A Debian bug report [1] indicates that the mcookie value is passed to xauth as a command-line argument in the xvfb-run script, which makes it possible to see through process listing. This is due to: 157 # Start Xvfb. 158 MCOOKIE=$(mcookie) 159 XAUTHORITY=$AUTHFILE xauth add ":$SERVERNUM" "$XAUTHPROTO" "$MCOOKIE" \ 160 >"$ERRORFILE" 2>&1 The reporter suggests using the "xauth source -" command instead, and writing the commands to a file for xauth to read. The xvfb-run script was first introduced in Fedora 10, so only Fedora 10 and Fedora 11 are affected. [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526678
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1573 to the following vulnerability: Name: CVE-2009-1573 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1573 Assigned: 20090506 Reference: MLIST:[oss-security] 20090505 CVE id request: Debian/Ubuntu specific issue in xvfb-run (xorg) Reference: URL: http://www.openwall.com/lists/oss-security/2009/05/05/2 Reference: MLIST:[oss-security] 20090505 Re: CVE id request: Debian/Ubuntu specific issue in xvfb-run (xorg) Reference: URL: http://www.openwall.com/lists/oss-security/2009/05/05/4 Reference: CONFIRM: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526678 xvfb-run 1.6.1 in Debian GNU/Linux, Ubuntu, Fedora 10, and possibly other operating systems place the magic cookie (MCOOKIE) on the command line, which allows local users to gain privileges by listing the process and its arguments.
This is still an issue in Fedora 12, so this still affects 10, 11, and 12.
This was corrected in xorg-x11-server-1.9.0-9.fc14.