Bug 391841 (CVE-2007-5958) - CVE-2007-5958 Xorg / XFree86 file existence disclosure vulnerability
Summary: CVE-2007-5958 Xorg / XFree86 file existence disclosure vulnerability
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2007-5958
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 419451 419461 419481 419501 419521 419531 429125 429126 429127
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-11-20 10:17 UTC by Tomas Hoger
Modified: 2019-09-29 12:22 UTC (History)
5 users (show)

Fixed In Version: 1.3.0.0-39.fc8
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-01-22 15:31:45 UTC
Embargoed:

Attachments (Terms of Use)
cve-2007-5958.patch (1.30 KB, patch)
2007-12-13 21:16 UTC, Adam Jackson 		no flags Details | Diff
Alternate patch proposed by Matthieu Herrb (657 bytes, patch)
2008-01-02 15:46 UTC, Tomas Hoger 		no flags Details | Diff
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0029 0 normal SHIPPED_LIVE Important: XFree86 security update 2008-01-19 02:59:54 UTC
Red Hat Product Errata RHSA-2008:0030 0 normal SHIPPED_LIVE Important: xorg-x11 security update 2008-01-19 02:20:50 UTC
Red Hat Product Errata RHSA-2008:0031 0 normal SHIPPED_LIVE Important: xorg-x11-server security update 2008-01-19 01:28:40 UTC

Comment 2 Tomas Hoger 2007-11-20 14:59:13 UTC 
Following vulnerability in Xorg / XFree86 X servers has been reported to us:

I have found a small vulnerability on Xorg (tested on xorg-x11-server-Xorg
version 1.1.1-48.13.el5) that can be exploited by a malicious user to disclose
the existence of files in directories not accessible by the user.

By looking at the error messages returned when supplying an arbitrary file or
directory in the "X :1 -sp <file>" command, a malicious user can identify the
existence of files and directories in access restricted directories.
If the user receives a "error opening security policy file <file>" the
file/directory is not present on the system.
However, if a "<file>: invalid security policy file version, ignoring file"
error message is returned, the file/directory is present on the system.
Comment 4 Adam Jackson 2007-12-13 21:16:46 UTC 
Created attachment 288001 [details]
cve-2007-5958.patch

Simple fix, just issue the same error message no matter what the failure mode
is.

No upstream bug yet.  Should I file one?
Comment 5 Tomas Hoger 2007-12-14 08:57:33 UTC 
(In reply to comment #4)
> No upstream bug yet.  Should I file one?

Yes, feel free to do so while respecting current embargo dates.
Comment 9 Tomas Hoger 2008-01-02 15:46:18 UTC 
Created attachment 290666 [details]
Alternate patch proposed by Matthieu Herrb

Uses Fopen (fopen that drops privileges) and Fclose.
Comment 12 Yan Tian 2008-01-15 08:51:59 UTC 
Verified the patch of comment #9 was included in xorg-x11-6.8.2-1.EL.33.0.1.src.rpm.
Comment 16 Josh Bressers 2008-01-17 14:41:53 UTC 
Lifting embargo:
http://lists.freedesktop.org/archives/xorg/2008-January/031918.html
Comment 18 Fedora Update System 2008-01-22 15:31:34 UTC 
xorg-x11-server-1.3.0.0-39.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2008-01-22 15:49:05 UTC 
xorg-x11-server-1.3.0.0-15.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 20 Red Hat Product Security 2008-01-22 19:42:07 UTC 
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0031.html
  http://rhn.redhat.com/errata/RHSA-2008-0030.html
  http://rhn.redhat.com/errata/RHSA-2008-0029.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2008-0831
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-0760
Note You need to log in before you can comment on or make changes to this bug.