Bug#635109: xauth: needs cookie handling warnings in man page
package: xauth
severity: normal
version: 1:1.0.6-1
tags: security,patch
Insecure xauth usage has led to a few security bugs (#526678,
#529306, #625868, and probably other instances that haven't been
discovered yet). Man page warnings may guide maintainers toward
more secure usages. See attached patch for a possible solution.
Best wishes,
Mike
diff -u xauth-1.0.6/debian/changelog xauth-1.0.6/debian/changelog
--- xauth-1.0.6/debian/changelog
+++ xauth-1.0.6/debian/changelog
@@ -1,3 +1,9 @@
+xauth (1:1.0.6-1.1) unstable; urgency=low
+
+ * Add insecure cookie handling warnings to xauth man page.
+
+ -- Michael Gilbert <michael.s.gilbert@gmail.com> Fri, 22 Jul 2011 14:48:17 -0400
+
xauth (1:1.0.6-1) unstable; urgency=low
* New upstream release.
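Review bot: The new 1:1.0.6-1.1 changelog entry does not reference the bug it fixes, so the upload would not close it automatically; append "(Closes: #635109)" to the "Add insecure cookie handling warnings to xauth man page." item. The -1.1 suffix is the non-maintainer upload form, so by Debian convention the entry should also begin with a "* Non-maintainer upload." item.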
only in patch2:
unchanged:
--- xauth-1.0.6.orig/man/xauth.man
+++ xauth-1.0.6/man/xauth.man
@@ -90,6 +90,10 @@
A protocol name consisting of just a
single period is treated as an abbreviation for \fIMIT-MAGIC-COOKIE-1\fP.
+WARNING: This usage is considered insecure since the secret magic cookie
+will be displayed in command histories and for example the output of ps.
+One should use the "merge" command (as described below) instead. Pay
+attention to it's warning as well.
.TP 8
.B "generate \fIdisplayname protocolname\fP \fR[\fPtrusted|untrusted\fR]\fP"
.B \fR[\fPtimeout \fIseconds\fP\fR]\fP \fR[\fPgroup \fIgroup-id\fP\fR]\fP \fR[\fBdata \fIhexdata\fR]
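Review bot: In the WARNING added after the MIT-MAGIC-COOKIE-1 sentence, "This usage" has no clear referent: it directly follows the sentence about the single-period abbreviation, so it reads as if the abbreviation were the insecure part rather than giving the cookie as a command argument. Say explicitly that passing the key on the command line is what exposes it in histories and ps output, start the warning with a .PP request so it renders as its own paragraph, and change "it's warning" to "its warning".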
@@ -155,6 +159,11 @@
the \fInmerge\fP command is used, the numeric format given in the description
of the \fIextract\fP command is used. If a filename consists of just a single
dash, the standard input will be read if it hasn't been read before.
+
+WARNING: Be careful with the single dash version as depending on the
+command chain (for example a combination using sudo), the secret key
+could be exposed to prying eyes in command histories and for example
+in the output of ps.
.TP 8
.B "remove \fIdisplayname\fR..."
Authorization entries matching the specified displays are removed from the
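Review bot: The WARNING added after the single-dash sentence does not say which part of the command chain leaks the key, so a maintainer cannot tell a safe pipeline from an unsafe one. Reading from standard input does not by itself put the key into a history or into ps output; the exposure comes from a command in the chain that receives the key as an argument, so state that the key must not appear in the arguments of any command feeding the dash. The added empty "+" line is also inconsistent with the earlier hunk, which has no break before its warning; a .PP request in both places would be the more conventional form in man source.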