Bug 1149610 (CVE-2014-7272) - CVE-2014-7272 sddm: several local privileges escalation issues
Summary: CVE-2014-7272 sddm: several local privileges escalation issues
Alias: CVE-2014-7272
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1149629
Blocks: F21BetaFreezeException
TreeView+ depends on / blocked
Reported: 2014-10-06 08:27 UTC by Vasyl Kaigorodov
Modified: 2019-09-29 13:22 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-11-03 23:47:42 UTC

Attachments (Terms of Use)
Patch for spin-kickstarts (728 bytes, patch)
2014-10-23 10:30 UTC, Martin Bříza
no flags Details | Diff

Description Vasyl Kaigorodov 2014-10-06 08:27:28 UTC
It was reported that sddm has several issues leading to local privilege escalation:


The xauth cookie handling code calls xauth binary via
popen() as root, which in turn dumps and creates files as root
in users ~.


After xauth has done its job, sddm chowns() the ~/.Xauthority
file to user. This is a race and a local root exploit.


The .xsession-errors file is created in ~ but as root.
This allows to destroy arbitrary system files.

Upstream patch is at [4].

[1] https://bugzilla.suse.com/show_bug.cgi?id=897788#c7
[2] https://bugzilla.suse.com/show_bug.cgi?id=897788#c8
[3] https://bugzilla.suse.com/show_bug.cgi?id=897788#c9
[4] https://github.com/sddm/sddm/pull/280

Comment 1 Vasyl Kaigorodov 2014-10-06 09:44:06 UTC
Created sddm tracking bugs for this issue:

Affects: fedora-all [bug 1149629]

Comment 2 Fedora Blocker Bugs Application 2014-10-22 02:26:19 UTC
Proposed as a Freeze Exception for 21-beta by Fedora user rdieter using the blocker tracking app because:

 local privilege escalation security issue, associated bodhi update has requisite karma.

Comment 3 Adam Williamson 2014-10-22 18:16:00 UTC
Discussed at 2014-10-22 freeze exception review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2014-10-22/f21-blocker-review.2014-10-22-16.03.log.txt . Accepted as a freeze exception issue - obviously, privescs in a release-blocking desktop's login manager are V. Bad. It'd be good to have a fix for this ASAP.

Comment 4 Kevin Kofler 2014-10-22 21:28:24 UTC
The fix is already queued for stable as FEDORA-2014-12442, it just wants to be pulled in.

Comment 5 Kevin Kofler 2014-10-23 00:43:59 UTC
There's a caveat however: fedora-livecd-kde-base.ks does this:
# set up autologin for user liveuser
sed -i 's/^AutoUser=.*/AutoUser=liveuser/' /etc/sddm.conf

This needs updating when/if FEDORA-2014-12242 hits, for 2 reasons:
1. AutoUser= is not the syntax for the latest sddm, it now uses User= in an [Autologin] group.
2. There is no default /etc/sddm.conf shipped anymore on which one could run sed. IMHO, this is very user-unfriendly. The package should ship a default config file that users can edit. But the kickstart could probably just use cat instead of sed for now.

Martin Bříza, can you please update the master branch of spin-kickstarts with the new logic ASAP, or tell me what to put in there, so we have something to cherry-pick? Rawhide already has the new SDDM, so this should have already happened! (There's no way autologin is working on Rawhide KDE live images right now.)

Is this enough?
cat >/etc/sddm.conf <<EOF
Or do we have to generate a complete config file?

Comment 6 Martin Bříza 2014-10-23 10:30:31 UTC
Created attachment 949792 [details]
Patch for spin-kickstarts

Seems I can't push to spin-kickstarts - here is a patch that should fix the problem

Comment 7 Adam Williamson 2014-10-23 18:03:37 UTC
applied to master.

Comment 8 Adam Williamson 2014-10-23 18:44:19 UTC
now fixed on master - mbriza, you can't use EOF there, because you're nested within the "cat >> /etc/rc.d/init.d/livesys << EOF" . You have to use something else - see how the other blocks use MENU_EOF, AKONADI_EOF, etc etc. I changed it to use SDDM_EOF.

Comment 9 Adam Williamson 2014-10-23 19:14:39 UTC
I built alive image with the new sddm and mbriza's patch to spin-kickstarts. It black screens on boot. /var/log/sddm.log has:

(EE) DAEMON: Failed to find command for session: "plasma.desktop"

Comment 10 Fedora Update System 2014-10-28 06:46:57 UTC
sddm-0.9.0-2.20141007git6a28c29b.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Adam Williamson 2014-10-28 06:49:34 UTC
Whoops, forgot to note that I fixed c#9.

Comment 12 Adam Williamson 2014-10-30 19:18:21 UTC
Setting ON_QA for F21, we pulled the updated sddm into Beta.

Comment 13 Adam Williamson 2014-10-30 19:26:40 UTC
VERIFIED at least that the updated version is in Beta RC4 and works correctly.

Comment 14 Adam Williamson 2014-11-03 23:47:42 UTC
The updated sddm was pushed stable. Closing.

Note You need to log in before you can comment on or make changes to this bug.