[Secure-testing-team] Bug#526678: Passes magic cookie insecurity
Loïc Minier
lool at dooz.org
Sat May 2 15:57:24 UTC 2009
Package: xvfb
Version: 2:1.6.1-1
Severity: normal
File: /usr/bin/xvfb-run
Tags: security
Hi
xvfb-run does:
# Start Xvfb.
MCOOKIE=$(mcookie)
XAUTHORITY=$AUTHFILE xauth add ":$SERVERNUM" "$XAUTHPROTO" "$MCOOKIE" \
>"$ERRORFILE" 2>&1
which is insecure as the MCOOKIE value can be seen for a split second
in the list of processes.
I think "xauth source -" or a similar construct should be used.
Bye
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.29-1-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages xvfb depends on:
ii libaudit0 1.7.13-1 Dynamic library for security audit
ii libc6 2.9-9 GNU C Library: Shared libraries
ii libdbus-1-3 1.2.12-1 simple interprocess messaging syst
ii libfontenc1 1:1.0.4-3 X11 font encoding library
ii libgcrypt11 1.4.4-2 LGPL Crypto library - runtime libr
ii libhal1 0.5.12~git20090406.46dc48-2 Hardware Abstraction Layer - share
ii libpixman-1- 0.14.0-1 pixel-manipulation library for X a
ii libselinux1 2.0.71-1 SELinux shared libraries
ii libxau6 1:1.0.4-2 X11 authorisation library
ii libxdmcp6 1:1.0.2-3 X11 Display Manager Control Protoc
ii libxfont1 1:1.4.0-1 X11 font rasterisation library
ii xserver-comm 2:1.6.1-1 common files used by various X ser
Versions of packages xvfb recommends:
ii xauth 1:1.0.3-2 X authentication utility
ii xfonts-base 1:1.0.0-6 standard fonts for X
xvfb suggests no packages.
-- no debconf information
--
Loïc Minier
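The exposure described in the report, and the stdin-based alternative it suggests, as an added example that is neither the xvfb-run script nor code from this message. It assumes a POSIX sh on Linux (falling back to `ps` where /proc is absent), uses a constructed display number and auth file path, and only the last function needs xauth installed.

```sh
#!/bin/sh
# Added example (not the xvfb-run script): shows why a secret passed in argv is
# observable by other processes and how to hand it to xauth over stdin instead.
# The auth file path and display number below are constructed for illustration.

# 128-bit hex cookie of the same shape as mcookie(1) output, without needing it.
make_cookie() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Script run inside a child shell: print that shell's own argument list.
# Anything visible here is what "ps" or /proc/<pid>/cmdline shows to every
# user on the host for as long as the process lives. $$ is expanded by the
# child, so the probe reads the child's argv and not that of tr/ps itself.
ARGV_PROBE='if [ -r /proc/$$/cmdline ]; then tr "\0" " " </proc/$$/cmdline; else ps -o args= -p $$; fi'

# Insecure pattern quoted in the report: the cookie is an argv element.
argv_with_cookie_as_argument() {
    sh -c "$ARGV_PROBE" sh add ":99" "$1"
}

# Hardened pattern: the cookie travels on stdin; argv holds only "source -".
argv_with_cookie_on_stdin() {
    printf 'add :99 . %s\n' "$1" | sh -c "$ARGV_PROBE; cat >/dev/null" sh source -
}

# Drop-in replacement for the quoted xvfb-run lines: xauth reads the "add"
# command from the heredoc, so the secret never reaches a command line.
add_cookie_via_stdin() {
    authfile=$1 servernum=$2 proto=$3 cookie=$4
    XAUTHORITY=$authfile xauth source - <<EOF
add :$servernum $proto $cookie
EOF
}

# Usage (assumes xauth is installed; the auth file path is constructed):
#   AUTHFILE=$(mktemp) && add_cookie_via_stdin "$AUTHFILE" 99 . "$(make_cookie)"
```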