Red Hat Bugzilla – Bug 499234
CVE-2009-1573 xvfb-run insecurely displays mcookie value
Last modified: 2013-05-08 13:56:46 EDT
A Debian bug report  indicates that the mcookie value is passed to xauth as a command-line argument in the xvfb-run script, which makes it possible to see through process listing. This is due to:
157 # Start Xvfb.
159 XAUTHORITY=$AUTHFILE xauth add ":$SERVERNUM" "$XAUTHPROTO" "$MCOOKIE" \
160 >"$ERRORFILE" 2>&1
The reporter suggests using the "xauth source -" command instead, and writing the commands to a file for xauth to read. The xvfb-run script was first introduced in Fedora 10, so only Fedora 10 and Fedora 11 are affected.
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1573 to
the following vulnerability:
Reference: MLIST:[oss-security] 20090505 CVE id request: Debian/Ubuntu specific issue in xvfb-run (xorg)
Reference: URL: http://www.openwall.com/lists/oss-security/2009/05/05/2
Reference: MLIST:[oss-security] 20090505 Re: CVE id request: Debian/Ubuntu specific issue in xvfb-run (xorg)
Reference: URL: http://www.openwall.com/lists/oss-security/2009/05/05/4
Reference: CONFIRM: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526678
xvfb-run 1.6.1 in Debian GNU/Linux, Ubuntu, Fedora 10, and possibly
other operating systems place the magic cookie (MCOOKIE) on the
command line, which allows local users to gain privileges by listing
the process and its arguments.
This is still an issue in Fedora 12, so this still affects 10, 11, and 12.
This was corrected in xorg-x11-server-1.9.0-9.fc14.