Bug 212167 - CVE-2006-5214 Xsession problems (CVE-2006-5215)
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: xorg-x11-xinit
6
All Linux
medium Severity medium
Assigned To: Søren Sandmann Pedersen
David Lawrence
reported=20061010,source=cve,impact=l...
: Reopened, Security
Blocks: CVE-2006-5214
Reported: 2006-10-25 10:09 EDT by Mark J. Cox (Product Security)
Modified: 2014-06-18 05:08 EDT (History)
Fixed In Version: 1.0.2-21.fc7
Doc Type: Bug Fix
Last Closed: 2007-11-02 13:37:49 EDT
Description Mark J. Cox (Product Security) 2006-10-25 10:09:57 EDT
+++ This bug was initially created as a clone of Bug #212166 +++

Two issues in XFree86/xorg Xsession were reported and fixed upstream.  Both
relate to the handling of the xsession file.  

CVE-2006-5214: A local attacker could open for reading a user's
~/.xsession-errors file if they are able to win a race during its creation and
have sufficient privileges (+x) to the victim's home directory already.

CVE-2006-5215: A local attacker could perform a temporary file attack on the
xsession error file created in /tmp and cause it to overwrite particular files
of the victim.  However this file is only created if the ability to create
~/.xsession-errors in the victim's home directory fails (something the attacker
has no control over).  The upstream Xsession code was different (and worse) than
our xinitrc code, but we should use mkstemp.

We've rated these issues as low severity and they can be deferred until a future
update for some other reason.

This affects Xsession as shipped in xorg-x11-xinit in FC6 and FC5
and xorg-x11-xdm in FC5 only (FC6 contains a fixed upstream version)

Affects: FC6, FC5
Note also affects xinitrc (bz#210311)
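
The two fixes the description calls for, as an added shell example (not code from xorg-x11-xinit or from the upstream Xsession): create the error log with mode 0600 from the start, and fall back to mktemp(1), the shell counterpart of mkstemp, rather than a name in /tmp that someone else could create first. The function name `open_session_log` and its two arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the distribution's script.
# open_session_log HOME_DIR TMP_DIR
#   Creates the session error log and prints its path on stdout.
#   A session script would then redirect into it: exec >>"$log" 2>&1
open_session_log() {
    home_dir=$1
    tmp_dir=$2
    errfile="$home_dir/.xsession-errors"

    # Race on creation (CVE-2006-5214 class): the file must never exist with
    # permissive modes, so the umask is set before it is created. A log left
    # over from an earlier session is removed first, because truncating it
    # would keep its old mode. noclobber (set -C) makes the shell refuse to
    # open anything that appears at that path after the rm.
    # The subshell keeps umask and noclobber local to this step.
    if ( umask 077 && rm -f -- "$errfile" && set -C && : > "$errfile" ) \
            2>/dev/null; then
        printf '%s\n' "$errfile"
        return 0
    fi

    # Temporary file attack (CVE-2006-5215 class): only reached when the home
    # directory log cannot be created. mktemp picks a random suffix and
    # creates the file exclusively with mode 0600, so a file or symlink
    # planted in TMP_DIR beforehand is never opened.
    errfile=$(mktemp "$tmp_dir/xses-${USER:-user}.XXXXXX") || return 1
    printf '%s\n' "$errfile"
}
```
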
Comment 1 Mark J. Cox (Product Security) 2006-11-20 05:49:59 EST
fix:
        http://webcvs.freedesktop.org/xorg/app/xdm/config/Xsession.cpp
Comment 2 Lubomir Kundrak 2007-08-02 06:12:01 EDT
Sandmann: Could you please fix this for FC6 and push updated?
Comment 3 Fedora Update System 2007-08-02 22:43:30 EDT
xorg-x11-xinit-1.0.2-21.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Lubomir Kundrak 2007-08-03 03:06:46 EDT
Reopening this for FC6.
Comment 5 David Anderson 2007-08-09 16:53:43 EDT
After my latest "yum update", X refused to start, either for rhgb or for 
normal usage if "rhgb" was removed from the boot line.

I booted into single user mode, reverted the xorg-x11-xinit update (i.e. did 
rpm -Uvh --oldpackage to get the old package back), and then the problem was 
gone.
Comment 6 David Anderson 2007-08-09 16:55:13 EDT
Forgot to mention that this was on a fully updated F7 system.
Comment 7 Søren Sandmann Pedersen 2007-08-09 19:06:57 EDT
Do you remember which package exactly caused the problem?

Was it 1.0.2-22 or 1.0.2-21?

What exactly happened? I.e., what does 'refused to start' mean?
