Bug 362185 (CVE-2011-0465)

Summary: <x11-apps/xrdb-1.0.9 hostname command injection (CVE-2011-0465)
Product: Gentoo Security
Reporter: Tomáš Chvátal (RETIRED) <scarabeus>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: critical
CC: x11
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A1 [glsa]
Package list:
Runtime testing required: ---

Description Tomáš Chvátal (RETIRED) gentoo-dev 2011-04-05 17:15:55 UTC
Xrdb <1.0.9 contains a possible root hole via a rogue hostname.

Filed as CVE-2011-0465.

More on the issue (copied from the announce mail):

Overview
--------

By crafting hostnames with shell escape characters, arbitrary commands
can be executed in a root environment when a display manager reads in
the resource database via xrdb.

These specially crafted hostnames can occur in two environments:

  * Hosts that set their hostname via DHCP
  * Hosts that allow remote logins via xdmcp


Impact
------

Arbitrary (short) commands can be executed as root on affected hosts.
With some display managers a working login is required (resource
database is read upon login), with others no working login is required
(resource database is read upon display manager start as well).

Only those systems are affected that

 1) set their hostname via DHCP, and the DHCP client used allows setting
    hostnames with illegal characters
or

 2) allow remote logins via xdmcp


1) requires either physical access to the network, or administrative
   access to the running DHCP server.
2) does not require physical access, if a regular account on a machine
   accepted by xdmcp is available, but describes a case that is
   considered insecure nowadays.


@arches: please proceed with stabilisation.

@security: not sure what else you need to do with the bug so please pick yourself.
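The overview above describes the defect class: a hostname that reaches a shell-interpreted command line unchecked. The following is an added example written for this bug page from the defender's side; it is not xrdb's code, not the upstream fix, and not part of the original report. It assumes hypothetical function names (hostname_is_safe, build_cpp_argv), uses constructed sample hostnames, and the cpp invocation is illustrative rather than xrdb's real one. It shows the two controls that close this hole: strict whitelist validation of the hostname (RFC 1123 characters only, no escaping of metacharacters), and building the preprocessor argv directly so no shell ever parses the value.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Characters an RFC 1123 hostname may contain: letters, digits, '-' and the
 * label separator '.'.  Shell metacharacters (';', '`', '$', '|', quotes,
 * whitespace, ...) are rejected outright rather than quoted. */
static int hostname_char_ok(int c)
{
    return isalnum((unsigned char)c) || c == '-' || c == '.';
}

/* Returns 1 if 'h' is a syntactically valid hostname that is safe to embed
 * in a preprocessor define, 0 otherwise.  Applies the RFC 1123 limits:
 * 1..253 bytes total, labels of 1..63 bytes, no label starting or ending
 * with '-'.  A trailing '.' is rejected (strict, deliberately). */
int hostname_is_safe(const char *h)
{
    size_t len, i, label_len = 0;
    if (h == NULL) return 0;
    len = strlen(h);
    if (len == 0 || len > 253) return 0;
    for (i = 0; i < len; i++) {
        if (!hostname_char_ok(h[i])) return 0;
        if (h[i] == '.') {
            /* empty label (".." or leading '.') or label ending in '-' */
            if (label_len == 0 || h[i - 1] == '-') return 0;
            label_len = 0;
        } else {
            if (label_len == 0 && h[i] == '-') return 0;
            if (++label_len > 63) return 0;
        }
    }
    return label_len > 0 && h[len - 1] != '-';
}

/* Build an argument vector for the preprocessor without going through
 * /bin/sh: the -DHOST=... define is its own argv element, so nothing in the
 * value can be interpreted as shell syntax even if validation were weaker.
 * Returns the number of arguments written (excluding the NULL terminator),
 * or -1 if the hostname fails validation or a buffer is too small.
 * (Hypothetical helper; the cpp command line is illustrative only.) */
int build_cpp_argv(const char *hostname, char *define_buf, size_t define_len,
                   const char *argv[], size_t argv_len)
{
    int n;
    if (!hostname_is_safe(hostname)) return -1;
    if (argv_len < 3) return -1;
    n = snprintf(define_buf, define_len, "-DHOST=%s", hostname);
    if (n < 0 || (size_t)n >= define_len) return -1;
    argv[0] = "cpp";        /* would be passed to execvp(), never to a shell */
    argv[1] = define_buf;
    argv[2] = NULL;
    return 2;
}

int main(void)
{
    /* Constructed sample hostnames: one legitimate, three malformed. */
    const char *samples[] = { "desktop.example.org", "bad;name",
                              "-leading.example", "a..b" };
    char define_buf[300];
    const char *argv[4];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = build_cpp_argv(samples[i], define_buf, sizeof define_buf,
                                argv, 4);
        printf("%-22s -> %s\n", samples[i],
               rc < 0 ? "rejected" : argv[1]);
    }
    return 0;
}
```

Validation before use is the essential control: with a whitelist this narrow there is no escaping logic to get wrong, and passing the define as a separate argv element (rather than interpolating it into a popen() command string) removes the shell from the path entirely, so the two measures back each other up.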
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-04-05 17:57:39 UTC
(In reply to comment #0)
> 
> @security: not sure what else you need to do with the bug so please pick
> yourself.

Thank you; got it.
Comment 2 Agostino Sarubbo gentoo-dev 2011-04-05 20:58:02 UTC
amd64 ok
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2011-04-07 17:06:10 UTC
Arch teams, please test and mark stable:
=x11-apps/xrdb-1.0.9
Target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"


(Adding a bit of boilerplate.)
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2011-04-08 15:20:18 UTC
Stable for HPPA.
Comment 5 Thomas Kahle (RETIRED) gentoo-dev 2011-04-08 17:54:42 UTC
x86 stable, thanks.
Comment 6 Markus Meier gentoo-dev 2011-04-09 12:19:14 UTC
arm stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2011-04-09 13:59:48 UTC
alpha/ia64/s390/sh/sparc stable
Comment 8 Christoph Mende (RETIRED) gentoo-dev 2011-04-09 21:25:46 UTC
amd64 stable
Comment 9 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-04-11 17:42:43 UTC
ppc/ppc64 stable, last arch done
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2011-04-11 18:40:25 UTC
Thanks, everyone. GLSA request filed.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 00:30:56 UTC
CVE-2011-0465 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0465):
  xrdb.c in xrdb before 1.0.9 in X.Org X11R7.6 and earlier allows remote
  attackers to execute arbitrary commands via shell metacharacters in a
  hostname obtained from a (1) DHCP or (2) XDMCP message.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-12-12 00:37:41 UTC
This issue was resolved and addressed in
 GLSA 201412-09 at http://security.gentoo.org/glsa/glsa-201412-09.xml
by GLSA coordinator Sean Amoss (ackle).