Bug 499234 (CVE-2009-1573) - CVE-2009-1573 xvfb-run insecurely displays mcookie value
Summary: CVE-2009-1573 xvfb-run insecurely displays mcookie value
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-1573
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 544036 549895 632879
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-05-05 17:40 UTC by Vincent Danen
Modified: 2019-09-29 12:30 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-05-08 17:56:46 UTC


Attachments (Terms of Use)

Description Vincent Danen 2009-05-05 17:40:09 UTC
A Debian bug report [1] indicates that the mcookie value is passed to xauth as a command-line argument in the xvfb-run script, which makes it possible to see through process listing.  This is due to:

157 # Start Xvfb.
158 MCOOKIE=$(mcookie)
159 XAUTHORITY=$AUTHFILE xauth add ":$SERVERNUM" "$XAUTHPROTO" "$MCOOKIE" \
160   >"$ERRORFILE" 2>&1

The reporter suggests using the "xauth source -" command instead, and writing the commands to a file for xauth to read.  The xvfb-run script was first introduced in Fedora 10, so only Fedora 10 and Fedora 11 are affected.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526678

Comment 1 Vincent Danen 2009-05-06 22:00:29 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1573 to
the following vulnerability:

Name: CVE-2009-1573
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1573
Assigned: 20090506
Reference: MLIST:[oss-security] 20090505 CVE id request: Debian/Ubuntu specific issue in xvfb-run (xorg)
Reference: URL: http://www.openwall.com/lists/oss-security/2009/05/05/2
Reference: MLIST:[oss-security] 20090505 Re: CVE id request: Debian/Ubuntu specific issue in xvfb-run (xorg)
Reference: URL: http://www.openwall.com/lists/oss-security/2009/05/05/4
Reference: CONFIRM: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526678

xvfb-run 1.6.1 in Debian GNU/Linux, Ubuntu, Fedora 10, and possibly
other operating systems place the magic cookie (MCOOKIE) on the
command line, which allows local users to gain privileges by listing
the process and its arguments.

Comment 3 Vincent Danen 2009-12-03 18:53:28 UTC
This is still an issue in Fedora 12, so this still affects 10, 11, and 12.

Comment 5 Vincent Danen 2013-05-08 17:56:46 UTC
This was corrected in xorg-x11-server-1.9.0-9.fc14.


Note You need to log in before you can comment on or make changes to this bug.