Bug#401956: libx11-6: contents of .XCompose file are leaked to subprocesses (possibly unprivileged)
Package: libx11-6
Version: 2:1.0.3-4
Severity: critical
Tags: security
Justification: root security hole
First of all, I tagged this bug as critical because the description in
reportbug fit, but as the issue is relatively harmless and not directly
caused by libx11, feel free to reprioritise, I will know in the future. I
hope I did the right thing. Thanks - and possibly sorry!
Anyways, libx11 leaks the contents of .XCompose to subprocesses, because it
does not close the file descriptor nor does it set the cloexec flag on the
filehandle. Such leaks are usually very pervasive as few programs care for
fds they did not open.
For example, under a urxvtd terminal window running bash:
cerebro ~# ls -l /proc/self/fd
total 5
lrwx------ 1 root root 64 Dec 7 00:26 0 -> /dev/pts/6
lrwx------ 1 root root 64 Dec 7 00:26 1 -> /dev/pts/6
lrwx------ 1 root root 64 Dec 7 00:26 2 -> /dev/pts/6
lr-x------ 1 root root 64 Dec 7 00:26 3 -> /proc/5984/fd
lr-x------ 1 root root 64 Dec 7 00:26 10 -> /localvol/root/.XCompose
From an xterm started from the above window, using bash:
lr-x------ 1 root root 64 Dec 7 00:11 5 -> /localvol/root/.XCompose
lr-x------ 1 root root 64 Dec 7 00:11 10 -> /localvol/root/.XCompose
And so on: I get one .XCompose fd per nesting level.
From "su nobody" started in the above xterm:
lrwx------ 1 nobody nogroup 64 Dec 7 00:27 0 -> /dev/pts/9
lrwx------ 1 nobody nogroup 64 Dec 7 00:27 1 -> /dev/pts/9
lr-x------ 1 nobody nogroup 64 Dec 7 00:27 10 -> /localvol/root/.XCompose
lrwx------ 1 nobody nogroup 64 Dec 7 00:27 2 -> /dev/pts/9
lr-x------ 1 nobody nogroup 64 Dec 7 00:27 3 -> /proc/6012/fd
lr-x------ 1 nobody nogroup 64 Dec 7 00:27 5 -> /localvol/root/.XCompose
It is very likely that many programs that change the uid will not care for
the extra fd, as it should not be there in the first place.
The file is fortunately only opened read-only, and the contents of
.XCompose files are usually not very private.
The actual contents of the .XCompose file do not matter; as long as it
exists, libx11 (likely the code in modules/im/ximcp/imLcIm.c) leaks the
fd.
-- System Information:
Debian Release: 4.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17.6
Locale: LANG=C, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Versions of packages libx11-6 depends on:
hi libc6 2.3.6.ds1-8 GNU C Library: Shared libraries
ii libx11-data 2:1.0.3-2 X11 client-side library
ii libxau6 1:1.0.1-2 X11 authorisation library
ii libxdmcp6 1:1.0.1-2 X11 Display Manager Control Protoc
ii x11-common 1:7.1.0-6 X Window System (X.Org) infrastruc
libx11-6 recommends no packages.
-- debconf information:
libx11-6/migrate_xkb_dir: true
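
Added example (not part of the original report and not libX11's code): a check for whether a descriptor survives fork()+exec(), together with the two usual mitigations, O_CLOEXEC at open() time and FD_CLOEXEC set afterwards with fcntl(). The function names are hypothetical, and /dev/null stands in for the .XCompose file.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for the library opening ~/.XCompose (constructed, not libX11 code).
 * cloexec != 0 sets close-on-exec atomically at open() time. */
int open_compose(const char *path, int cloexec)
{
    return open(path, O_RDONLY | (cloexec ? O_CLOEXEC : 0));
}

/* Retrofit for a descriptor that is already open, e.g. fileno() of a stream. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* 1 if fd is still open in a fork()+exec()ed child, 0 if the kernel closed
 * it at exec, -1 on error. Checks /proc/self/fd as the report does (Linux). */
int fd_survives_exec(int fd)
{
    char cmd[64];
    int status;
    snprintf(cmd, sizeof cmd, "[ -L /proc/self/fd/%d ]", fd);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                      /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) > 1)
        return -1;
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    int leaky = open_compose("/dev/null", 0);   /* /dev/null: sample file */
    int safe  = open_compose("/dev/null", 1);
    printf("plain open():  survives exec = %d\n", fd_survives_exec(leaky));
    printf("O_CLOEXEC:     survives exec = %d\n", fd_survives_exec(safe));
    set_cloexec(leaky);
    printf("after F_SETFD: survives exec = %d\n", fd_survives_exec(leaky));
    return 0;
}
```

Setting the flag at open() time avoids the window in which another thread can fork() between open() and fcntl().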