Bug 230008 (CVE-2006-5215)
Summary: | CVE-2006-5215 xdm symlink attack | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Josh Bressers <bressers> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | vdanen |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2010-12-22 18:34:13 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 210312 | ||
Bug Blocks: |
Description
Josh Bressers
2007-02-25 19:50:17 UTC
In xinitrc's Xsession (RHEL4) this doesn't seem to be a problem as we use mktemp. and this is only if ~/.xsession-errors cannot be written for some reason: 11 # redirect errors to a file in user's home directory if we can 12 if [ -z "$GDMSESSION" ]; then 13 # GDM redirect output itself in a smarter fashion 14 errfile="$HOME/.xsession-errors" 15 if cp /dev/null "$errfile" 2> /dev/null ; then 16 chmod 600 "$errfile" 17 exec > "$errfile" 2>&1 18 else 19 errfile=$(mktemp -q /tmp/xses-$USER.XXXXXX) 20 if [ $? -eq 0 ]; then 21 exec > "$errfile" 2>&1 22 fi 23 fi 24 fi Xsession as provided in kdebase for RHEL4 is a symlink to the xinitrc-provided Xsession script. While the copy of /dev/null to ~/.xsession-errors does use the user's umask (upstream changes the umask to 077 before the copy), this is only a problem if the user's home directory is using non-default permissions (0700 is the default). Using mktemp makes the file 600 regardless of umask: % mktemp -q /tmp/xses-$USER.XXXXXX /tmp/xses-vdanen.pe8701 % ls -al /tmp/xses-vdanen.pe8701 -rw------- 1 vdanen vdanen 0 Dec 22 11:30 /tmp/xses-vdanen.pe8701 % umask 022 % umask 077 % mktemp -q /tmp/xses-$USER.XXXXXX /tmp/xses-vdanen.iv8733 % ls -al /tmp/xses-vdanen.iv8733 -rw------- 1 vdanen vdanen 0 Dec 22 11:31 /tmp/xses-vdanen.iv8733 So provided the user hasn't changed their home directory permissions to something insecure (which allows for exposure to potentially more damning things than ~/.xsession-errors), I would not consider this a flaw on RHEL4 or later. |