[go: up one dir, main page]

oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Fwd: X.Org security advisory: xserver locking code issues

From: Matthieu Herrb <matthieu.herrb () laas fr>
Date: Tue, 18 Oct 2011 19:53:57 +0200
----- Forwarded message from Matthieu Herrb <matthieu.herrb () laas fr> -----

Date: Tue, 18 Oct 2011 16:50:21 +0200
From: Matthieu Herrb <matthieu.herrb () laas fr>
To: xorg-announce () lists freedesktop org
Cc: xorg () lists freedesktop org
Subject: X.Org security advisory: xserver locking code issues

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

X.Org security advisory, October 18, 2011
xserver locking vulnerabilities
CVE IDs: CVE-2011-4028 CVE-2011-4029

Description
- -----------

Two vulnerabilities have been discovered in the code handling the X
server lock, that forbids two X servers from serving the same display
simultaneously.

o CVE-2011-4028 : File disclosure vulnerability:
  It is possible to deduce if a file exists or not by exploiting the
  way that Xorg creates its lock files.

  This is caused by the fact that the X server is behaving differently
  if the lock file already exists as a symbolic link pointing to an
  existing or non-existing file.

o CVE-2011-4029 : File permission change vulnerability:
  It is possible for a non-root user to set the permissions for
  all users on any file or directory to 444, giving unwanted read
  access or causing denies of service (by removing execute permission).
  This is caused by a race between creating the lock file and setting
  its access modes.

Affected Versions
- -----------------

All X.Org Xserver versions are vulnerable to CVE-2011-4028 when
running with root privileges.

X.Org Xserver version 1.4 and later are vulnerable to CVE-2011-4029
when running with root privileges.

Workaround
- ----------

Removing the setuid bit on the Xorg binary (and using a display
manager to start it with controlled parameters) makes the issues
harder to exploit, but not impossible.

Fix
- ---

Those issues have been fixed by the following two git commits:

CVE-2011-4028: 6ba44b91e37622ef8c146d8f2ac92d708a18ed34
http://cgit.freedesktop.org/xorg/xserver/commit/?id=6ba44b91e37622ef8c146d8f2ac92d708a18ed34

CVE-2011-4029: b67581cf825940fdf52bf2e0af4330e695d724a4
http://cgit.freedesktop.org/xorg/xserver/commit/?id=b67581cf825940fdf52bf2e0af4330e695d724a4

A fix of this vulnerability will be included in xserver 1.11.2 and
xserver 1.12.

The X.Org Foundation thanks vladz (http://vladz.devzero.fr) for
bringing this issue to our attention and helping testing the fixes.

- -- 
Matthieu Herrb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEVAwUBTp2SLPee5zRnIoYlAQJRvQf8D1GyyOVHR1KBUUP7L2PiobbLRp1JXPar
iOm24Uk+4vH6arnx1zdmsdCkLVmtJxi3Y6KYgv07NOQUstd1s5rifPiFxCek8T2b
5TNFo1EIxbESh6d29VNi6rkRigK6WVFQiqJj3MbYA4XBqoibi48FG5JQYrjVG6ki
lPmX4pT2pOCYsSQGJPbRNr7Ra4GWj0lYX1ZC72aD1/kFn1I9t04QoPdW7YpG90eI
s1VI8JpqdsRdyQ88AQTytLSKYAveEY5RuouOOe8KfIljtLW+elw5LzBZoE60WVB4
ltZElUNI8neEgeawHm5TnWhvq3ieU7LS5mMZqfDQaZfvc95dS4YdLA==
=LvrS
-----END PGP SIGNATURE-----
_______________________________________________
xorg-announce mailing list
xorg-announce () lists freedesktop org
http://lists.freedesktop.org/mailman/listinfo/xorg-announce

----- End forwarded message -----

-- 
Matthieu Herrb
Previous By Date Next
Previous By Thread Next

Current thread: