Bug 129151 - gnome-base/gdm possible local issue (CVE-2006-1057)
Summary: gnome-base/gdm possible local issue (CVE-2006-1057)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/bugzilla/...
Whiteboard: [noglsa] jaervosz
Keywords:
Duplicates: 130715 132971
Depends on:
Blocks:

Reported: 2006-04-07 10:19 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2019-12-22 11:57 UTC
CC: 4 users

See Also:
Package list:
Runtime testing required: ---


Attachments
Proposed upstream patch (gdmdiff.out, 1.21 KB, patch)
2006-04-07 21:50 UTC, Sune Kloppenborg Jeppesen (RETIRED)
gdm-CVE-2006-1057.patch (gdm-CVE-2006-1057.patch, 1.77 KB, patch)
2006-04-10 07:48 UTC, Leonardo Boshell (RETIRED)
gdm-2.8.0.7-user-must-own-iceauthority.patch (gdm-2.8.0.7-user-must-own-iceauthority.patch, 2.92 KB, patch)
2006-04-10 16:21 UTC, Sune Kloppenborg Jeppesen (RETIRED)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-07 10:19:27 UTC
I just found this gem in GDM, in daemon/slave.c:

                if (seteuid (pwent->pw_uid) == 0 &&
                    access (".ICEauthority", F_OK) == 0) {
                        /* sanitize .ICEauthority to be of the correct
                         * permissions, if it exists */
                        struct stat s;
                        if (stat (home_dir, &s) == 0 &&
                            s.st_uid == pwent->pw_uid &&
                            stat (".ICEauthority", &s) &&
                            S_ISREG (s.st_mode) &&
                            (s.st_uid != pwent->pw_uid ||
                             s.st_gid != pwent->pw_gid ||
                             (s.st_mode & (S_IRWXG|S_IRWXO)))) {
                                /* This may not work on NFS, but oh well, there
                                 * this is beyond our help, but it's unlikely
                                 * that it got screwed up when NFS was used
                                 * in the first place */
                                seteuid (0);
                                /* only if we own the current directory */
                                chown (".ICEauthority",
                                       pwent->pw_uid,
                                       pwent->pw_gid);
                                chmod (".ICEauthority", S_IRUSR | S_IWUSR);

which is of course racy and buggy (between access() and stat()) and can lead
to local privilege escalation (just symlink to a cron script or similar).

Online link:
        http://cvs.gnome.org/viewcvs/gdm2/daemon/slave.c?rev=1.320&view=markup

It was introduced by this patch:
        http://cvs.gnome.org/viewcvs/gdm2/daemon/slave.c?r1=1.260&r2=1.261
for GDM version 2.6.0.8.


The correct way would be to open(), fstat(), compare with lstat() result,
then fchown() / fchmod() (I think).

Or why not just unlink(".ICEauthority") if it is fishy in any way and 
let the next program using it set it up again?
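The open()/fstat()/lstat()/fchown()/fchmod() approach suggested at the end of the report, worked through as an added example that is neither GDM's code nor the reporter's. It goes slightly beyond the suggestion by opening with O_NOFOLLOW and re-checking the name with fstatat() instead of a plain lstat(); the helper names sanitize_iceauthority and demo_sanitize, the ICE_* return codes and the temp-directory fixture are all assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum { ICE_OK = 0, ICE_ABSENT = 1, ICE_REJECTED = 2, ICE_ERROR = -1 };
/* Hypothetical helper, not GDM's code: open with O_NOFOLLOW, fstat() the descriptor,
 * check the name still means that inode (fstatat NOFOLLOW), fix owner/mode via the fd. */
int sanitize_iceauthority(const char *home, uid_t uid, gid_t gid)
{
    struct stat fs, ls;
    int rc = ICE_ERROR, dfd = open(home, O_RDONLY | O_DIRECTORY);
    if (dfd < 0) return ICE_ERROR;
    int fd = openat(dfd, ".ICEauthority", O_RDONLY | O_NOFOLLOW);
    if (fd < 0) {                       /* ELOOP: the entry is a symlink, refuse it */
        int e = errno; close(dfd);
        return e == ENOENT ? ICE_ABSENT : e == ELOOP ? ICE_REJECTED : ICE_ERROR;
    }
    if (fstat(fd, &fs) == 0 && fstatat(dfd, ".ICEauthority", &ls, AT_SYMLINK_NOFOLLOW) == 0) {
        if (!S_ISREG(fs.st_mode) || fs.st_ino != ls.st_ino || fs.st_dev != ls.st_dev)
            rc = ICE_REJECTED;          /* not a plain file, or swapped since open() */
        else if (((fs.st_uid != uid || fs.st_gid != gid) && fchown(fd, uid, gid) != 0) ||
                 ((fs.st_mode & (S_IRWXG | S_IRWXO)) && fchmod(fd, S_IRUSR | S_IWUSR) != 0))
            rc = ICE_ERROR;             /* fchown()/fchmod() act on the inode we checked */
        else rc = ICE_OK;
    }
    close(fd); close(dfd);
    return rc;
}

/* Constructed fixture: a temp home holding a 0666 .ICEauthority, then that name
 * replaced by a symlink to /etc/passwd. Returns 1 when both cases behave. */
int demo_sanitize(void)
{
    char home[] = "/tmp/icedemoXXXXXX", path[64]; struct stat st;
    if (!mkdtemp(home)) return 0;
    snprintf(path, sizeof path, "%s/.ICEauthority", home);
    int fd = open(path, O_WRONLY | O_CREAT, 0666);
    if (fd < 0 || fchmod(fd, 0666) != 0 || close(fd) != 0) return 0;  /* undo umask */
    int ok = sanitize_iceauthority(home, getuid(), getgid()) == ICE_OK
          && stat(path, &st) == 0 && (st.st_mode & 0777) == 0600;
    unlink(path);
    ok = ok && symlink("/etc/passwd", path) == 0
          && sanitize_iceauthority(home, getuid(), getgid()) == ICE_REJECTED;
    unlink(path); rmdir(home);
    return ok;
}
```

Because every check and every fix-up goes through the descriptor, swapping the directory entry between any two calls changes nothing about the inode that gets chowned or chmodded.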
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-07 10:20:22 UTC
Above reported by Marcus Meissner from SUSE.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-07 21:50:58 UTC
Created attachment 84189 [details, diff]
Proposed upstream patch
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-07 21:55:27 UTC
Saleem please be prepared to provide a quick update on this one or CC another from the gnome team.

The attached patch is not final so you might want to wait some hours before doing anything. So just consider this as a notification.

Also note that unless the code is present in upstream CVS it cannot yet be committed to Portage. Instead attach any ebuild changes to this bug.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-10 02:45:28 UTC
g_stat (".ICEauthority", &s) &&

should be

(g_stat (".ICEauthority", &s) == 0) &&

CCing Leonardo since Saleem didn't respond.
Comment 5 Leonardo Boshell (RETIRED) gentoo-dev 2006-04-10 07:48:03 UTC
Created attachment 84367 [details, diff]
gdm-CVE-2006-1057.patch

Patch from CVS + suggestion from comment #4, which seems to be right as far as I can tell
Comment 6 Leonardo Boshell (RETIRED) gentoo-dev 2006-04-10 07:52:21 UTC
Ebuild changes:

----

--- gdm-2.14.0.ebuild   2006-03-17 18:43:37.000000000 -0500
+++ gdm-2.14.0-r1.ebuild        2006-04-10 09:36:11.000000000 -0500
@@ -96,6 +96,9 @@

        # Fix missing intllib
        epatch ${FILESDIR}/${PN}-2.13.0.7-gdm-dmx-intllibs.patch
+
+       # Unlink ~/.ICEauthority instead of trying to chown/chmod it (bug #129151)
+       epatch ${FILESDIR}/${PN}-CVE-2006-1057.patch

        gnome2_omf_fix docs/*/Makefile.in docs/Makefile.in
 }
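Review bot: the comment on the new epatch line describes the patch as unlinking ~/.ICEauthority, but comment 5 says attachment 84367 is the upstream CVS patch plus the `(g_stat (".ICEauthority", &s) == 0)` correction from comment 4, which upstream CVS does not yet carry; naming that local deviation in the ebuild comment (or in the patch header) would keep whoever rebases onto the fixed 2.14.1 tarball from silently dropping it.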

----

Let us know if it's OK to commit and unmask (it's in p.mask along with the rest of GNOME 2.14, but I think gdm could be removed without hassle since it doesn't depend on other masked ebuilds). Thanks.
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-10 16:21:30 UTC
Created attachment 84407 [details, diff]
gdm-2.8.0.7-user-must-own-iceauthority.patch

New upstream patch that also fixes:

https://bugzilla.novell.com/show_bug.cgi?id=162952

Which I'm not able to see.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-10 16:22:54 UTC
A fixed 2.14.1 tarball should be released any minute now. When it does you're free to commit and call arches.

If it is not available by tomorrow morning I'll call Arch Security Liaisons to test this patched version.
Comment 9 Leonardo Boshell (RETIRED) gentoo-dev 2006-04-11 11:38:34 UTC
gdm-2.8.0.7-r1.ebuild and gdm-2.14.1.ebuild have been committed, both including the fix from upstream.

gdm-2.8.0.7-r1 is the version to be marked stable by the arch teams; gdm-2.14.1 is still hardmasked along with the rest of GNOME 2.14.

Thanks.
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-11 22:34:09 UTC
There seems to be some discussion whether this is exploitable or not. To be on the safe side I'm calling arches now.
Comment 11 Markus Rothe (RETIRED) gentoo-dev 2006-04-11 23:25:20 UTC
stable on ppc64
Comment 12 Thomas Cort (RETIRED) gentoo-dev 2006-04-12 09:40:44 UTC
stable on alpha.
Comment 13 Daniel Gryniewicz (RETIRED) gentoo-dev 2006-04-12 16:20:10 UTC
amd64 done
Comment 14 Jason Wever (RETIRED) gentoo-dev 2006-04-12 19:16:35 UTC
This SPARC ebuild SPARC has SPARC been SPARC marked SPARC stable SPARC on SPARC SPARC.  Please SPARC drive SPARC through SPARC.  Thank SPARC you.
Comment 15 Matthias Langer 2006-04-13 05:10:15 UTC
gdm-2.8.0.7-r1 [-debug +ipv6 +pam (-selinux) +tcpd -xinerama] seems to work fine on x86. For testing I've done a few logins and configuration changes.

Portage 2.0.54 (default-linux/x86/2006.0, gcc-3.4.5, glibc-2.3.5-r3, 2.6.15-gentoo-r5 i686)
=================================================================
System uname: 2.6.15-gentoo-r5 i686 AMD Athlon(tm) XP 2400+
Gentoo Base System version 1.6.14
dev-lang/python:     2.3.5-r2, 2.4.2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=athlon-xp -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/eselect/compiler /etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=athlon-xp -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig collision-protect distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.inode.at/ "
LANG="en_US.utf8"
LC_ALL="en_US.utf8"
LINGUAS="en de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://192.168.0.1/gentoo-portage"
USE="x86 3dnow 3dnowext X a52 aalib alsa apm audiofile avi berkdb bitmap-fonts bonobo bzip2 bzlib cairo cdr cli crypt css ctype cups curl dba dbus divx4linux dri dts dv dvd dvdr dvdread emboss encode evo exif expat fam fame fastbuild ffmpeg firefox flac foomaticdb force-cgi-redirect fortran ftp gd gdbm gif glut gmp gnome gphoto2 gpm gstreamer gtk gtk2 gtkhtml guile hal idn imagemagick imlib ipv6 isdnlog java jpeg junit lcms libg++ libwww mad memlimit mhash mikmod mmx mmxext mng motif mp3 mpeg nautilus ncurses nls nptl nsplugin nvidia ogg oggvorbis openal opengl pam pcre pdflib perl plotutils png posix pppd python quicktime readline real ruby sdl session simplexml slang soap sockets speex spell spl sqlite sse ssl subtitles svga tcltk tcpd tetex theora tiff tokenizer truetype truetype-fonts type1-fonts udev unicode usb vcd video_cards_nvidia vorbis win32codecs wma xine xml xml2 xmms xsl xv xvid zlib linguas_en linguas_de userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, INSTALL_MASK, LDFLAGS
Comment 16 Chris Gianelloni (RETIRED) gentoo-dev 2006-04-13 06:16:53 UTC
x86 is done
Comment 17 René Nussbaumer (RETIRED) gentoo-dev 2006-04-14 07:06:50 UTC
stable on hppa
Comment 18 Stephen Becker (RETIRED) gentoo-dev 2006-04-14 18:12:13 UTC
stable on mips
Comment 19 Thierry Carrez (RETIRED) gentoo-dev 2006-04-15 05:59:00 UTC
PPC please test and mark stable
security: we must make up our minds whether this is really exploitable or not: should we issue a GLSA?
Comment 20 Tobias Scherbaum (RETIRED) gentoo-dev 2006-04-15 08:16:34 UTC
ppc stable
Comment 21 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-20 09:15:58 UTC
I tend to vote NO, unless someone determines that it is indeed exploitable.
Comment 22 Thierry Carrez (RETIRED) gentoo-dev 2006-04-21 08:31:13 UTC
*** Bug 130715 has been marked as a duplicate of this bug. ***
Comment 23 Thierry Carrez (RETIRED) gentoo-dev 2006-04-21 08:46:55 UTC
See Impact=Low at URL.
I tend to vote no, especially since nobody else released something here.
Comment 24 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-04-21 14:13:47 UTC
As for http://www.securityfocus.com/bid/17635 , it seems not really dangerous.

I vote No.
Comment 25 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-21 22:38:23 UTC
Voting full NO and closing. Feel free to reopen if you disagree.
Comment 26 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-02 07:58:19 UTC
I suggest to reopen it because of a regression: http://bugzilla.gnome.org/show_bug.cgi?id=340347 , thanks to jaervosz for the link.

The patch below has just been applied to 2.14 and cvs head branches.

diff -u -p -r1.325 slave.c
--- daemon/slave.c	14 Apr 2006 17:53:51 -0000	1.325
+++ daemon/slave.c	1 May 2006 21:13:13 -0000
@@ -3543,6 +3543,7 @@ session_child_run (struct passwd *pwent,
                         close (iceauth_fd);
         }
 
+	NEVER_FAILS_setegid (pwent->pw_gid);
 #ifdef HAVE_LOGINCAP
 	if (setusercontext (NULL, pwent, pwent->pw_uid,
 			    LOGIN_SETLOGIN | LOGIN_SETPATH |
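Review bot: the added NEVER_FAILS_setegid (pwent->pw_gid) sits after the iceauth_fd clean-up and before the #ifdef HAVE_LOGINCAP block, so it runs on both the logincap and non-logincap paths, which is the right place for it; what the hunk does not say is why the effective gid needs restoring at this point, so a one-line comment naming the regression it fixes (GNOME bug 340347, linked in the comment above) would help the next reader, and it is worth confirming that the effective uid switched for the .ICEauthority handling is likewise back to what the session setup expects, since this hunk only touches the gid.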


Leonardo or another, please can you repair this, thanks.
Comment 27 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-02 08:06:55 UTC
Leonardo please advise and patch as necessary.
Comment 28 Thierry Carrez (RETIRED) gentoo-dev 2006-05-02 09:20:30 UTC
Note: this isn't a vulnerability per se, just an impact booster (if there is a vuln in gdm it will potentially have bigger impact) so no GLSA over the fix.

Moving to default configs.
Comment 29 Leonardo Boshell (RETIRED) gentoo-dev 2006-05-02 19:43:03 UTC
I've added gdm-2.14.5 to the tree. Note however that this problem only affected gdm-2.14.4, which was never in the tree, so we haven't been affected by this.
Comment 30 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-02 21:46:45 UTC
Thx Leonardo.

I'll just reclose this one.
Comment 31 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-11 00:22:43 UTC
*** Bug 132971 has been marked as a duplicate of this bug. ***