
Bug#401956: libx11-6: contents of .XCompose file are leaked to subprocesses (possibly unprivileged)



Package: libx11-6
Version: 2:1.0.3-4
Severity: critical
Tags: security
Justification: root security hole


First of all, I tagged this bug as critical because the description in
reportbug fit, but as the issue is relatively harmless and not directly
caused by libx11, feel free to reprioritise, I will know in the future. I
hope I did the right thing. Thanks - and possibly sorry!

Anyways, libx11 leaks the contents of .XCompose to subprocesses, because it
does not close the file descriptor nor does it set the cloexec flag on the
filehandle. Such leaks are usually very pervasive as few programs care for
fds they did not open.

For example, under a urxvtd terminal window running bash:

   cerebro ~# ls -l /proc/self/fd
   total 5
   lrwx------ 1 root root 64 Dec  7 00:26 0 -> /dev/pts/6
   lrwx------ 1 root root 64 Dec  7 00:26 1 -> /dev/pts/6
   lrwx------ 1 root root 64 Dec  7 00:26 2 -> /dev/pts/6
   lr-x------ 1 root root 64 Dec  7 00:26 3 -> /proc/5984/fd
   lr-x------ 1 root root 64 Dec  7 00:26 10 -> /localvol/root/.XCompose

From an xterm started from the above window, using bash:

   lr-x------ 1 root root 64 Dec  7 00:11 5 -> /localvol/root/.XCompose
   lr-x------ 1 root root 64 Dec  7 00:11 10 -> /localvol/root/.XCompose

and so on, I get one .XCompose fd per nesting level.

From "su nobody" started in the above xterm:

   lrwx------ 1 nobody nogroup 64 Dec  7 00:27 0 -> /dev/pts/9
   lrwx------ 1 nobody nogroup 64 Dec  7 00:27 1 -> /dev/pts/9
   lr-x------ 1 nobody nogroup 64 Dec  7 00:27 10 -> /localvol/root/.XCompose
   lrwx------ 1 nobody nogroup 64 Dec  7 00:27 2 -> /dev/pts/9
   lr-x------ 1 nobody nogroup 64 Dec  7 00:27 3 -> /proc/6012/fd
   lr-x------ 1 nobody nogroup 64 Dec  7 00:27 5 -> /localvol/root/.XCompose

It is very likely that many programs that change the uid will not care for
the extra fd, as it should not be there in the first place.

The file is fortunately only opened read-only, and the contents of
.XCompose files are usually not very private.

The actual contents of the .XCompose file do not matter: as long as it
exists, libx11 (likely the code in modules/im/ximcp/imLcIm.c) leaks the
fd.

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17.6
Locale: LANG=C, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages libx11-6 depends on:
hi  libc6                        2.3.6.ds1-8 GNU C Library: Shared libraries
ii  libx11-data                  2:1.0.3-2   X11 client-side library
ii  libxau6                      1:1.0.1-2   X11 authorisation library
ii  libxdmcp6                    1:1.0.1-2   X11 Display Manager Control Protoc
ii  x11-common                   1:7.1.0-6   X Window System (X.Org) infrastruc

libx11-6 recommends no packages.

-- debconf information:
  libx11-6/migrate_xkb_dir: true
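
The inheritance behaviour described in the report, as an added example (not part of the original report and not libx11 code): a descriptor opened with a plain open() survives fork+exec, while one marked FD_CLOEXEC with fcntl() does not. The names PROBE_FD, open_at_probe_fd and fd_survives_exec are hypothetical, and /dev/null stands in for ~/.XCompose.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define PROBE_FD 9  /* single digit so any POSIX sh can name it in a redirection */

/* Open path read-only at PROBE_FD, as a library would open ~/.XCompose.
 * With set_cloexec the descriptor is marked close-on-exec via fcntl(). */
static int open_at_probe_fd(const char *path, int set_cloexec)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (fd != PROBE_FD) {
        if (dup2(fd, PROBE_FD) < 0) { close(fd); return -1; }
        close(fd);
    }
    if (set_cloexec && fcntl(PROBE_FD, F_SETFD, FD_CLOEXEC) < 0) { close(PROBE_FD); return -1; }
    return PROBE_FD;
}

/* 1 if PROBE_FD is still open in a fork+exec'd shell, 0 if not, -1 on error. */
int fd_survives_exec(const char *path, int set_cloexec)
{
    char cmd[16];
    int status, fd = open_at_probe_fd(path, set_cloexec);
    if (fd < 0) return -1;
    snprintf(cmd, sizeof cmd, ": <&%d", fd);   /* redirection fails if fd is closed */
    pid_t pid = fork();
    if (pid == 0) {
        close(2);                               /* silence the shell's error text */
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                             /* exec itself failed */
    }
    close(fd);
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    if (WEXITSTATUS(status) == 127) return -1;
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    /* /dev/null stands in for ~/.XCompose (constructed input). */
    printf("plain open():    inherited=%d\n", fd_survives_exec("/dev/null", 0));
    printf("with FD_CLOEXEC: inherited=%d\n", fd_survives_exec("/dev/null", 1));
    return 0;
}
```

A process that drops privileges before exec can apply the same check to every entry in /proc/self/fd above 2 to confirm nothing unexpected is passed on.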


