sddm passes the `-auth` and `-displayfd` command line arguments when starting the Xserver. It then waits for the display number to be received from the Xserver via the `displayfd`, before the Xauthority file specified via the `-auth` parameter is actually written. This results in a race condition, creating a time window in which no valid Xauthority file exists while the Xserver is already running.

The X.Org server, when encountering a non-existing, empty or corrupt/incomplete Xauthority file, will grant any connecting client access to the Xorg display [2]. A local unprivileged attacker can thus create an unauthorized connection to the Xserver and grab e.g. keyboard input events from other legitimate users accessing the Xserver.

Reference: https://www.openwall.com/lists/oss-security/2020/11/04/2
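The file states named above (missing, empty, incomplete) can be checked mechanically. The following Python code is an added example, not sddm or X.Org code: it parses the Xauthority record layout and writes a complete cookie file atomically, so that the file exists before a server would be launched. Assumptions: the helper names, the `no-cookie` state, and the wildcard family with an empty display-number field are choices made for this example, not taken from the report.

```python
import os, secrets, struct, tempfile

FAMILY_WILD = 0xFFFF                  # FamilyWild value from the X11 headers
COOKIE = b"MIT-MAGIC-COOKIE-1"

def pack_entry(display, cookie):
    """One record: u16 family, then four u16-length-prefixed strings."""
    fields = (b"", display, COOKIE, cookie)   # address, number, name, data
    return struct.pack(">H", FAMILY_WILD) + b"".join(struct.pack(">H", len(f)) + f for f in fields)

def parse_entries(blob):
    """Parse every record; raise ValueError if one is cut short."""
    entries, pos = [], 0
    while pos < len(blob):
        fields = []
        for i in range(5):                    # family, then 4 counted strings
            if pos + 2 > len(blob):
                raise ValueError("truncated u16")
            (n,) = struct.unpack_from(">H", blob, pos)
            size = 0 if i == 0 else n         # family is a bare u16, no payload
            if pos + 2 + size > len(blob):
                raise ValueError("truncated string")
            fields.append(n if i == 0 else blob[pos + 2:pos + 2 + size])
            pos += 2 + size
        entries.append(tuple(fields))
    return entries

def auth_file_state(path):
    """Return 'missing', 'empty', 'corrupt', 'no-cookie' or 'valid'."""
    if not os.path.exists(path):
        return "missing"
    with open(path, "rb") as fh:
        blob = fh.read()
    if not blob:
        return "empty"
    try:
        entries = parse_entries(blob)
    except ValueError:
        return "corrupt"
    ok = any(e[3] == COOKIE and len(e[4]) == 16 for e in entries)
    return "valid" if ok else "no-cookie"     # 'no-cookie' is this example's label

def write_auth_file(path, display=b""):
    """Write a complete record atomically (assumed flow: before server start)."""
    cookie = secrets.token_bytes(16)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")  # mode 0600
    with os.fdopen(fd, "wb") as fh:
        fh.write(pack_entry(display, cookie))
    os.replace(tmp, path)                     # readers never see a partial file
    return cookie
```

Any state other than `valid` on the path handed to `-auth` while the server is already running corresponds to the window described in the report.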
Created sddm tracking bugs for this issue:

Affects: epel-all [bug 1894659]
Affects: fedora-all [bug 1894658]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.