Bug 230008 - (CVE-2006-5215) CVE-2006-5215 xdm symlink attack
CVE-2006-5215 xdm symlink attack
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
reported=20061010,source=cve,public=2...
: Security
Depends On: 210312
Blocks:
  Show dependency treegraph
 
Reported: 2007-02-25 14:50 EST by Josh Bressers
Modified: 2010-12-22 13:34 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-12-22 13:34:13 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Josh Bressers 2007-02-25 14:50:17 EST
The Xsession script, as used by X Display Manager (xdm) in NetBSD before
20060212, X.Org before 20060317, and Solaris 8 through 10 before 20061006,
allows local users to overwrite arbitrary files, or read another user's Xsession
errors file, via a symlink attack on a /tmp/xses-$USER file.
Comment 1 Vincent Danen 2010-12-22 13:34:13 EST
In xinitrc's Xsession (RHEL4) this doesn't seem to be a problem as we use mktemp. and this is only if ~/.xsession-errors cannot be written for some reason:

11 # redirect errors to a file in user's home directory if we can
12 if [ -z "$GDMSESSION" ]; then
13     # GDM redirect output itself in a smarter fashion
14     errfile="$HOME/.xsession-errors"
15     if cp /dev/null "$errfile" 2> /dev/null ; then
16         chmod 600 "$errfile"
17         exec > "$errfile" 2>&1
18     else
19         errfile=$(mktemp -q /tmp/xses-$USER.XXXXXX)                                                                                                                                                  
20         if [ $? -eq 0 ]; then
21             exec > "$errfile" 2>&1
22         fi
23     fi
24 fi

Xsession as provided in kdebase for RHEL4 is a symlink to the xinitrc-provided Xsession script.

While the copy of /dev/null to ~/.xsession-errors does use the user's umask (upstream changes the umask to 077 before the copy), this is only a problem if the user's home directory is using non-default permissions (0700 is the default).

Using mktemp makes the file 600 regardless of umask:

% mktemp -q /tmp/xses-$USER.XXXXXX
/tmp/xses-vdanen.pe8701
% ls -al /tmp/xses-vdanen.pe8701
-rw-------  1 vdanen vdanen 0 Dec 22 11:30 /tmp/xses-vdanen.pe8701
% umask
022
% umask 077
% mktemp -q /tmp/xses-$USER.XXXXXX
/tmp/xses-vdanen.iv8733
% ls -al /tmp/xses-vdanen.iv8733
-rw-------  1 vdanen vdanen 0 Dec 22 11:31 /tmp/xses-vdanen.iv8733

So provided the user hasn't changed their home directory permissions to something insecure (which allows for exposure to potentially more damning things than ~/.xsession-errors), I would not consider this a flaw on RHEL4 or later.

Note You need to log in before you can comment on or make changes to this bug.