Created attachment 289761: xorg-cve-2011-4028+4029.patch

** Please note that this issue is confidential and no information should be disclosed until it is made public, see "Whiteboard" for a date **

vladz reported the following two issues to the linux-distros security mailing list:

Disclosure of file existence (CVE-2011-4028) [A4]
-------------------------------------------------

"When launched with root privileges, Xorg allows the non-root user to deduce if a file exists or not by using a file existence disclosure vulnerability. If a non-root user wants to know if a file exists in a non-readable directory (for example "/root"), he will first create a symbolic link "/tmp/.X1-lock" that points to the target file (let's say "/root/file") and start Xorg on an unused display. Xorg will then have different behaviors depending on the target file's existence and type:

- If it does not exist, Xorg will immediately stop with the fatal message: "Can't read lock file /tmp/.X1-lock"
- If it exists, Xorg will immediately stop with the fatal message: "Server is already active for display 1 If this server is no longer running, remove /tmp/.X1-lock and start again."
- If it exists AND is a directory, Xorg removes the link and starts
- If it exists AND is a fifo, Xorg gets stuck"

File content disclosure (CVE-2011-4029) [A3]
--------------------------------------------

Xorg uses chmod(2) to modify the permissions of its lockfiles /tmp/.Xn-lock (with n being the display number). This behavior is prone to a race condition in which the lockfile can be replaced with a symbolic link to the file the attacker wants to make world-readable.

I'm attaching a patch for both issues.

chithanh, please prepare an ebuild using this patch and attach it to this bug. Do NOT commit any files to CVS. We'll do prestabling afterwards on this bug.

Current CRD is October 18, 1400 UTC
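Both issues reported above come down to the same defect: the server operates on a pathname under /tmp that another local user can pre-create as a symlink, and it reacts differently depending on what the link points at. The following C program is an added example written for this page; it is not Xorg's code and not the attached patch. It creates a lock file with O_CREAT|O_EXCL|O_NOFOLLOW, so a pre-existing symlink is refused with the same EEXIST result whether or not its target exists (no existence oracle), and it sets the final permissions with fchmod() on the descriptor it opened rather than chmod() on the pathname (no window for a link swap). The scratch directory, the "secret" file and the ".X1-lock" name are constructed for the demonstration; the demo function returns 0 when every expectation holds.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of the lock-file creation routine (names constructed for this example). */
enum lock_result { LOCK_CREATED = 0, LOCK_EXISTS = 1, LOCK_ERROR = 2 };

/* Create the lock file at `path` without ever acting on a pathname that may
 * have been turned into a symlink by another user:
 *  - O_CREAT|O_EXCL fails with EEXIST if anything already sits at `path`,
 *    including a symlink, and it does so identically for a dangling link and
 *    a link to an existing file, so the caller learns nothing about the target;
 *  - O_NOFOLLOW additionally refuses to follow a symlink;
 *  - fstat()/fchmod() act on the descriptor we created, not on the pathname,
 *    so a later swap of the path for a link cannot redirect the chmod. */
enum lock_result create_lock_file(const char *path, const char *contents)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return errno == EEXIST ? LOCK_EXISTS : LOCK_ERROR;

    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return LOCK_ERROR;
    }
    if (write(fd, contents, strlen(contents)) != (ssize_t)strlen(contents)
        || fchmod(fd, 0444) < 0) {
        close(fd);
        return LOCK_ERROR;
    }
    close(fd);
    return LOCK_CREATED;
}

/* Helper: create a private (mode 0600) file standing in for a non-readable target. */
static int write_private_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Helper: permission bits of `path` (following symlinks), or -1 on error. */
static int mode_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

/* Demonstration: returns 0 if every expectation holds, a bitmask otherwise,
 * negative if the scratch setup itself failed. */
int run_lockfile_demo(void)
{
    char dir[] = "/tmp/lockdemo.XXXXXX";   /* constructed scratch directory */
    if (mkdtemp(dir) == NULL) return -1;
    char secret[256], lock[256];
    snprintf(secret, sizeof secret, "%s/secret", dir);
    snprintf(lock, sizeof lock, "%s/.X1-lock", dir);
    int rc = 0;

    /* Scenario 1: the lock path is a symlink to a file that does not exist. */
    if (symlink("/nonexistent/target", lock) != 0) return -2;
    if (create_lock_file(lock, "demo\n") != LOCK_EXISTS) rc |= 1;
    unlink(lock);

    /* Scenario 2: the lock path is a symlink to an existing private file.
     * Same result as scenario 1, and the private file's mode is untouched. */
    if (write_private_file(secret, "private\n") != 0) return -3;
    if (symlink(secret, lock) != 0) return -4;
    if (create_lock_file(lock, "demo\n") != LOCK_EXISTS) rc |= 2;
    if (mode_of(secret) != 0600) rc |= 4;
    /* Contrast: chmod(2) on the pathname follows the link and alters the
     * target's permissions, which is the defect the report describes. */
    if (chmod(lock, 0444) != 0 || mode_of(secret) != 0444) rc |= 8;
    unlink(lock);

    /* Scenario 3: nothing at the path; a fresh lock is created with mode 0444,
     * and a second attempt reports that it exists. */
    if (create_lock_file(lock, "demo\n") != LOCK_CREATED) rc |= 16;
    if (mode_of(lock) != 0444) rc |= 32;
    if (create_lock_file(lock, "demo\n") != LOCK_EXISTS) rc |= 64;

    unlink(lock); unlink(secret); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = run_lockfile_demo();
    printf("lockfile demo: %s (rc=%d)\n", rc == 0 ? "all expectations hold" : "FAILED", rc);
    return rc == 0 ? 0 : 1;
}
```

Build with `cc -o lockdemo lockdemo.c && ./lockdemo` on a system whose /tmp supports symlinks. The point of scenarios 1 and 2 together is that the only signal available to the caller is "something is already there"; the dangling link and the link to a private file are indistinguishable, and the private file's mode survives, whereas the chmod-by-pathname line shows how the same symlink redirects a permission change.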
Created attachment 289769: xorg-server-1.10.4-r1.ebuild
Created attachment 289771: xorg-server-1.9.5-r1.ebuild
Arch Security Liaisons, please test the attached ebuilds and report them stable on this bug. Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"
HPPA is OK.
AMD64 signs off on both versions.
This is now public as per $URL. chithanh, you can now commit the ebuilds with amd64 and hppa stable.
18 Oct 2011; Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org> +xorg-server-1.9.5-r1.ebuild, +xorg-server-1.10.4-r1.ebuild, +xorg-server-1.11.1-r1.ebuild, +files/xorg-cve-2011-4028+4029.patch:
Add patch for security bug #387069.

Arches, please test and mark stable:
=x11-base/xorg-server-1.9.5-r1
=x11-base/xorg-server-1.10.4-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"
Already stable : "amd64 hppa"
Missing keywords: "alpha arm ia64 ppc ppc64 sh sparc x86"
works for me on x86
(removing this space from the summary helps my batch stabilization tool; feel free to contact me about this off-bugzilla, especially if you generate the summary in an automated way)
x86 stable
alpha/arm/ia64/sh/sparc stable
ppc/ppc64 stable, last arch done
This issue was resolved and addressed in GLSA 201110-19 at http://security.gentoo.org/glsa/glsa-201110-19.xml by GLSA coordinator Alex Legler (a3li).
CVE-2011-4029 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4029): The LockServer function in os/utils.c in X.Org xserver before 1.11.2 allows local users to change the permissions of arbitrary files to 444, read those files, and possibly cause a denial of service (removed execution permission) via a symlink attack on a temporary lock file.

CVE-2011-4028 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4028): The LockServer function in os/utils.c in X.Org xserver before 1.11.2 allows local users to determine the existence of arbitrary files via a symlink attack on a temporary lock file, which is handled differently if the file exists.