Arch Linux


FS#22134 - [xorg-xinit] Vulnerability in xorg-xinit

Attached to Project: Arch Linux
Opened by A Web (aweb) - Saturday, 18 December 2010, 08:02 GMT
Last edited by Andreas Radke (AndyRTR) - Sunday, 19 December 2010, 11:03 GMT
Task Type: Bug Report
Category: Packages: Extra
Status: Closed
Assigned To: Jan de Groot (JGC)
Architecture: All
Severity: High
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:

The script /etc/X11/xinit/xserverrc ignores its arguments, which in particular means the -auth argument to X gets dropped. The /tmp/serverauth.XXX... file is then completely ignored, and without any MIT-MAGIC-COOKIE, the X server silently allows connections from any user on the local machine.

This affects any X user who gives someone else ssh access to his or her workstation. A one-line patch is attached.

Additional info:
* package version(s)

extra/xorg-xinit 1.3.0-1

* config and/or log files etc.

Steps to reproduce:

- Log into console.
- Run startx.
- ssh into machine using different account.
- In ssh window, run xlsclients -display :0.

You will see that the different uid is able to connect to the X server. (Of course xlsclients is relatively harmless, but this works equally well with keyloggers.)

Closed by Andreas Radke (AndyRTR) - Sunday, 19 December 2010, 11:03 GMT
Reason for closing: Fixed

Comment by Leonid Isaev (lisaev) - Saturday, 18 December 2010, 21:27 GMT
From /usr/bin/startx:
======================================
userserverrc=$HOME/.xserverrc
sysserverrc=/etc/X11/xinit/xserverrc
defaultserver=/usr/bin/X
defaultserverargs=""
defaultdisplay=":0"
...
if [ x"$server" = x ]; then
    server=$defaultserver
    # if no server arguments or display either, use defaults
    if [ x"$serverargs" = x -a x"$display" = x ]; then
        # For compatibility reasons, only use xserverrc if there were no server command line arguments
        if [ -f "$userserverrc" ]; then
            server=$userserverrc
        elif [ -f "$sysserverrc" ]; then
            server=$sysserverrc
        fi
        serverargs=$defaultserverargs
        display=$defaultdisplay
    fi
fi
...
xinit "$client" $clientargs -- "$server" $display $serverargs
========================================
So, if you call startx (no args) and there is no ~/.xserverrc, then xinit executes /etc/X11/xinit/xserverrc without any arguments...

Even if /etc/X11/xinit/xserverrc gets fixed per your proposal, it still will be called with no arguments, i.e. ${@}="". Or, you'll have to use xinit explicitly...

Comment by A Web (aweb) - Saturday, 18 December 2010, 23:59 GMT
I have tested my patch and it definitely works. I have no ~/.xserverrc. I am running xorg-xinit 1.3.0-1 on x86_64. Below the code you quote, my (stock) startx script contains

if [ x"$enable_xauth" = x1 ] ; then
...
serverargs=${serverargs}" -auth "${xserverauthfile}

Also at the top of the file is

enable_xauth=1

If you do not see this, you must have customized your /usr/bin/startx. I am looking at this on several machines with very fresh from-scratch arch installs. You can also confirm this for yourself by executing the following commands:

$ bsdtar xf /var/cache/pacman/pkg/xorg-xinit-1.3.0-1-x86_64.pkg.tar.xz usr/bin/startx
$ fgrep -e -auth usr/bin/startx
serverargs=${serverargs}" -auth "${xserverauthfile}
$

Comment by Andreas Radke (AndyRTR) - Sunday, 19 December 2010, 11:03 GMT
patch applied in 1.3.0-2. Debian also solved it that way in an old bug, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=549377
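
Added example, not part of the original report or of the xorg-xinit package: a constructed shell demo of the argument flow discussed in this thread, comparing a wrapper that drops its arguments with one that forwards "$@". The stub fake-X, both wrapper bodies (including -nolisten tcp) and the temp paths are assumptions; only the -auth append and the "$server" $display $serverargs call shape come from the startx lines quoted above.

```shell
#!/bin/sh
# Constructed demo: does the "-auth <file>" that startx appends survive the
# xserverrc wrapper? Uses a stub instead of a real X server.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Stub standing in for /usr/bin/X: records the arguments it receives.
cat > "$demo_dir/fake-X" <<EOF
printf '%s\n' "\$@" > "$demo_dir/argv.log"
EOF

# Wrapper that ignores its arguments (behaviour described in the report).
cat > "$demo_dir/xserverrc.ignoring" <<EOF
exec sh "$demo_dir/fake-X" -nolisten tcp
EOF

# Wrapper that forwards its arguments to the server.
cat > "$demo_dir/xserverrc.forwarding" <<EOF
exec sh "$demo_dir/fake-X" -nolisten tcp "\$@"
EOF

# Invoke a wrapper with the argument shape of the quoted startx line
#   xinit "$client" $clientargs -- "$server" $display $serverargs
# and succeed only if the stub server received "-auth <file>".
auth_reaches_server() {
    server=$1
    display=":0"
    serverargs=""
    xserverauthfile="$demo_dir/serverauth.constructed"
    serverargs=${serverargs}" -auth "${xserverauthfile}
    : > "$demo_dir/argv.log"
    # Unquoted as in startx, so $serverargs is word-split into two arguments.
    # Run via sh so the demo also works on a noexec temp directory.
    sh "$server" $display $serverargs
    grep -qx -e '-auth' "$demo_dir/argv.log" &&
        grep -qxF -e "$xserverauthfile" "$demo_dir/argv.log"
}

for w in ignoring forwarding; do
    if auth_reaches_server "$demo_dir/xserverrc.$w"; then
        echo "xserverrc.$w: server received -auth"
    else
        echo "xserverrc.$w: server started without -auth"
    fi
done
```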
