
Bug#652249: marked as done (bypass default security level of the X wrapper)



Your message dated Mon, 19 Dec 2011 20:04:55 +0000
with message-id <E1RcjSB-0003PT-Na@franck.debian.org>
and subject line Bug#652249: fixed in xorg 1:7.5+8+squeeze1
has caused the Debian Bug report #652249,
regarding bypass default security level of the X wrapper
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
652249: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652249
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: xserver-xorg
Version: 1:7.5+8
Severity: important
Tags: security


By default, the wrapper's configuration file only allows a user who has a
controlling TTY (console) to start the X server with root privileges:

  # cat /etc/X11/Xwrapper.config
  [...]
  allowed_users=console

To determine if a user is controlling a TTY, the code checks the
properties of the file connected to its standard input:

  $ cat -n debian/local/xserver-wrapper.c
  [...]
  152 static int
  153 onConsole()
  154 {
  155 #if defined(__linux__)
  156   struct stat s;
  157
  158   /* see if stdin is a virtual console device */
  159   if (fstat(0, &s) != 0) {
  160     (void) fprintf(stderr, "X: cannot stat stdin\n");
  161     return FALSE;
  162   }
  163   if (S_ISCHR(s.st_mode) &&
  164         ((((s.st_rdev >> 8) & 0xff) == TTY_MAJOR_DEV &&
  165           (s.st_rdev & 0xff) < 64) ||
  166         (((s.st_rdev >> 8) & 0xff) == ALT_TTY_MAJOR_DEV &&
  167           (s.st_rdev & 0xff) < 64)
  168         )) {
  169     return TRUE;
  170   }

As seen, this is done by checking if this file:

  - is a character device [line 163]
  - has a TTY-specific major number (TTY_MAJOR_DEV or ALT_TTY_MAJOR_DEV,
    respectively 4 or 5) [lines 164, 166]
  - has a minor number lower than 64 [lines 165, 167]

Unfortunately, by connecting a file with similar properties to its
stdin, a user can mislead the X wrapper and launch the X server.  This
file also needs to be readable by the user.

For instance, files "/dev/tty" and "/dev/ptmx" match those conditions:

  $ ls -l /dev/tty /dev/ptmx
  crw-rw-rw- 1 root root 5, 2 14 déc.  18:43 /dev/ptmx
  crw-rw-rw- 1 root root 5, 0 12 déc.  23:03 /dev/tty

Here is a quick PoC by using "/dev/tty":

  $ ssh remote_host
  $ id
  uid=1000(vladz) gid=1000(vladz) groups=1000(vladz)
  $ tty
  /dev/pts/4   // not a TTY, won't have sufficient permissions to start X
  $ X :1
  X: user not authorized to run the X server, aborting.

  // This was the expected result, now let's connect "/dev/tty" to stdin and
  // retry...

  $ exec 0</dev/tty; X :1; exec 0</dev/pts/4
  [... Xorg starts ...]    // start succeeded!

This being said, this is a minor issue, but the attack against
CVE-2011-4029[1], which allows setting the read permission on any arbitrary
file, can now be launched from remote sessions and not even from a TTY.  It
becomes urgent to fix it.

  [1] http://security-tracker.debian.org/tracker/CVE-2011-4029

Thanks,
vladz. 

-- 
http://vladz.devzero.fr
PGP key 8F7E2D3C from pgp.mit.edu




--- End Message ---
--- Begin Message ---
Source: xorg
Source-Version: 1:7.5+8+squeeze1

We believe that the bug you reported is fixed in the latest version of
xorg, which is due to be installed in the Debian FTP archive:

libglu1-xorg-dev_7.5+8+squeeze1_all.deb
  to main/x/xorg/libglu1-xorg-dev_7.5+8+squeeze1_all.deb
libglu1-xorg_7.5+8+squeeze1_all.deb
  to main/x/xorg/libglu1-xorg_7.5+8+squeeze1_all.deb
x11-common_7.5+8+squeeze1_all.deb
  to main/x/xorg/x11-common_7.5+8+squeeze1_all.deb
xbase-clients_7.5+8+squeeze1_all.deb
  to main/x/xorg/xbase-clients_7.5+8+squeeze1_all.deb
xlibmesa-gl-dev_7.5+8+squeeze1_all.deb
  to main/x/xorg/xlibmesa-gl-dev_7.5+8+squeeze1_all.deb
xlibmesa-gl_7.5+8+squeeze1_all.deb
  to main/x/xorg/xlibmesa-gl_7.5+8+squeeze1_all.deb
xlibmesa-glu_7.5+8+squeeze1_all.deb
  to main/x/xorg/xlibmesa-glu_7.5+8+squeeze1_all.deb
xorg-dev_7.5+8+squeeze1_all.deb
  to main/x/xorg/xorg-dev_7.5+8+squeeze1_all.deb
xorg_7.5+8+squeeze1.dsc
  to main/x/xorg/xorg_7.5+8+squeeze1.dsc
xorg_7.5+8+squeeze1.tar.gz
  to main/x/xorg/xorg_7.5+8+squeeze1.tar.gz
xorg_7.5+8+squeeze1_amd64.deb
  to main/x/xorg/xorg_7.5+8+squeeze1_amd64.deb
xserver-xorg-input-all_7.5+8+squeeze1_amd64.deb
  to main/x/xorg/xserver-xorg-input-all_7.5+8+squeeze1_amd64.deb
xserver-xorg-video-all_7.5+8+squeeze1_amd64.deb
  to main/x/xorg/xserver-xorg-video-all_7.5+8+squeeze1_amd64.deb
xserver-xorg_7.5+8+squeeze1_amd64.deb
  to main/x/xorg/xserver-xorg_7.5+8+squeeze1_amd64.deb
xutils_7.5+8+squeeze1_all.deb
  to main/x/xorg/xutils_7.5+8+squeeze1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 652249@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Cristau <jcristau@debian.org> (supplier of updated xorg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 16 Dec 2011 19:54:40 +0100
Source: xorg
Binary: x11-common xserver-xorg xserver-xorg-video-all xserver-xorg-input-all xorg xorg-dev xlibmesa-gl xlibmesa-gl-dev xlibmesa-glu libglu1-xorg libglu1-xorg-dev xbase-clients xutils
Architecture: source all amd64
Version: 1:7.5+8+squeeze1
Distribution: squeeze-security
Urgency: low
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Julien Cristau <jcristau@debian.org>
Description: 
 libglu1-xorg - transitional package for Debian etch
 libglu1-xorg-dev - transitional package for Debian etch
 x11-common - X Window System (X.Org) infrastructure
 xbase-clients - miscellaneous X clients - metapackage
 xlibmesa-gl - transitional package for Debian etch
 xlibmesa-gl-dev - transitional package for Debian etch
 xlibmesa-glu - transitional package for Debian etch
 xorg       - X.Org X Window System
 xorg-dev   - the X.Org X Window System development libraries
 xserver-xorg - the X.Org X server
 xserver-xorg-input-all - the X.Org X server -- input driver metapackage
 xserver-xorg-video-all - the X.Org X server -- output driver metapackage
 xutils     - X Window System utility programs metapackage
Closes: 652249
Changes: 
 xorg (1:7.5+8+squeeze1) squeeze-security; urgency=low
 .
   * xserver-wrapper: when we drop privileges, don't forget to also reset
     effective group id, since we're installed setgid root.
   * xserver-wrapper: revert change to allow devices with major 5 as consoles.
     This includes things like /dev/tty and /dev/ptmx, which are
     world-readable (closes: #652249).  Thanks to vladz for the report.
     Reference: CVE-2011-4613.



--- End Message ---
