Bug#: 185660
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Matt Fleming (RETIRED) <mjf@gentoo.org>

Description:   Opened: 2007-07-17 14:55 0000
It seems that x11-apps/xfs-1.0.4 is vulnerable to this race condition.

http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=242903
http://www.securityfocus.com/archive/1/473514

Reproducible: Always

Steps to Reproduce:

------- Comment #1 From Jonathan Smith 2007-07-17 15:10:58 0000 -------
the vulnerability was in redhat's initscript. we don't ship redhat's
initscript. further, an examination of our own initscript shows that we do not
chown anything root:root in a racy way, so i'd say this is Not Our Bug (tm).

------- Comment #2 From Matt Fleming (RETIRED) 2007-07-17 15:32:31 0000 -------
Bah, sorry, I meant chmod, not chown. This is from the file /etc/init.d/xfs,


        ebegin "Starting X Font Server"
        if [ "`grep -e "^xfs:" /etc/passwd`" ] ; then
                # Fix possible security problem, turned to hard failure in 6.8.0
                # See discussion at http://freedesktop.org/bugzilla/show_bug.cgi?id=306
                rm -rf /tmp/.font-unix
                mkdir /tmp/.font-unix
                chmod 1777 /tmp/.font-unix

------- Comment #3 From Michael A. Smith 2007-07-17 16:12:34 0000 -------
At least this: 

mkdir /tmp/.font-unix

Could innocuously enough be improved to something like this: 

mkdir /tmp/.font-unix || {
  eerror "Failed to create temporary directory"
  exit 1
}

------- Comment #4 From Pierre-Yves Rofes 2007-07-26 12:03:06 0000 -------
x11, what's the status here? is there something to do? please advise.

------- Comment #5 From Donnie Berkholz 2007-07-27 17:29:49 0000 -------
We should probably make a change similar to
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=242903#c5 -- as mentioned,
it's a very weak exploit. But if someone slips in after the 'rm -rf' but before
the 'chmod' while the service is being (re)started, there's an opportunity.
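
The window described in comment #5 closes if the script checks the result of mkdir (as comment #3 suggests) and lets mkdir set the mode instead of running a separate chmod. The following is an added example, not part of the original thread and not the change shipped in 1.0.4-r1; make_socket_dir is a hypothetical helper name and the directory path is passed in as a parameter.

```shell
#!/bin/sh
# Added example: race-free recreation of a world-writable sticky directory.
# make_socket_dir is a hypothetical helper, not taken from the Gentoo or
# Red Hat init scripts.

make_socket_dir() {
    dir=$1

    # Clear whatever is there. rm removes a symlink itself, never its target.
    rm -rf -- "$dir" || return 1

    # mkdir fails if anything reappeared at $dir after the rm, so a non-zero
    # status is treated as a hard failure. -m applies the mode as part of
    # that same successful mkdir, so chmod is never run on a path the
    # script did not create.
    if ! mkdir -m 1777 -- "$dir"; then
        echo "Failed to create $dir" >&2
        return 1
    fi

    # Re-check the result: a real directory (not a symlink) owned by us.
    if [ -L "$dir" ] || [ ! -d "$dir" ] || [ ! -O "$dir" ]; then
        echo "$dir is not a directory owned by the caller" >&2
        return 1
    fi
    return 0
}
```

In an init script the call would be `make_socket_dir /tmp/.font-unix || { eerror "Failed to create temporary directory"; exit 1; }`.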

------- Comment #6 From Pierre-Yves Rofes 2007-09-15 21:16:01 0000 -------
(In reply to comment #5)
> We should probably make a change [...]

err, what's that supposed to mean actually? :) 
Are you willing to change the script or not?

------- Comment #7 From Sune Kloppenborg Jeppesen 2007-09-24 16:25:13 0000 -------
Any news on this one?

------- Comment #8 From Donnie Berkholz 2007-09-30 08:22:00 0000 -------
Fixed in 1.0.4-r1.

------- Comment #9 From Pierre-Yves Rofes 2007-09-30 09:56:48 0000 -------
great, thanks.
Arches, please test and mark stable x11-apps/xfs-1.0.4-r1.
Target "alpha amd64 arm hppa mips ppc ppc64 s390 sh sparc x86"

------- Comment #10 From Markus Meier 2007-09-30 12:34:37 0000 -------
x86 stable

------- Comment #11 From Markus Rothe 2007-09-30 13:58:01 0000 -------
ppc64 stable

------- Comment #12 From Tobias Scherbaum 2007-09-30 19:04:28 0000 -------
ppc stable

------- Comment #13 From Joshua Kinard 2007-10-01 01:43:02 0000 -------
mips stable.

------- Comment #14 From Raúl Porcel 2007-10-01 13:20:22 0000 -------
alpha/sparc stable

------- Comment #15 From Jeroen Roovers 2007-10-01 14:51:18 0000 -------
Stable for HPPA.

------- Comment #16 From Steve Dibb 2007-10-04 14:20:13 0000 -------
amd64 stable

------- Comment #17 From Tobias Heinlein 2007-10-04 23:02:09 0000 -------
Last supported arch done, ready for vote.

------- Comment #18 From Pierre-Yves Rofes 2007-10-06 13:37:42 0000 -------
voting yes, let's combine it with bug #194606

------- Comment #19 From Robert Buchholz 2007-10-11 21:04:32 0000 -------
Voting yes, it's hard to exploit, but with critical impact. GLSA request with
#194606 filed.

------- Comment #20 From Matt Drew 2007-10-11 21:07:45 0000 -------
I vote yes, could conceivably be automated.

------- Comment #21 From Pierre-Yves Rofes 2007-10-12 21:54:46 0000 -------
GLSA 200710-11, sorry for the delay.
