Bug 212168 - CVE-2006-5214 Xsession problems (CVE-2006-5215)
CVE-2006-5214 Xsession problems (CVE-2006-5215)
Product: Fedora
Classification: Fedora
Component: gdm (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Ray Strode [halfline]
: Security
Depends On:
  Show dependency treegraph
Reported: 2006-10-25 10:11 EDT by Mark J. Cox (Product Security)
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-10-25 10:31:29 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Mark J. Cox (Product Security) 2006-10-25 10:11:37 EDT
+++ This bug was initially created as a clone of Bug #212167 +++

Two issues in XFree86/xorg Xsession were reported and fixed upstream.  Both
relate to the handling of the xsession file.  

CVE-2006-5214: A local attacker could open for reading a users
~/.xsession-errors file if they are able to win a race during it's creation and
have sufficient privileges (+x) to the victims home directory already.

CVE-2006-5215: A local attacker could perform a temporary file attack on the
xsession error file created in /tmp and cause it to overwrite particular files
of the victim.  However this file is only created if the ability to create
~/.xsession-errors in the victims home directory fails, (something the attacker
has no control over).  The upstream Xsession code was different (and worse) than
our xinitrc code, but we should use mkstemp.

We've rated these issues as low severity and they can be deferred until a future
update for some other reason.

This affects Xsession as shipped in gdm package in FC5
Comment 1 Ray Strode [halfline] 2006-10-25 10:31:29 EDT
So we don't ship a separate Xsession file for GDM, we just use the system one in

From the fc5 gdm spec file:

# remove the gdm Xsession as we're using the xdm one
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/gdm/Xsession
(cd $RPM_BUILD_ROOT%{_sysconfdir}/gdm; ln -sf ../X11/xinit/Xsession .)

Also, the xinit Xsession file has this guard around the icky code:

if [ -z "$GDMSESSION" ]; then
  ... icky xsession-errors code here ...

because gdm creates the xsession-errors file itself, so i'm going to close this

Note You need to log in before you can comment on or make changes to this bug.