Bug 230007 - (CVE-2006-5214) CVE-2006-5214 xdm race
Product: Security Response
Classification: Other
Component: vulnerability
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
: Security
Depends On: 210312 212166 212167
Reported: 2007-02-25 14:44 EST by Josh Bressers
Modified: 2010-12-22 13:39 EST (History)
Last Closed: 2010-12-22 13:39:01 EST
Description Josh Bressers 2007-02-25 14:44:08 EST
Race condition in the Xsession script, as used by X Display Manager (xdm) in
NetBSD before 20060212, X.Org before 20060225, and Solaris 8 through 10 before
20061006, causes a user's Xsession errors file to have weak permissions before a
chmod is performed, which allows local users to read Xsession errors files of
other users.
Comment 1 Vincent Danen 2010-12-22 13:39:01 EST
In xinitrc's Xsession (RHEL4) this problem does exist:

# redirect errors to a file in user's home directory if we can
if [ -z "$GDMSESSION" ]; then
    # GDM redirect output itself in a smarter fashion
    errfile="$HOME/.xsession-errors"
    if cp /dev/null "$errfile" 2> /dev/null ; then
        chmod 600 "$errfile"
        exec > "$errfile" 2>&1
    else
        errfile=$(mktemp -q /tmp/xses-$USER.XXXXXX)
        if [ $? -eq 0 ]; then
            exec > "$errfile" 2>&1
        fi
    fi
fi

Xsession as provided in kdebase for RHEL4 is a symlink to the xinitrc-provided
Xsession script.

While the copy of /dev/null to ~/.xsession-errors does use the user's umask
(upstream changes the umask to 077 before the copy), this is only a problem if
the user's home directory is using non-default permissions (0700 is the

So provided the user hasn't changed their home directory permissions to
something insecure (which allows for exposure to potentially more damning
things than ~/.xsession-errors), this shouldn't ever be exposed.  RHEL5 has the upstream umask change.
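
The window discussed in Comment 1, as an added example that is not part of the bug report or of any shipped Xsession script: it reports the mode the errors file has between the cp and the chmod, first under an inherited umask and then with the umask set to 077 before the copy. The function names, the umask of 022 and the temporary paths are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration. All paths are temporary and constructed; no real
# $HOME or ~/.xsession-errors is touched.

# mode_of FILE: print FILE's octal permission bits (GNU stat, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Pattern from the script quoted in Comment 1: the file is created under
# whatever umask the session inherited, and only tightened afterwards.
# Prints the mode visible in the window between cp and chmod.
create_then_chmod() {
    errfile=$1
    (
        umask 022                  # assumed login umask for the demonstration
        cp /dev/null "$errfile" || exit 1
        mode_of "$errfile"         # what another local user could see here
        chmod 600 "$errfile"
    )
}

# Pattern described as the upstream change: umask 077 before the copy, so the
# file is never created with group/other bits and the chmod closes no window.
create_with_umask() {
    errfile=$1
    (
        umask 077
        cp /dev/null "$errfile" || exit 1
        mode_of "$errfile"
        chmod 600 "$errfile"
    )
}

demo_dir=$(mktemp -d) || exit 1
echo "cp then chmod, umask 022: mode in window = $(create_then_chmod "$demo_dir/old")"
echo "umask 077 before cp:      mode in window = $(create_with_umask "$demo_dir/new")"
rm -rf "$demo_dir"
```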
