Bug 795853 (CVE-2012-0871) - CVE-2012-0871 systemd: insecure file creation may lead to elevated privileges
Summary: CVE-2012-0871 systemd: insecure file creation may lead to elevated privileges
Alias: CVE-2012-0871
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 799086
Blocks: 795857
Reported: 2012-02-21 16:28 UTC by Vincent Danen
Modified: 2023-05-11 18:39 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2012-03-22 12:38:29 UTC


External Tracker: Novell 747154 (Private: 0, Priority: None, Status: None, Summary: None, Last Updated: Never)

Description Vincent Danen 2012-02-21 16:28:44 UTC
Sebastian Krahmer of the SUSE Security Team reported that systemd-logind, a part of the systemd service and system manager, did not create certain special files in a secure way.  systemd-logind is responsible for managing and tracking user login sessions, and if a user were to log into the X11 desktop, it creates entries in /run/user/[username]/X11, where /run/user/[username] is a user-owned directory.  Because systemd-logind does not create the entries in a secure fashion, a malicious user could replace /run/user/[username]/X11 with a symlink to another root-owned directory, such as /etc/pam.d or /etc/cron.d.  This would cause a symlink named "display" to be created in the target directory, which is a symlink to a user-owned file (/tmp/.X11-unix/X0).  Using further attack vectors and this symlink, the malicious user could obtain a root shell, if he could beat two separate race conditions.


Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for reporting this issue.

Comment 1 Vincent Danen 2012-02-21 16:42:08 UTC
Sebastian indicated that the following git commit removes the X11/ directory, rendering this ineffective, although it's not known whether this fixes the flaw fully, or simply renders this one avenue ineffective.


Comment 4 Stefan Cornelius 2012-03-01 09:38:36 UTC
This is public now:

Comment 6 Tomas Hoger 2012-03-01 12:49:17 UTC
SUSE bug report:

Comment 9 Stefan Cornelius 2012-03-01 18:37:31 UTC
Created systemd tracking bugs for this issue

Affects: fedora-all [bug 799086]

Comment 14 Fedora Update System 2012-03-11 23:20:30 UTC
systemd-37-15.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
