Bug 501562 (CVE-2009-1756)

Summary: CVE-2009-1756 SLiM: Potential X session hijacking (MITM)
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: afb, lorenzo
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529306
Whiteboard: reported=20090518,public=20090518,source=debian,impact=moderate
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-01-20 07:14:09 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 544024    
Bug Blocks:    

Description Jan Lieskovsky 2009-05-19 14:34:05 EDT
Potential man-in-the-middle attack was found in SLiM (Simple Login Manager)
due to improper processing of authorization information used in connection
to the X server. A local attacker could use this flaw to hijack X session
of the victim by overhearing of certain information, needed for proper
extraction of authorization records.

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529306
http://bugs.gentoo.org/show_bug.cgi?id=270345
http://www.openwall.com/lists/oss-security/2009/05/18/2
Comment 1 Jan Lieskovsky 2009-05-22 06:53:07 EDT
CVE-2009-1756:

SLiM Simple Login Manager 1.3.0 includes places the X authority magic
cookie (mcookie) on the command line when invoking xauth from (1)
app.cpp and (2) switchuser.cpp, which allows local users to access the
X session by listing the process and its arguments. 

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1756
http://www.openwall.com/lists/oss-security/2009/05/18/2
http://www.securityfocus.com/bid/35015
http://osvdb.org/54583
http://secunia.com/advisories/35132
http://xforce.iss.net/xforce/xfdb/50611
Comment 2 Jan Lieskovsky 2009-08-20 06:37:20 EDT
This issue affects the versions of the slim package, as shipped with
Fedora releases of 10 and 11.

Please fix.
Comment 3 Anders F Björklund 2009-08-20 06:56:29 EDT
I'm not interested in maintaining slim for Fedora 10 and 11 (it's an orphan), but if the debian patch applies cleanly I can try to add that to a testing package ?

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529306#25 {CVE-2009-1756}
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529306#35 (rand -> random)
Comment 6 Fedora Update System 2009-12-21 19:18:45 EST
slim-1.3.1-9.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/slim-1.3.1-9.fc12
Comment 7 Fedora Update System 2009-12-21 19:18:49 EST
slim-1.3.1-9.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/slim-1.3.1-9.fc11
Comment 8 Fedora Update System 2010-01-01 22:27:13 EST
slim-1.3.1-9.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2010-01-01 22:28:36 EST
slim-1.3.1-9.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.