| Summary: | x11-apps/xfs < 1.0.4-r1 chmod race condition (CVE-2007-3103) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Matt Fleming (RETIRED) <mjf> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | x11 |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B3? [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Matt Fleming (RETIRED)
2007-07-17 14:55:58 UTC
the vulnerability was in redhat's initscript. we don't ship redhat's initscript. further, an examination of our own initscript shows that we do not chown anything root:root in a racy way, so i'd say this is Not Our Bug (tm).

Bah, sorry, I meant chmod, not chown. This is from the file /etc/init.d/xfs,

```sh
ebegin "Starting X Font Server"
if [ "`grep -e "^xfs:" /etc/passwd`" ] ; then
	# Fix possible security problem, turned to hard failure in 6.8.0
	# See discussion at http://freedesktop.org/bugzilla/show_bug.cgi?id=306
	rm -rf /tmp/.font-unix
	mkdir /tmp/.font-unix
	chmod 1777 /tmp/.font-unix
```

At least this:

```sh
mkdir /tmp/.font-unix
```

Could innocuously enough be improved to something like this:

```sh
mkdir /tmp/.font-unix || {
	eerror "Failed to create temporary directory"
	exit 1
}
```

x11, what's the status here? is there something to do? please advise.

We should probably make a change similar to http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=242903#c5 -- as mentioned, it's a very weak exploit. But if someone slips in after the 'rm -rf' but before the 'chmod' while the service is being (re)started, there's an opportunity.

(In reply to comment #5)
> We should probably make a change [...]

err, what's that supposed to mean actually? :) Are you willing to change the script or not?

Any news on this one?

Fixed in 1.0.4-r1.

great, thanks. Arches, please test and mark stable x11-apps/xfs-1.0.4-r1. Target "alpha amd64 arm hppa mips ppc ppc64 s390 sh sparc x86"

x86 stable

ppc64 stable

ppc stable

mips stable.

alpha/sparc stable

Stable for HPPA.

amd64 stable

Last supported arch done, ready for vote.

voting yes, let's combine it with bug #194606

Voting yes, it's hard to exploit, but with critical impact.

GLSA request with #194606 filed.

I vote yes, could conceivably be automated.

GLSA 200710-11, sorry for the delay.
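One way to close the window between the 'rm -rf' and the 'chmod' discussed in this thread, as an added example that is not part of the bug report and not the change that shipped in 1.0.4-r1. The function names are hypothetical, and the hardened path assumes the parent directory is sticky (as /tmp normally is), so that other users cannot replace a directory root has just created.

```shell
#!/bin/sh
# Added example; all function names are hypothetical, not from the Gentoo script.

# The mkdir/chmod pair from the init script excerpt: mkdir's failure is
# ignored, so chmod still runs when the path already exists. chmod follows
# symlinks, so it then changes the mode of whatever the path points to.
create_dir_unchecked() {
    mkdir -- "$1" 2>/dev/null
    chmod 1777 -- "$1"
}

# Hardened form: continue only if this mkdir call created the directory.
create_dir_checked() {
    dir=$1
    # mkdir fails if the path exists in any form, including a symlink or a
    # directory created by another user after the rm.
    if ! mkdir -- "$dir" 2>/dev/null; then
        echo "Failed to create $dir" >&2
        return 1
    fi
    # Defence in depth: the path must be a real directory, not a symlink.
    # Assumption: the parent is sticky, so nobody else can swap it afterwards.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "$dir is not a directory" >&2
        return 1
    fi
    chmod 1777 -- "$dir"
}

# Full restart path: clear the stale entry, then create with checks.
# rm -rf on a symlink removes the link itself, not its target.
reset_font_dir() {
    rm -rf -- "$1" || return 1
    create_dir_checked "$1"
}

# Usage in an init script: reset_font_dir /tmp/.font-unix || exit 1
```
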