Bug 219750 - x11-terms/mrxvt < 0.5.3-r2 X11 Display Security Issue (CVE-2008-1142)
Summary: x11-terms/mrxvt < 0.5.3-r2 X11 Display Security Issue (CVE-2008-1142)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/29576
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
Reported: 2008-04-29 19:28 UTC by Matt Fleming (RETIRED)
Modified: 2008-05-07 18:59 UTC (History)
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments
Patch fixing the security issue (mrxvt-0.5.3-display-security.patch, 1.91 KB, patch), 2008-04-29 20:50 UTC, Gautam Iyer

Description Matt Fleming (RETIRED) gentoo-dev 2008-04-29 19:28:46 UTC
mrxvt-0.5.3 is vulnerable to the same X11 Display issue as rxvt:

"The security issue is caused due to the program using ":0" as its X11 display
if the DISPLAY environment variable is missing. This can be exploited to
execute arbitrary commands with the privileges of the user running rxvt via a
malicious X server."

rxvt bug #217819
Comment 1 Matt Fleming (RETIRED) gentoo-dev 2008-04-29 19:29:45 UTC
Setting whiteboard and cc.
Comment 2 Krzysztof Pawlik (RETIRED) gentoo-dev 2008-04-29 19:40:46 UTC
Adding Gautam Iyer, as he is upstream for mrxvt and has an account here.

Gautam: could you check out the patch in bug #217819 and provide a new version of mrxvt?
Comment 3 Gautam Iyer 2008-04-29 20:50:15 UTC
Created attachment 151368
Patch fixing the security issue

Here's the patch (now in SVN).

This patch will have (almost) no effect unless the LOCAL_X_IS_UNIX flag is defined in src/feature.h. When this flag is defined, mrxvt will force a "unix:" to be prepended to (local) display strings passed to the X server.

If this flag is not defined, then mrxvt will use the -display option unchanged, or pass NULL to XOpenDisplay(), letting the server get the display from the environment. (If display is undefined, mrxvt will exit). This is what happens with most X programs on my currently installed Gentoo laptop.

I'm a little reluctant to #define LOCAL_X_IS_UNIX by default. It might break something for someone. Would it be possible for you to #define LOCAL_X_IS_UNIX based on some USE flag? I don't know if "hardened" is appropriate, since that doesn't necessarily mean that the X server will like "unix:0.0" displays. I also notice that most other X programs don't care about this. (They either pass NULL, or the display option verbatim, to XOpenDisplay().)

GI
Comment 4 Krzysztof Pawlik (RETIRED) gentoo-dev 2008-04-30 07:02:04 UTC
(In reply to comment #3)
> Here's the patch (now in SVN).

Great :) Thank you for fast response.

> I'm a little reluctant to #define LOCAL_X_IS_UNIX by default. It might break
> something for someone. Would it be possible for you to #define LOCAL_X_IS_UNIX
> based on some USE flag? I don't know if "hardened" is appropriate, since that
> doesn't necessarily mean that the X server will like "unix:0.0" displays. I
> also notice that most other X programs don't care about this. (They either pass
> NULL, or the display option verbatim to XOpenDisplay() ).

I have left it undefined for now. That way mrxvt will rely on the X server to take care of the DISPLAY string, so if a user wants to shoot himself in the foot, he can do it.


Security: x11-terms/mrxvt-0.5.3-r2 added to the tree, target KEYWORDS="alpha amd64 ~mips ppc x86"; as 0.5.3-r2 has only the above patch in comparison with 0.5.2-r1, the stabilization should be an easy one.

Testing procedure:
 * open xterm
 * start mrxvt from xterm - should open on same display
 * unset DISPLAY in xterm
 * try to start mrxvt, it should fail with: "Error opening display (null)"
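The display selection that the patch in comment 3 changes, and the failure the testing procedure above expects, as an added C example that is not mrxvt's own code: the old ":0" fallback beside the fixed logic, with LOCAL_X_IS_UNIX modelled as a parameter. The function names and the rule that a display string starting with ':' is local are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not mrxvt's code: how a terminal chooses the string
 * it passes to XOpenDisplay(). Names are hypothetical; treating a display
 * that starts with ':' as "local" is an assumption. */

/* Pre-fix: no -display and no DISPLAY silently becomes ":0", so the client
 * connects to whatever answers on that display (CVE-2008-1142). */
const char *vulnerable_pick_display(const char *opt, const char *env)
{
    if (opt && *opt) return opt;
    if (env && *env) return env;
    return ":0";
}

/* Fixed: never invent a display. Returns 0 with out empty when nothing is
 * given, so the caller passes NULL to XOpenDisplay() and, with DISPLAY
 * unset, fails with "Error opening display (null)". With local_x_is_unix
 * (mrxvt's LOCAL_X_IS_UNIX) a local ":0.0" becomes "unix:0.0". */
int fixed_pick_display(const char *opt, const char *env, int local_x_is_unix,
                       char *out, size_t outlen)
{
    const char *d = (opt && *opt) ? opt : (env && *env) ? env : NULL;
    if (!d) {
        out[0] = '\0';
        return 0;
    }
    if (local_x_is_unix && d[0] == ':')
        snprintf(out, outlen, "unix%s", d);
    else
        snprintf(out, outlen, "%s", d);
    return 1;
}

int main(void)
{
    char buf[64];
    printf("old default, no DISPLAY: %s\n", vulnerable_pick_display(NULL, NULL));
    if (!fixed_pick_display(NULL, NULL, 0, buf, sizeof buf))
        printf("fixed, no DISPLAY: Error opening display (null)\n");
    fixed_pick_display(NULL, ":0.0", 1, buf, sizeof buf);
    printf("fixed, LOCAL_X_IS_UNIX, DISPLAY=:0.0: %s\n", buf);
    fixed_pick_display("remotehost:1", NULL, 1, buf, sizeof buf);
    printf("fixed, LOCAL_X_IS_UNIX, -display remotehost:1: %s\n", buf);
    return 0;
}
```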
Comment 5 Gautam Iyer 2008-04-30 07:37:17 UTC
(In reply to comment #4)
>> I'm a little reluctant to #define LOCAL_X_IS_UNIX by default. It
>> might break something for someone. Would it be possible for you to
>> #define LOCAL_X_IS_UNIX based on some USE flag? I don't know if
>> "hardened" is appropriate, since that doesn't necessarily mean that
>> the X server will like "unix:0.0" displays. I also notice that most
>> other X programs don't care about this. (They either pass NULL, or
>> the display option verbatim to XOpenDisplay() ).
> 
> I have left it undefined for now. That way mrxvt will rely on X server to take
> care of DISPLAY string, so if user wants to shoot his foot he can do it.

Ok. I realize that the original reporter meant something slightly
different: If DISPLAY is unset (or unusable) then mrxvt used to connect
to :0.0 by default. Thus if you have a malicious X server, it can fool
the user into connecting to the wrong one.

It didn't seem much of an issue to me. X servers are usually suid root.
They don't need to fool anyone into connecting to do something
malicious...

Either way, this is not an issue now. 

> Security: x11-terms/mrxvt-0.5.3-r2 added to the tree, target KEYWORDS="alpha
> amd64 ~mips ppc x86", as 0.5.3-r2 has only the above patch in comparison with
> 0.5.2-r1 the stabilization should be an easy one.

Thanks for the updated ebuild,

GI
Comment 6 Christian Hoffmann (RETIRED) gentoo-dev 2008-05-03 13:55:27 UTC
Arches, please test and mark stable (as noted in comment #4)
x11-terms/mrxvt-0.5.3-r2
Target keywords: alpha amd64 ~mips ppc x86
Already stabled: amd64
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2008-05-03 15:41:54 UTC
x86 stable
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2008-05-04 09:48:12 UTC
alpha stable
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2008-05-06 17:38:22 UTC
ppc stable
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2008-05-07 18:59:39 UTC
GLSA 200805-03