Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#22134 - [xorg-xinit] Vulnerability in xorg-xinit
Attached to Project:
Arch Linux
Opened by A Web (aweb) - Saturday, 18 December 2010, 08:02 GMT
Last edited by Andreas Radke (AndyRTR) - Sunday, 19 December 2010, 11:03 GMT
Details

Description:
The script /etc/X11/xinit/xserverrc ignores its arguments, which in particular means the -auth argument to X gets dropped. The /tmp/serverauth.XXX... file is then completely ignored, and without any MIT-MAGIC-COOKIE, the X server silently allows connections from any user on the local machine. This affects any X user who gives someone else ssh access to his or her workstation. A one-line patch is attached.

Additional info:
* package version(s) extra/xorg-xinit 1.3.0-1
* config and/or log files etc.

Steps to reproduce:
- Log into console.
- Run startx.
- ssh into machine using different account.
- In ssh window, run xlsclients -display :0. You will see that the different uid is able to connect to the X server. (Of course xlsclients is relatively harmless, but this works equally well with keyloggers.)
xorg-xinit.diff
======================================
userserverrc=$HOME/.xserverrc
sysserverrc=/etc/X11/xinit/xserverrc
defaultserver=/usr/bin/X
defaultserverargs=""
defaultdisplay=":0"
...
if [ x"$server" = x ]; then
    server=$defaultserver
    # if no server arguments or display either, use defaults
    if [ x"$serverargs" = x -a x"$display" = x ]; then
        # For compatibility reasons, only use xserverrc if there were no server command line arguments
        if [ -f "$userserverrc" ]; then
            server=$userserverrc
        elif [ -f "$sysserverrc" ]; then
            server=$sysserverrc
        fi
        serverargs=$defaultserverargs
        display=$defaultdisplay
    fi
fi
...
xinit "$client" $clientargs -- "$server" $display $serverargs
========================================
So, if you call startx (no args) and there is no ~/.xserverrc, then xinit executes /etc/X11/xinit/xserverrc without any arguments...
Even if /etc/X11/xinit/xserverrc gets fixed per your proposal, it still will be called with no arguments, i.e. ${@}="". Or, you'll have to use xinit explicitly...
if [ x"$enable_xauth" = x1 ] ; then
...
serverargs=${serverargs}" -auth "${xserverauthfile}
Also at the top of the file is
enable_xauth=1
If you do not see this, you must have customized your /usr/bin/startx. I am looking at this on several machines with very fresh from-scratch arch installs. You can also confirm this for yourself by executing the following commands:
$ bsdtar xf /var/cache/pacman/pkg/xorg-xinit-1.3.0-1-x86_64.pkg.tar.xz usr/bin/startx
$ fgrep -e -auth usr/bin/startx
serverargs=${serverargs}" -auth "${xserverauthfile}
$
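
The failure mode discussed in this thread, as an added example that is not part of the original report or of the xorg-xinit package: a stub stands in for /usr/bin/X and records its arguments, and two constructed xserverrc variants are invoked the way the quoted `xinit ... -- "$server" $display $serverargs` line invokes them. The stub, both wrapper bodies, the `received_auth` helper and the `serverauth.EXAMPLE` path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example with constructed stand-ins; no real X server is started.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Stub standing in for /usr/bin/X: logs each argument it receives, one per line.
cat > "$workdir/X" <<'EOF'
#!/bin/sh
for a in "$@"; do printf '%s\n' "$a"; done > "$ARGV_LOG"
EOF

# Constructed wrapper 1: ignores its arguments, the behaviour the report describes.
cat > "$workdir/xserverrc.drops" <<EOF
#!/bin/sh
exec "$workdir/X" -nolisten tcp
EOF

# Constructed wrapper 2: forwards whatever xinit passes on.
cat > "$workdir/xserverrc.forwards" <<EOF
#!/bin/sh
exec "$workdir/X" -nolisten tcp "\$@"
EOF
chmod +x "$workdir/X" "$workdir/xserverrc.drops" "$workdir/xserverrc.forwards"

# received_auth WRAPPER
# Runs WRAPPER with a display and an -auth option, mirroring
#   xinit ... -- "$server" $display $serverargs
# and prints the -auth value that reached the stub server, or "none".
received_auth() {
    ARGV_LOG="$workdir/argv.log"
    export ARGV_LOG
    : > "$ARGV_LOG"
    "$1" :0 -auth "$workdir/serverauth.EXAMPLE"
    awk 'prev == "-auth" { print; found = 1; exit }
         { prev = $0 }
         END { if (!found) print "none" }' "$ARGV_LOG"
}

for w in drops forwards; do
    printf 'xserverrc.%s: -auth seen by server = %s\n' \
        "$w" "$(received_auth "$workdir/xserverrc.$w")"
done
```

The same argument-logging stub can be used in a packaging test to confirm that a server wrapper still passes -auth through after it has been edited.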