GDM file permissions race condition
Marcus Meissner discovered a race condition issue in gdm which affects
the way it modifies the permissions on the .ICEauthority file.
The problem is that there is a race condition between the time stat()
is run on the file and the time chown() and chmod() are run.
The patch that caused this error is here:
We don't have a fix yet.
Created attachment 127492
Proposed upstream patch
So there has been a bit of discussion about how exploitable this problem really is.
One thing Marcus didn't originally notice is that a bug in the problem code
prevents it from easily being exploited.
Namely, the code only runs if
stat (".ICEauthority", &s) && S_ISREG (s.st_mode)
evaluates to true. The first clause was probably supposed to read
stat (".ICEauthority", &s) == 0
but the "== 0" part was forgotten. This means those two clauses can only
evaluate to true if the stat() call fails AND the S_ISREG() macro succeeds when
fed the uninitialized s.st_mode value.
This means the exploitable code will only run if the stack happens to have the
right bytes in it. I don't believe there is currently a known method of
manipulating the stack such that the exploitable code can be run.
Also, the upstream maintainer has already fixed this code in public CVS and done
a release, with the messages:
2006-04-07 Brian Cameron <firstname.lastname@example.org>
* daemon/slave.c: Now logic unlinks .ICEauthority file if it
looks fishy rather than trying to chown/chmod it. This
is to resolve CVE-2006-1057.
2006-04-10 Brian Cameron <email@example.com>
* daemon/slave.c: Better fix for resolving CVE-2006-1057
provided by Hans Petter Jansson <firstname.lastname@example.org>
so I don't know how relevant the embargo is.
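
The stat()/chown()/chmod() window and the missing "== 0" discussed in the comment above, shown as an added example that is not part of the original bug report and is not GDM's code or the upstream patch. It is a general descriptor-based pattern; the function names fix_perms_fd and demo and the /tmp test paths are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added illustration, not GDM code. Inspect and modify the file through one
 * descriptor, so the object that was checked is the object that is changed
 * (no window between a path-based stat() and a path-based chown()/chmod()). */
int fix_perms_fd(const char *path, uid_t uid, gid_t gid)
{
    struct stat s;
    /* O_NOFOLLOW refuses a symlink as the final component;
     * O_NONBLOCK keeps open() from hanging if the path is a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    /* Explicit "== 0": without it the test passes only when the call
     * fails and s.st_mode is read uninitialized. */
    int ok = fstat(fd, &s) == 0 && S_ISREG(s.st_mode) && s.st_nlink == 1
             && fchown(fd, uid, gid) == 0 && fchmod(fd, 0600) == 0;
    close(fd);
    return ok ? 0 : -1;
}

/* Constructed self-check: returns 0 when a regular file ends up 0600 and a
 * symlink pointing at that same file is refused. */
int demo(void)
{
    char dir[] = "/tmp/iceXXXXXX", file[64], link[64];
    struct stat s;
    if (!mkdtemp(dir))
        return -1;
    snprintf(file, sizeof file, "%s/auth", dir);
    snprintf(link, sizeof link, "%s/link", dir);
    int fd = open(file, O_CREAT | O_WRONLY, 0644);
    if (fd < 0 || close(fd) != 0 || symlink(file, link) != 0)
        return -1;
    int good = fix_perms_fd(file, geteuid(), getegid());
    int bad = fix_perms_fd(link, geteuid(), getegid());
    int mode_ok = stat(file, &s) == 0 && (s.st_mode & 0777) == 0600;
    unlink(link); unlink(file); rmdir(dir);
    return (good == 0 && bad == -1 && mode_ok) ? 0 : 1;
}

int main(void) { return demo(); }
```
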
Created attachment 127619
latest upstream patch
This is the second patch that got committed upstream.
A flaw was found with this patch. This upstream bug contains a followup patch
that properly sets the GID.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.