A time-of-check, time-of-use (TOCTOU) race condition was found in the way the X.Org X11 X server managed its temporary lock files. After opening the temporary lock file for writing, the X.Org X11 X server did not recheck whether the originally opened file still referred to the same file on disk prior to relaxing permissions on the file. A local attacker could use this flaw to conduct symlink attacks (involving the X.Org X11 X server temporary lock file instance) and set the read permissions for all users on any file or directory, leading to disclosure of sensitive information.
For the exploit to succeed, the local attacker needs to be able to run the X.Org X11 X server.
Red Hat would like to thank the researcher with the nickname vladz for reporting this issue.
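The race described above, as an added example that is not part of this bug report and not X.Org's code: a small C program plays both sides of the TOCTOU once, deterministically, in a private scratch directory. The "server" creates a temporary lock file and writes its PID; the "attacker" swaps that path for a symlink to a mode-0600 victim file in the window before the permission change; the "server" then relaxes permissions either by path (chmod(), which follows whatever the path points to at that instant) or on the descriptor it actually opened (fchmod()). It also shows the identity re-check the description says was missing (fstat() on the descriptor compared with lstat() on the path). The directory and file names, the 0444 target mode and the victim file are assumptions for the demonstration; the only environment assumption is a writable /tmp.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The identity re-check the description says the server skipped: does the
 * descriptor opened earlier still refer to the object now at path?  lstat()
 * is used on purpose so that a symlink planted at path is compared as a
 * symlink rather than being followed to its target. */
int same_object(int fd, const char *path)
{
    struct stat by_fd, by_path;
    if (fstat(fd, &by_fd) != 0 || lstat(path, &by_path) != 0)
        return 0;
    return by_fd.st_dev == by_path.st_dev && by_fd.st_ino == by_path.st_ino;
}

/* Plays the race once in a private scratch directory (assumed: /tmp is
 * writable).  The attacker step runs deterministically between the server's
 * open() and its permission change, so no timing is involved.
 *   use_fchmod == 0: chmod(path, 0444)  - by path; follows whatever the path
 *                                         points to at that instant
 *   use_fchmod != 0: fchmod(fd, 0444)   - on the descriptor actually opened
 * Returns the victim file's permission bits afterwards, or -1 on setup
 * failure; *same_before / *same_after receive same_object() before and
 * after the attacker's swap. */
int run_scenario(int use_fchmod, int *same_before, int *same_after)
{
    static int run;
    char dir[64], victim[PATH_MAX], lock[PATH_MAX], pidbuf[16];
    struct stat st;
    int fd, result = -1;

    snprintf(dir, sizeof dir, "/tmp/toctou-demo.%ld.%d", (long)getpid(), run++);
    if (mkdir(dir, 0700) != 0)
        return -1;
    snprintf(victim, sizeof victim, "%s/secret", dir);
    snprintf(lock, sizeof lock, "%s/.tX0-lock.tmp", dir); /* illustrative name */

    /* Victim: a file the attacker may not read (mode 0600). */
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        goto out;
    if (write(fd, "secret\n", 7) != 7) { close(fd); goto out; }
    close(fd);

    /* "Server": create the temporary lock file and write its PID into it. */
    fd = open(lock, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        goto out;
    snprintf(pidbuf, sizeof pidbuf, "%10ld\n", (long)getpid());
    if (write(fd, pidbuf, strlen(pidbuf)) < 0) { close(fd); goto out; }
    *same_before = same_object(fd, lock);

    /* "Attacker": in the window before the permission change, replace the
     * lock file with a symlink pointing at the victim. */
    unlink(lock);
    if (symlink(victim, lock) != 0) { close(fd); goto out; }
    *same_after = same_object(fd, lock);

    /* "Server": relax permissions without re-checking what lock now is. */
    if (use_fchmod)
        fchmod(fd, 0444);
    else
        chmod(lock, 0444);
    close(fd);

    if (stat(victim, &st) == 0)
        result = (int)(st.st_mode & 0777);
out:
    unlink(lock);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    int before, after, mode;

    mode = run_scenario(0, &before, &after);
    printf("chmod(path): victim mode %04o (recheck before=%d after=%d)\n", mode, before, after);
    mode = run_scenario(1, &before, &after);
    printf("fchmod(fd):  victim mode %04o (recheck before=%d after=%d)\n", mode, before, after);
    return 0;
}
```

With the path-based variant the victim ends up world-readable (0444); with fchmod() the mode change lands on the unlinked lock inode and the victim stays 0600. In both runs same_object() returns 1 before the swap and 0 after it, which is the check a server can use to abort instead of proceeding. Two caveats: the real attack has to win a timing race against the server rather than being handed the window, and on Linux with fs.protected_symlinks=1 a symlink owned by another user in a sticky, world-writable directory such as /tmp is not followed, which is why the demo uses a private subdirectory.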
Created attachment 528781
Proposed X.Org X11 server upstream patch for CVE-2011-4029 issue
This issue is now public. The following commit corrects the problem upstream:
This issue affects the current version (xorg-x11-server-Xorg-1.10.4-1.fc15.*) of the xorg-x11-server package, as shipped with Fedora release 15. Please schedule an update.
This issue does NOT affect the current version (xorg-x11-server-Xorg-1.11.4-1.fc16) of the xorg-x11-server package, as shipped with Fedora release 16. The deficiency is already corrected in this version.
Created xorg-x11-server tracking bugs for this issue
Affects: fedora-15 [bug 799349]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2012:0939 https://rhn.redhat.com/errata/RHSA-2012-0939.html