Red Hat Bugzilla – Bug 391841
CVE-2007-5958 Xorg / XFree86 file existence disclosure vulnerability
Last modified: 2008-01-31 18:27:22 EST
The following vulnerability in Xorg / XFree86 X servers has been reported to us:
I have found a small vulnerability on Xorg (tested on xorg-x11-server-Xorg
version 1.1.1-48.13.el5) that can be exploited by a malicious user to disclose
the existence of files in directories not accessible by the user.
By looking at the error messages returned when supplying an arbitrary file or
directory in the "X :1 -sp <file>" command, a malicious user can identify the
existence of files and directories in access-restricted directories.
If the user receives an "error opening security policy file <file>", the
file/directory is not present on the system.
However, if a "<file>: invalid security policy file version, ignoring file"
error message is returned, the file/directory is present on the system.
Created attachment 288001 [details]
Simple fix, just issue the same error message no matter what the failure mode
No upstream bug yet. Should I file one?
(In reply to comment #4)
> No upstream bug yet. Should I file one?
Yes, feel free to do so while respecting current embargo dates.
Created attachment 290666 [details]
Alternate patch proposed by Matthieu Herrb
Uses Fopen (fopen that drops privileges) and Fclose.
Verified the patch of comment #9 was included in xorg-x11-6.8.2-1.EL.33.0.1.src.rpm.
xorg-x11-server-22.214.171.124-39.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
xorg-x11-server-126.96.36.199-15.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:
Red Hat Enterprise Linux: