
Bug#635109: xauth: needs cookie handling warnings in man page



package: xauth
severity: normal
version: 1:1.0.6-1
tags: security,patch

Insecure xauth usage has led to a few security bugs (#526678,
#529306, #625868, and probably other instances that haven't been
discovered yet). Man page warnings may guide maintainers toward
more secure usages. See attached patch for a possible solution.

Best wishes,
Mike
diff -u xauth-1.0.6/debian/changelog xauth-1.0.6/debian/changelog
--- xauth-1.0.6/debian/changelog
+++ xauth-1.0.6/debian/changelog
@@ -1,3 +1,9 @@
+xauth (1:1.0.6-1.1) unstable; urgency=low
+
+  * Add insecure cookie handling warnings to xauth man page.
+
+ -- Michael Gilbert <michael.s.gilbert@gmail.com>  Fri, 22 Jul 2011 14:48:17 -0400
+
 xauth (1:1.0.6-1) unstable; urgency=low
 
   * New upstream release.
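Review bot: the changelog entry does not reference this report; Debian changelogs close bugs through the entry itself, so the bullet should read `* Add insecure cookie handling warnings to xauth man page (Closes: #635109).` The version 1:1.0.6-1.1 is an NMU revision, so by convention the entry should also open with `* Non-maintainer upload.`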
only in patch2:
unchanged:
--- xauth-1.0.6.orig/man/xauth.man
+++ xauth-1.0.6/man/xauth.man
@@ -90,6 +90,10 @@
 A protocol name consisting of just a
 single period is treated as an abbreviation for \fIMIT-MAGIC-COOKIE-1\fP.
 
+WARNING: This usage is considered insecure since the secret magic cookie
+will be displayed in command histories and for example the output of ps.
+One should use the "merge" command (as described below) instead.  Pay
+attention to it's warning as well.
 .TP 8
 .B "generate \fIdisplayname protocolname\fP \fR[\fPtrusted|untrusted\fR]\fP"
 .B \fR[\fPtimeout \fIseconds\fP\fR]\fP  \fR[\fPgroup \fIgroup-id\fP\fR]\fP \fR[\fBdata \fIhexdata\fR]
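Review bot: the added paragraph has a typo, `it's` should be `its` in "Pay attention to it's warning as well", and it is dropped in as bare text after a blank line instead of starting with a paragraph macro such as `.PP`, which is the usual way to separate a paragraph in man page source. "This usage" is also ambiguous for a reader who lands on this paragraph directly; name the form it refers to, e.g. "Passing the hexkey on the command line to the add command is considered insecure, since the secret magic cookie will appear in command histories and, for example, in the output of ps."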
@@ -155,6 +159,11 @@
 the \fInmerge\fP command is used, the numeric format given in the description
 of the \fIextract\fP command is used.  If a filename consists of just a single
 dash, the standard input will be read if it hasn't been read before.
+
+WARNING: Be careful with the single dash version as depending on the
+command chain (for example a combination using sudo), the secret key
+could be exposed to prying eyes in command histories and for example
+in the output of ps.
 .TP 8
 .B "remove \fIdisplayname\fR..."
 Authorization entries matching the specified displays are removed from the
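Review bot: the warning points at the wrong thing: reading the file from standard input (the single-dash form) does not by itself put the key into command histories or ps output; the exposure comes from how the key reaches the pipe, i.e. when an earlier command in the chain carries it as a literal argument. Suggest rewording along the lines of "WARNING: When the single-dash form is fed from a pipeline, make sure the command that produces the key does not receive it as a command-line argument, since that argument would appear in command histories and in the output of ps." The `sudo` parenthetical is left unexplained; either say why sudo matters in such a chain or drop it. As in the previous hunk, start the paragraph with `.PP` rather than the bare `+` blank line added at the top of the hunk.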
