Bug report logs - #526678
Passes magic cookie insecurity

version graph

Package: xvfb; Maintainer for xvfb is Debian X Strike Force <debian-x@lists.debian.org>; Source for xvfb is src:xorg-server.

Reported by: Loïc Minier <lool@dooz.org>

Date: Sat, 2 May 2009 16:21:01 UTC

Severity: normal

Tags: security

Found in version xorg-server/2:1.6.1-1

Fixed in version xorg-server/2:1.6.1.901-3

Done: Julien Cristau <jcristau@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#526678; Package xvfb. (Sat, 02 May 2009 16:21:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Loïc Minier <lool@dooz.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian X Strike Force <debian-x@lists.debian.org>. (Sat, 02 May 2009 16:21:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Loïc Minier <lool@dooz.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Passes magic cookie insecurity
Date: Sat, 2 May 2009 17:57:24 +0200
Package: xvfb
Version: 2:1.6.1-1
Severity: normal
File: /usr/bin/xvfb-run
Tags: security

        Hi

 xvfb-run does:

# Start Xvfb.
MCOOKIE=$(mcookie)
XAUTHORITY=$AUTHFILE xauth add ":$SERVERNUM" "$XAUTHPROTO" "$MCOOKIE" \
  >"$ERRORFILE" 2>&1

 which is insecure as the MCOOKIE value can be seen for a split second
 in the list of processes.

 I think "xauth source -" or a similar construct should be used.

   Bye

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.29-1-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages xvfb depends on:
ii  libaudit0    1.7.13-1                    Dynamic library for security audit
ii  libc6        2.9-9                       GNU C Library: Shared libraries
ii  libdbus-1-3  1.2.12-1                    simple interprocess messaging syst
ii  libfontenc1  1:1.0.4-3                   X11 font encoding library
ii  libgcrypt11  1.4.4-2                     LGPL Crypto library - runtime libr
ii  libhal1      0.5.12~git20090406.46dc48-2 Hardware Abstraction Layer - share
ii  libpixman-1- 0.14.0-1                    pixel-manipulation library for X a
ii  libselinux1  2.0.71-1                    SELinux shared libraries
ii  libxau6      1:1.0.4-2                   X11 authorisation library
ii  libxdmcp6    1:1.0.2-3                   X11 Display Manager Control Protoc
ii  libxfont1    1:1.4.0-1                   X11 font rasterisation library
ii  xserver-comm 2:1.6.1-1                   common files used by various X ser

Versions of packages xvfb recommends:
ii  xauth                         1:1.0.3-2  X authentication utility
ii  xfonts-base                   1:1.0.0-6  standard fonts for X

xvfb suggests no packages.

-- no debconf information

-- 
Loïc Minier




Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#526678; Package xvfb. (Thu, 14 May 2009 19:06:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. (Thu, 14 May 2009 19:06:05 GMT) Full text and rfc822 format available.

Message #10 received at 526678@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: Loïc Minier <lool@dooz.org>, 526678@bugs.debian.org
Subject: Re: Bug#526678: Passes magic cookie insecurity
Date: Thu, 14 May 2009 21:04:33 +0200
On Sat, May  2, 2009 at 17:57:24 +0200, Loïc Minier wrote:

> # Start Xvfb.
> MCOOKIE=$(mcookie)
> XAUTHORITY=$AUTHFILE xauth add ":$SERVERNUM" "$XAUTHPROTO" "$MCOOKIE" \
>   >"$ERRORFILE" 2>&1
> 
>  which is insecure as the MCOOKIE value can be seen for a split second
>  in the list of processes.
> 
>  I think "xauth source -" or a similar construct should be used.
> 
Can I get another pair of eyes before I commit this?

Also I don't quite like the fact that we use /tmp/xvfb-run.$$ as a temp
dir instead of using something like 'mktemp -t -d xvfb-run.XXXXXX'.

diff --git a/debian/local/xvfb-run b/debian/local/xvfb-run
index c85f86a..b11130a 100644
--- a/debian/local/xvfb-run
+++ b/debian/local/xvfb-run
@@ -157,8 +157,9 @@ fi
 
 # Start Xvfb.
 MCOOKIE=$(mcookie)
-XAUTHORITY=$AUTHFILE xauth add ":$SERVERNUM" "$XAUTHPROTO" "$MCOOKIE" \
-  >>"$ERRORFILE" 2>&1
+XAUTHORITY=$AUTHFILE xauth source - << EOF >>"$ERRORFILE" 2>&1
+add :$SERVERNUM $XAUTHPROTO $MCOOKIE
+EOF
 XAUTHORITY=$AUTHFILE Xvfb ":$SERVERNUM" $XVFBARGS $LISTENTCP >>"$ERRORFILE" \
   2>&1 &
 XVFBPID=$!

Cheers,
Julien




Tags added: pending Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Thu, 14 May 2009 22:00:02 GMT) Full text and rfc822 format available.

Reply sent to Julien Cristau <jcristau@debian.org>:
You have taken responsibility. (Tue, 23 Jun 2009 18:30:05 GMT) Full text and rfc822 format available.

Notification sent to Loïc Minier <lool@dooz.org>:
Bug acknowledged by developer. (Tue, 23 Jun 2009 18:30:06 GMT) Full text and rfc822 format available.

Message #17 received at 526678-close@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: 526678-close@bugs.debian.org
Subject: Bug#526678: fixed in xorg-server 2:1.6.1.901-3
Date: Tue, 23 Jun 2009 18:18:13 +0000
Source: xorg-server
Source-Version: 2:1.6.1.901-3

We believe that the bug you reported is fixed in the latest version of
xorg-server, which is due to be installed in the Debian FTP archive:

xdmx-tools_1.6.1.901-3_i386.deb
  to pool/main/x/xorg-server/xdmx-tools_1.6.1.901-3_i386.deb
xdmx_1.6.1.901-3_i386.deb
  to pool/main/x/xorg-server/xdmx_1.6.1.901-3_i386.deb
xnest_1.6.1.901-3_i386.deb
  to pool/main/x/xorg-server/xnest_1.6.1.901-3_i386.deb
xorg-server_1.6.1.901-3.diff.gz
  to pool/main/x/xorg-server/xorg-server_1.6.1.901-3.diff.gz
xorg-server_1.6.1.901-3.dsc
  to pool/main/x/xorg-server/xorg-server_1.6.1.901-3.dsc
xserver-common_1.6.1.901-3_all.deb
  to pool/main/x/xorg-server/xserver-common_1.6.1.901-3_all.deb
xserver-xephyr_1.6.1.901-3_i386.deb
  to pool/main/x/xorg-server/xserver-xephyr_1.6.1.901-3_i386.deb
xserver-xfbdev_1.6.1.901-3_i386.deb
  to pool/main/x/xorg-server/xserver-xfbdev_1.6.1.901-3_i386.deb
xserver-xorg-core-dbg_1.6.1.901-3_i386.deb
  to pool/main/x/xorg-server/xserver-xorg-core-dbg_1.6.1.901-3_i386.deb
xserver-xorg-core_1.6.1.901-3_i386.deb
  to pool/main/x/xorg-server/xserver-xorg-core_1.6.1.901-3_i386.deb
xserver-xorg-dev_1.6.1.901-3_i386.deb
  to pool/main/x/xorg-server/xserver-xorg-dev_1.6.1.901-3_i386.deb
xvfb_1.6.1.901-3_i386.deb
  to pool/main/x/xorg-server/xvfb_1.6.1.901-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 526678@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Cristau <jcristau@debian.org> (supplier of updated xorg-server package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 23 Jun 2009 19:52:10 +0200
Source: xorg-server
Binary: xserver-xorg-core xserver-xorg-dev xdmx xdmx-tools xnest xvfb xserver-xephyr xserver-xfbdev xserver-xorg-core-dbg xserver-common
Architecture: source all i386
Version: 2:1.6.1.901-3
Distribution: unstable
Urgency: low
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Julien Cristau <jcristau@debian.org>
Description: 
 xdmx       - distributed multihead X server
 xdmx-tools - Distributed Multihead X tools
 xnest      - Nested X server
 xserver-common - common files used by various X servers
 xserver-xephyr - nested X server
 xserver-xfbdev - Linux framebuffer device tiny X server
 xserver-xorg-core - Xorg X server - core server
 xserver-xorg-core-dbg - Xorg - the X.Org X server (debugging symbols)
 xserver-xorg-dev - Xorg X server - development files
 xvfb       - Virtual Framebuffer 'fake' X server
Closes: 508476 526678
Changes: 
 xorg-server (2:1.6.1.901-3) unstable; urgency=low
 .
   [ Julien Cristau ]
   * xvfb-run: don't pass the magic cookie to xauth on the command line
     (CVE-2009-1573; closes: #526678).  Thanks, Loïc Minier!
   * xvfb-run: use mktemp to create the temporary directory.
   * Change default for ExaOptimizeMigration to false.  This option still
     causes visual corruption in some cases.  Thanks, Michel Dänzer!
   * Only include hal info for keyboards, mice, touchpads and tablets in the
     bug script.
   * In the bug script, grep dmesg for agp in addition to drm.
   * Add patch stolen from Fedora to disable the fbdev driver when it's loaded
     together with a PCI or SBUS driver, instead of calling FatalError (closes:
     #508476).
   * Add patch stolen from Fedora to try and detect the primary PCI device by
     mapping the legacy VGA bios and comparing the vendor and device ids.
     Previously if there was more than one VGA device and the config didn't
     specify BusIDs, the server would just fail to start, so this hack should
     improve things.
   * Update configure options:
     + use --enable-xvfb instead of --enable-vfb
     + drop --disable-builtin-fonts, --enable-xtrap, --disable-kdrive-vesa,
       --disable-lbx, --disable-xprint, --disable-xorgconfig, --disable-xorgcfg
       which don't exist anymore
     + use --disable-config-hal and --disable-dri on hurd-i386
     + reorder options to match configure.ac, and use explicit
       --enable/--disable instead of using the defaults / autodetection
   * Don't recommend xfonts-base.  libXfont provides builtin versions of the
     fixed and cursor fonts, which are the only required ones.  Keep xfonts-*
     packages in Suggests for xserver-xorg-core.
   * Bump Standards-Version to 3.8.2 now that we have README.source.
   * Drop Build-Conflicts on xlibs-static-dev; it's only in oldstable at this
     point.
   * Pull from upstream server-1.6-branch as of June 23rd (commit dbac41b).
   * Bump build-dep on dri2proto to 2.1 for new protocol.
   * Bump build-dep on libselinux1-dev to 2.0.80 for avc_netlink_acquire_fd.
 .
   [ David Nusinow ]
   * Add README.source
Checksums-Sha1: 
 259115805767312e0f1d6005723bfca10f7ddc99 3204 xorg-server_1.6.1.901-3.dsc
 7c5e6da1988058b1c910f7faa03efa1cfe771fc3 97042 xorg-server_1.6.1.901-3.diff.gz
 544f1da97d8c1b8e8fee7dc7cc7b690cf146c372 50778 xserver-common_1.6.1.901-3_all.deb
 aa6145172ca2d81a92498a3ce748a4304da78a56 2166936 xserver-xorg-core_1.6.1.901-3_i386.deb
 7a4aa5cbeabc73781fd160f1621db8ebb2bdeaa3 980812 xserver-xorg-dev_1.6.1.901-3_i386.deb
 16c4711be1deb0f87a6c2abe1db134fe4527e265 1479550 xdmx_1.6.1.901-3_i386.deb
 644d3642409e285baea3c3a6525daf9583bb1c79 798950 xdmx-tools_1.6.1.901-3_i386.deb
 b01cf1a6330629076707a3dc1befdb1fbcfc7b8b 1387350 xnest_1.6.1.901-3_i386.deb
 c9afd9f1f3cad142cc61e22994702ee476bf7479 1496816 xvfb_1.6.1.901-3_i386.deb
 f754c3bb301252d037d8d79ac6a26d6d475cc1e8 1569520 xserver-xephyr_1.6.1.901-3_i386.deb
 67bf96562b8ee21a2ef65ba5c5204b4b5937d318 1521140 xserver-xfbdev_1.6.1.901-3_i386.deb
 bc9857851e49138ceec1496834b75031e8a029fd 6122726 xserver-xorg-core-dbg_1.6.1.901-3_i386.deb
Checksums-Sha256: 
 157f674679e92145a7d5b19859111ffa309f18ef76c48d377057bcac7d9e19d1 3204 xorg-server_1.6.1.901-3.dsc
 4f6fc25ab2c318d98c5e68bb7652f1fc28032987e6025e4737329f2b2da2acc2 97042 xorg-server_1.6.1.901-3.diff.gz
 cfe75e625ac04816849b2210327c32cc56b374d93280346006747fa2d560bd88 50778 xserver-common_1.6.1.901-3_all.deb
 2e5260a3cd9d88d4c65ca002f044470fac5780dcd9e0a1e0e9a5069245c88ff1 2166936 xserver-xorg-core_1.6.1.901-3_i386.deb
 6609b2cf6a8eedbc1f4f63aafce453a80ef1a9790fa0c6e2dd9aa401e4b58449 980812 xserver-xorg-dev_1.6.1.901-3_i386.deb
 0bdc6500de6343baea445acfc620baa109e146fe441b3dfa3e2293f19ec40b37 1479550 xdmx_1.6.1.901-3_i386.deb
 b08696601bb7b3b46f4a8fbe82003fe5d4e9553efff7ca5ac9922d8c08bc0c9c 798950 xdmx-tools_1.6.1.901-3_i386.deb
 fd1a5229109985d6e1bf714ea99528076f1e979740ce2b1f67eba8706410d2f6 1387350 xnest_1.6.1.901-3_i386.deb
 2f324ff3cb29ad535d6cc955b4b82059c6a6649dc9f0a4f09c8ac71bf83a018d 1496816 xvfb_1.6.1.901-3_i386.deb
 2af1812c255deb49010d3ad187b4dad24c742ebe3b7b34cae60a700ae8a40cb9 1569520 xserver-xephyr_1.6.1.901-3_i386.deb
 7208db871d9ef90df71bd50df318d2a60d1f043fdaae9604fde6ace19237c36d 1521140 xserver-xfbdev_1.6.1.901-3_i386.deb
 4fd691c550a72291937ce34d4943e9fa10b072736f6e72839196d6c888be14f7 6122726 xserver-xorg-core-dbg_1.6.1.901-3_i386.deb
Files: 
 32db857aba7a30bb5962c506a5d1e413 3204 x11 optional xorg-server_1.6.1.901-3.dsc
 d3e8ea9086b72ed899469511555837be 97042 x11 optional xorg-server_1.6.1.901-3.diff.gz
 cf77d53ad16398d1e1bdbfc456b232f6 50778 x11 optional xserver-common_1.6.1.901-3_all.deb
 078080f218d96994bb4facc4a31bf0fe 2166936 x11 optional xserver-xorg-core_1.6.1.901-3_i386.deb
 de758b8eda9f131b692b7533c72b7d28 980812 x11 optional xserver-xorg-dev_1.6.1.901-3_i386.deb
 74fa94aa4eb5be1d7b941c9437e04c37 1479550 x11 optional xdmx_1.6.1.901-3_i386.deb
 2659971fd14095f16b0e092f748d163f 798950 x11 optional xdmx-tools_1.6.1.901-3_i386.deb
 96ebd29110f1c5af33f061a2c669b879 1387350 x11 optional xnest_1.6.1.901-3_i386.deb
 ea2ee66487325922b269a61d4edad82b 1496816 x11 optional xvfb_1.6.1.901-3_i386.deb
 fbb5766b0f18b596c11e3cdf97d73509 1569520 x11 optional xserver-xephyr_1.6.1.901-3_i386.deb
 5d824e782968a87a2c1f3e24edf34869 1521140 x11 optional xserver-xfbdev_1.6.1.901-3_i386.deb
 291747ba266d28a5878e94979b09fb60 6122726 debug extra xserver-xorg-core-dbg_1.6.1.901-3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkpBGOIACgkQmEvTgKxfcAyJegCgkLDKb0ZNXvHAc1lusJLRxhYv
81gAoMkQz9IzagPkKgKsC6E8xagYVy0K
=IQrI
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 25 Jul 2009 07:36:28 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 03:23:57 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.