Bug 499234 - (CVE-2009-1573) CVE-2009-1573 xvfb-run insecurely displays mcookie value
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
low Severity low
Assigned To: Red Hat Product Security
impact=low,source=debian,reported=200...
: Security
Depends On: 544036 549895 632879
Reported: 2009-05-05 13:40 EDT by Vincent Danen
Modified: 2013-05-08 13:56 EDT
Doc Type: Bug Fix
Last Closed: 2013-05-08 13:56:46 EDT


Description Vincent Danen 2009-05-05 13:40:09 EDT
A Debian bug report [1] indicates that the mcookie value is passed to xauth as a command-line argument in the xvfb-run script, which makes it possible to see through process listing.  This is due to:

# Start Xvfb.
MCOOKIE=$(mcookie)
XAUTHORITY=$AUTHFILE xauth add ":$SERVERNUM" "$XAUTHPROTO" "$MCOOKIE" \
  >"$ERRORFILE" 2>&1

The reporter suggests using the "xauth source -" command instead, and writing the commands to a file for xauth to read.  The xvfb-run script was first introduced in Fedora 10, so only Fedora 10 and Fedora 11 are affected.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526678
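
Added example, not part of the bug report or of the xvfb-run script: the reported argv pattern next to the "xauth source -" form the reporter suggests, plus a check for whether a copy of the script still uses the argv form. The function names are chosen here, and feeding the commands through a here-document on stdin is an assumption about how "source -" would be used.

```shell
#!/bin/sh
# Added example; add_cookie_argv, add_cookie_stdin and script_is_affected
# are hypothetical helper names, not functions from xvfb-run.

# Reported pattern: the cookie is an argument of the xauth process, so any
# local user who lists processes while xauth runs can read it.
# Usage: add_cookie_argv AUTHFILE SERVERNUM PROTO COOKIE
add_cookie_argv() {
    XAUTHORITY=$1 xauth add ":$2" "$3" "$4"
}

# Suggested pattern: xauth reads its commands from stdin ("source -").
# Its argument vector is only "source -"; the cookie is expanded by the
# shell into the here-document and never becomes a process argument.
# Usage: add_cookie_stdin AUTHFILE SERVERNUM PROTO COOKIE
add_cookie_stdin() {
    XAUTHORITY=$1 xauth source - <<EOF
add :$2 $3 $4
EOF
}

# Static check for a script file: returns 0 if a non-comment line still
# invokes "xauth add ..." directly, which is the form that exposes the cookie.
# Usage: script_is_affected /path/to/xvfb-run
script_is_affected() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -Eq '(^|[^[:alnum:]_])xauth[[:space:]]+add[[:space:]]'
}
```

Run script_is_affected against the installed xvfb-run to see which form it uses; an exit status of 0 means the cookie is still passed on the command line.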
Comment 1 Vincent Danen 2009-05-06 18:00:29 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1573 to
the following vulnerability:

Name: CVE-2009-1573
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1573
Assigned: 20090506
Reference: MLIST:[oss-security] 20090505 CVE id request: Debian/Ubuntu specific issue in xvfb-run (xorg)
Reference: URL: http://www.openwall.com/lists/oss-security/2009/05/05/2
Reference: MLIST:[oss-security] 20090505 Re: CVE id request: Debian/Ubuntu specific issue in xvfb-run (xorg)
Reference: URL: http://www.openwall.com/lists/oss-security/2009/05/05/4
Reference: CONFIRM: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526678

xvfb-run 1.6.1 in Debian GNU/Linux, Ubuntu, Fedora 10, and possibly
other operating systems place the magic cookie (MCOOKIE) on the
command line, which allows local users to gain privileges by listing
the process and its arguments.
Comment 3 Vincent Danen 2009-12-03 13:53:28 EST
This is still an issue in Fedora 12, so this still affects 10, 11, and 12.
Comment 5 Vincent Danen 2013-05-08 13:56:46 EDT
This was corrected in xorg-x11-server-1.9.0-9.fc14.
