
Bug#661627: marked as done (init script x11-common creates directories in insecure manners)



Your message dated Sat, 03 Mar 2012 18:19:21 +0000
with message-id <E1S3tY9-0001YQ-PF@franck.debian.org>
and subject line Bug#661627: fixed in xorg 1:7.6+12
has caused the Debian Bug report #661627,
regarding init script x11-common creates directories in insecure manners
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
661627: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661627
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: x11-common
Version: 1:7.5+8
Tags: security


The init script "x11-common" creates the directories "/tmp/.X11-unix" and
"/tmp/.ICE-unix" in an insecure manner.

  $ cat -n /etc/init.d/x11-common
    [...]
    33    if [ -e $SOCKET_DIR ] && [ ! -d $SOCKET_DIR ]; then
    34      mv $SOCKET_DIR $SOCKET_DIR.$$
    35    fi
    36    mkdir -p $SOCKET_DIR
    37    chown root:root $SOCKET_DIR
    38    chmod 1777 $SOCKET_DIR
    [...]
    47    if [ -e $ICE_DIR ] && [ ! -d $ICE_DIR ]; then
    48      mv $ICE_DIR $ICE_DIR.$$
    49    fi
    50    mkdir -p $ICE_DIR
    51    chown root:root $ICE_DIR
    52    chmod 1777 $ICE_DIR

If a local user is able to place a symlink before the service starts
(for example before the package installation process), he could gain
root privileges.

For example, the symlink would point to an arbitrary directory (/etc),
so it won't match the conditions (lines 33 and 47) and the arbitrary
directory will get its permissions changed (lines 38 and 52).

As a solution, I would suggest taking care of the "mkdir" return codes
(lines 36 and 50), so as not to change permissions on failure.

Thanks.
--
http://vladz.devzero.fr
PGP key 8F7E2D3C from pgp.mit.edu




--- End Message ---
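A worked reproduction of the report above, added here as an editor's example; it is not part of the original bug report and not the change shipped in xorg 1:7.6+12 (the hardened function is the editor's own suggestion, built on the reporter's advice to act on mkdir's return code). Everything happens in a scratch tree from mktemp so it runs unprivileged: "$work/victim" stands in for /etc, "$work/.X11-unix" for /tmp/.X11-unix, and the chown root:root step is left out because it cannot succeed without root. The function names (vulnerable_setup_dir, safe_setup_dir, attack, legit, world_writable) are the example's own.

```sh
#!/bin/sh
# Constructed demonstration of the x11-common init-script issue
# (CVE-2012-1093): an attacker-placed symlink at the socket-directory
# path is followed by "mkdir -p" and "chmod 1777".  Editor's example,
# not the Debian package's code or fix.
set -u

# The original pattern from /etc/init.d/x11-common (chown omitted so the
# demo runs as an unprivileged user).  "mkdir -p" treats an existing
# directory reached through the symlink as success, so chmod then
# rewrites the permissions of the link target.
vulnerable_setup_dir() {
  dir=$1
  if [ -e "$dir" ] && [ ! -d "$dir" ]; then
    mv "$dir" "$dir.$$"
  fi
  mkdir -p "$dir"
  chmod 1777 "$dir"
}

# Hardened variant (editor's suggestion): refuse symlinks, and only
# chmod a directory this very call created.  A pre-existing path is
# accepted only if it is a real directory owned by the current user.
safe_setup_dir() {
  dir=$1
  if [ -L "$dir" ]; then
    echo "refusing to touch symlink $dir" >&2
    return 1
  fi
  if [ -e "$dir" ] && [ ! -d "$dir" ]; then
    mv "$dir" "$dir.$$" || return 1
  fi
  if mkdir "$dir" 2>/dev/null; then        # no -p: fails if anything exists
    chmod 1777 "$dir" || return 1          # we created it, so chmod is safe
    return 0
  fi
  # mkdir failed because the path exists: verify before trusting it.
  # "ls -ldn" (numeric owner) is used instead of "test -O" to stay portable.
  if [ -d "$dir" ] && [ ! -L "$dir" ] \
     && [ "$(ls -ldn "$dir" | awk '{print $3}')" = "$(id -u)" ]; then
    return 0
  fi
  echo "$dir exists but is not a trusted directory" >&2
  return 1
}

# True if the other-write bit is set on "$1" (POSIX find -perm, no stat -c).
world_writable() {
  [ -n "$(find "$1" -prune -perm -o+w -print 2>/dev/null)" ]
}

# Build a scratch tree with an attacker-placed symlink, run the given
# setup function, and print the resulting state of the stand-in for /etc.
attack() {
  work=$(mktemp -d) || { echo error; return 0; }
  mkdir -m 0700 "$work/victim"                 # stands in for /etc
  ln -s "$work/victim" "$work/.X11-unix"       # attacker's symlink in /tmp
  "$1" "$work/.X11-unix" 2>/dev/null || true
  if world_writable "$work/victim"; then echo world-writable; else echo intact; fi
  rm -rf "$work"
}

# Sanity check: on a clean path the hardened function creates the
# directory mode 1777 and accepts it again on a second, idempotent run.
legit() {
  work=$(mktemp -d) || { echo error; return 0; }
  if safe_setup_dir "$work/.X11-unix" && world_writable "$work/.X11-unix" \
     && safe_setup_dir "$work/.X11-unix"; then
    echo ok
  else
    echo failed
  fi
  rm -rf "$work"
}

echo "vulnerable pattern -> victim is: $(attack vulnerable_setup_dir)"
echo "hardened pattern   -> victim is: $(attack safe_setup_dir)"
echo "hardened pattern on a clean path: $(legit)"
```

Run it with plain sh; the first line reports the stand-in directory as world-writable, the second leaves it intact. The root cause is the -p flag on line 36/50: it makes mkdir succeed when the path resolves to any existing directory, so the script has no way to tell a directory it created from one an attacker pointed it at. Without -p, mkdir fails on a symlink, so checking its return code before chmod closes the hole for the directory-creation path. The existing-directory branch above is still a check-then-use sequence; that is acceptable for a root-owned directory inside a sticky /tmp, where other users cannot rename or unlink it, but it is not a safe pattern in a parent directory that is writable by others and not sticky.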
--- Begin Message ---
Source: xorg
Source-Version: 1:7.6+12

We believe that the bug you reported is fixed in the latest version of
xorg, which is due to be installed in the Debian FTP archive:

x11-common_7.6+12_all.deb
  to main/x/xorg/x11-common_7.6+12_all.deb
xbase-clients_7.6+12_all.deb
  to main/x/xorg/xbase-clients_7.6+12_all.deb
xorg-dev_7.6+12_all.deb
  to main/x/xorg/xorg-dev_7.6+12_all.deb
xorg_7.6+12.dsc
  to main/x/xorg/xorg_7.6+12.dsc
xorg_7.6+12.tar.gz
  to main/x/xorg/xorg_7.6+12.tar.gz
xorg_7.6+12_amd64.deb
  to main/x/xorg/xorg_7.6+12_amd64.deb
xserver-xorg-input-all_7.6+12_amd64.deb
  to main/x/xorg/xserver-xorg-input-all_7.6+12_amd64.deb
xserver-xorg-video-all_7.6+12_amd64.deb
  to main/x/xorg/xserver-xorg-video-all_7.6+12_amd64.deb
xserver-xorg_7.6+12_amd64.deb
  to main/x/xorg/xserver-xorg_7.6+12_amd64.deb
xutils_7.6+12_all.deb
  to main/x/xorg/xutils_7.6+12_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 661627@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Cristau <jcristau@debian.org> (supplier of updated xorg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 03 Mar 2012 18:54:30 +0100
Source: xorg
Binary: x11-common xserver-xorg xserver-xorg-video-all xserver-xorg-input-all xorg xorg-dev xbase-clients xutils
Architecture: source all amd64
Version: 1:7.6+12
Distribution: unstable
Urgency: high
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Julien Cristau <jcristau@debian.org>
Description: 
 x11-common - X Window System (X.Org) infrastructure
 xbase-clients - miscellaneous X clients - metapackage
 xorg       - X.Org X Window System
 xorg-dev   - X.Org X Window System development libraries
 xserver-xorg - X.Org X server
 xserver-xorg-input-all - X.Org X server -- input driver metapackage
 xserver-xorg-video-all - X.Org X server -- output driver metapackage
 xutils     - X Window System utility programs metapackage
Closes: 661627
Changes: 
 xorg (1:7.6+12) unstable; urgency=high
 .
   * Fix unsafe manipulation of /tmp/.X11-unix and /tmp/.ICE-unix in the
     x11-common init script.  A malicious user could trick us into changing
     ownership/permissions of an arbitrary directory, and elevate their
     privileges (closes: #661627).  Reference: CVE-2012-1093.  Thanks to
     "vladz", Tim Morgan and Bernhard R. Link for their help getting this right
     (any remaining bugs are my own).
Checksums-Sha1: 
 c16d4bbe3abfa9eda5c9ebdc5d6920c785e0d323 1957 xorg_7.6+12.dsc
 50d7a6e2bc7026d876de63cec2ba10f0659eb587 922670 xorg_7.6+12.tar.gz
 d5296c059e6d101b063e6923226538e6ecbd30d5 282590 x11-common_7.6+12_all.deb
 cc0e742b5dc5ae1e0670b1b87928e74f22f9bab8 35180 xorg-dev_7.6+12_all.deb
 112ca719b6f1342bbbb19e6a0dd136b86005a3f8 35046 xbase-clients_7.6+12_all.deb
 c564b64d12b585936dd31db85fe5cb8d803d7fc5 34938 xutils_7.6+12_all.deb
 66323afa68848ffde1ad905a078ae9bd7a6602d1 111758 xserver-xorg_7.6+12_amd64.deb
 f94a3700317be4dd6a5c2d6995eb7885568bc421 35014 xserver-xorg-video-all_7.6+12_amd64.deb
 146bf564a8c1f31e7cae0c07e307ed9ee4f098aa 34886 xserver-xorg-input-all_7.6+12_amd64.deb
 2c8a3b15b9db3d8d0646dd3f64104d098f078bdd 35544 xorg_7.6+12_amd64.deb
Checksums-Sha256: 
 5a1a7f6f6f6dccb568f2d70034969fe0ed10ce1724bbee4f587ffa1ab58899a7 1957 xorg_7.6+12.dsc
 759fc337e04e054fbfd19e83b103814a2b8f17cf23b9f45b2143cc82349d3fcb 922670 xorg_7.6+12.tar.gz
 c43c595f43cdd364adfba155dd6b11069a8bfddd17b336dd75107125b2d49faa 282590 x11-common_7.6+12_all.deb
 87e5eb60ef591702e449f02ca442a7c12884ef0aa81ecd49ac9fbcc0e02c9ac5 35180 xorg-dev_7.6+12_all.deb
 e21b4fc5507e0f77baeb6faaad1cb060bfd363594bcfa6fe6f3200bfe708abe7 35046 xbase-clients_7.6+12_all.deb
 176c80426f547750293af1ddc79d062431608c0b07eb5e46b8acb6fda5569d91 34938 xutils_7.6+12_all.deb
 b9d0f15c1e430aa4da8967cc6b382e907364173ade0c4c42b79bf49de8a35fd1 111758 xserver-xorg_7.6+12_amd64.deb
 a08af50ee714fdc05888d213a069a502fbef1001eeb5f9ce52805413160c936c 35014 xserver-xorg-video-all_7.6+12_amd64.deb
 f8b3035213f7cbb4e59f122e29230dda526364804a3694001a17fc3e8e45f393 34886 xserver-xorg-input-all_7.6+12_amd64.deb
 f1cffd91c2b06f41142604309ac4ff0654d076486753197ff930d726c986e5e2 35544 xorg_7.6+12_amd64.deb
Files: 
 9c4a71c8e9a02f99a539b19847c99eab 1957 x11 optional xorg_7.6+12.dsc
 c34c36415287321393cee372de0b7ad4 922670 x11 optional xorg_7.6+12.tar.gz
 9108e934995a8903988c296d891e8d0c 282590 x11 optional x11-common_7.6+12_all.deb
 7c077c84369fe6128278b78d59bbde15 35180 x11 optional xorg-dev_7.6+12_all.deb
 a91712a123a38f985692dc9783c45d19 35046 x11 optional xbase-clients_7.6+12_all.deb
 8eb01663ea708e1c8a2722bcff523373 34938 x11 optional xutils_7.6+12_all.deb
 cad407b409bf329c85558c7689f5fb79 111758 x11 optional xserver-xorg_7.6+12_amd64.deb
 adb4ce79569ed9bbe403daff5ae4ca60 35014 x11 optional xserver-xorg-video-all_7.6+12_amd64.deb
 1372596f7c4c242518e78d967973327c 34886 x11 optional xserver-xorg-input-all_7.6+12_amd64.deb
 c149bbccf4f6b223c286d88222a35ec8 35544 x11 optional xorg_7.6+12_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----



--- End Message ---
