Bug#324768: xserver-xorg: Add an XKBPATH environment variable to specify alternate XKB data location
On Thu, Oct 06, 2005 at 03:15:52AM +1000, Daniel Stone wrote:
> On Wed, Aug 24, 2005 at 12:13:19AM +0200, Denis Barbier wrote:
> > In order to ease migration from xlibs to xkeyboard-config, an option
> > is to install xkeyboard-config files under another directory, so
> > that xlibs and xkeyboard-config can be installed simultaneously.
> > The selection between xlibs and xkeyboard-config data files could
> > be made when X starts by adding a new XKBPATH environment variable.
> >
> > Here is a patch implementing this feature; I am unable for now to
> > test it due to lack of CPU and disk resources, and will be grateful
> > if someone could test it.
> >
> > If you XSF guys decide eventually to replace xlibs by xkeyboard-config,
> > this hack can be removed, but until then it would really help to
> > install xkeyboard-config on Debian systems.
>
> To be honest, I'm somewhat concerned about this patch: the XKB code is,
> ah, how to put it -- not incredibly robust or auditable. Combined with
> XKBPATH, allowing anyone to use their own arbitrary files, and the X
> server being suid root, this is effectively a local root exploit if
> someone can manage to exploit the gaping holes all through the XKB code
> (if you don't believe me, ask me in private, and I can point you to the
> most horrific examples).
>
> Already I can think of one possible shell injection attack, as well as
> a couple of buffer overflows, that this might enable.
One can already write any arbitrary evil.map file and run
$ xkbcomp evil.map :0
to have it parsed by the X server, or run
$ setxkbmap -I/path/to/evil/files
so does this XKBPATH stuff really add new vulnerabilities?
Denis
Reply to: