Bug 499234 (CVE-2009-1573)

Summary: CVE-2009-1573 xvfb-run insecurely displays mcookie value
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: ajax, kreilly, mcepl, xgl-maint
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2013-05-08 17:56:46 UTC
Bug Depends On: 544036, 549895, 632879

Description Vincent Danen 2009-05-05 17:40:09 UTC
A Debian bug report [1] indicates that the mcookie value is passed to xauth as a command-line argument in the xvfb-run script, which makes it possible to see it through the process listing. This is due to:

# Start Xvfb.
MCOOKIE=$(mcookie)
XAUTHORITY=$AUTHFILE xauth add ":$SERVERNUM" "$XAUTHPROTO" "$MCOOKIE" \
  >"$ERRORFILE" 2>&1

The reporter suggests using the "xauth source -" command instead, and writing the commands to a file for xauth to read.  The xvfb-run script was first introduced in Fedora 10, so only Fedora 10 and Fedora 11 are affected.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526678
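
The two invocations discussed in the description above, as an added example that is not part of the original report or of xvfb-run: the command-line form and the suggested "xauth source -" form, each run against a constructed stub that records what it receives. XAUTH_BIN, the function names, display number 99 and the stub itself are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not taken from xvfb-run. XAUTH_BIN is a hypothetical override
# so both forms can be run against a stub when xauth is not installed.
XAUTH_BIN=${XAUTH_BIN:-xauth}

# 128-bit hex cookie; falls back to /dev/urandom when mcookie is unavailable.
gen_cookie() {
    if command -v mcookie >/dev/null 2>&1; then mcookie
    else od -An -N16 -tx1 /dev/urandom | tr -d ' \n'; fi
}

# Form from the report: the cookie is an argv element of the xauth process.
add_cookie_argv() {   # authfile servernum proto cookie
    XAUTHORITY=$1 "$XAUTH_BIN" add ":$2" "$3" "$4"
}

# Reporter's suggestion: xauth reads the "add" command from stdin, so its
# argv is only "source -".
add_cookie_stdin() {  # authfile servernum proto cookie
    XAUTHORITY=$1 "$XAUTH_BIN" source - <<EOF
add :$2 $3 $4
EOF
}

# Constructed stand-in for xauth: logs its argv, and stdin for "source".
make_stub() {         # dir
    cat >"$1/xauth-stub" <<'EOF'
#!/bin/sh
d=$(dirname "$0")
printf '%s\n' "$*" >>"$d/argv"
if [ "$1" = source ]; then cat >>"$d/stdin"; fi
exit 0
EOF
    chmod +x "$1/xauth-stub"
}

# Prints "exposed" if the cookie reached the stub's argv, "hidden" if it
# arrived only on stdin.
check_form() {        # argv|stdin
    dir=$(mktemp -d) || return 2
    make_stub "$dir"
    cookie=$(gen_cookie)
    ( XAUTH_BIN=$dir/xauth-stub
      "add_cookie_$1" "$dir/auth" 99 MIT-MAGIC-COOKIE-1 "$cookie" )
    if grep -q "$cookie" "$dir/argv"; then echo exposed
    elif grep -q "$cookie" "$dir/stdin"; then echo hidden
    else echo missing; fi
    rm -rf "$dir"
}
```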

Comment 1 Vincent Danen 2009-05-06 22:00:29 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1573 to
the following vulnerability:

Name: CVE-2009-1573
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1573
Assigned: 20090506
Reference: MLIST:[oss-security] 20090505 CVE id request: Debian/Ubuntu specific issue in xvfb-run (xorg)
Reference: URL: http://www.openwall.com/lists/oss-security/2009/05/05/2
Reference: MLIST:[oss-security] 20090505 Re: CVE id request: Debian/Ubuntu specific issue in xvfb-run (xorg)
Reference: URL: http://www.openwall.com/lists/oss-security/2009/05/05/4
Reference: CONFIRM: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526678

xvfb-run 1.6.1 in Debian GNU/Linux, Ubuntu, Fedora 10, and possibly
other operating systems places the magic cookie (MCOOKIE) on the
command line, which allows local users to gain privileges by listing
the process and its arguments.

Comment 3 Vincent Danen 2009-12-03 18:53:28 UTC
This is still an issue in Fedora 12, so this still affects 10, 11, and 12.

Comment 5 Vincent Danen 2013-05-08 17:56:46 UTC
This was corrected in xorg-x11-server-1.9.0-9.fc14.