Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 185660 - x11-apps/xfs < 1.0.4-r1 chmod race condition (CVE-2007-3103)
Summary: x11-apps/xfs < 1.0.4-r1 chmod race condition (CVE-2007-3103)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B3? [glsa]
Depends on:
Reported: 2007-07-17 14:55 UTC by Matt Fleming (RETIRED)
Modified: 2008-01-10 08:58 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Matt Fleming (RETIRED) gentoo-dev 2007-07-17 14:55:58 UTC
It seems that x11-apps/xfs-1.0.4 is vulnerable to this race condition.

Reproducible: Always

Steps to Reproduce:
Comment 1 Jonathan Smith (RETIRED) gentoo-dev 2007-07-17 15:10:58 UTC
the vulnerability was in redhat's initscript. we don't ship redhat's initscript. further, an examination of our own initscript shows that we do not chown anything root:root in a racey way, so i'd say this is Not Our Bug (tm).
Comment 2 Matt Fleming (RETIRED) gentoo-dev 2007-07-17 15:32:31 UTC
Bah, sorry, I meant chmod, not chown. This is from the file /etc/init.d/xfs,

        ebegin "Starting X Font Server"
        if [ "`grep -e "^xfs:" /etc/passwd`" ] ; then
                # Fix possible security problem, turned to hard failure in 6.8.0
                # See discussion at
                rm -rf /tmp/.font-unix
                mkdir /tmp/.font-unix
                chmod 1777 /tmp/.font-unix
Comment 3 2007-07-17 16:12:34 UTC
At least this: 

mkdir /tmp/.font-unix

Could innocuously enough be improved to something like this: 

mkdir /tmp/.font-unix || {
  eerror "Failed to create temporary directory"
  exit 1
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-26 12:03:06 UTC
x11, what's the status here? is there something to do? please advise.
Comment 5 Donnie Berkholz (RETIRED) gentoo-dev 2007-07-27 17:29:49 UTC
We should probably make a change similar to -- as mentioned, it's a very weak exploit. But if someone slips in after the 'rm -rf' but before the 'chmod' while the service is being (re)started, there's an opportunity.
Comment 6 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-15 21:16:01 UTC
(In reply to comment #5)
> We should probably make a change [...]

err, what's that supposed to mean actually? :) 
Are you willing to change the script or not?
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-09-24 16:25:13 UTC
Any news on this one?
Comment 8 Donnie Berkholz (RETIRED) gentoo-dev 2007-09-30 08:22:00 UTC
Fixed in 1.0.4-r1.
Comment 9 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-30 09:56:48 UTC
great, thanks.
Arches ,please test and mark stable x11-apps/xfs-1.0.4-r1.
Target "alpha amd64 arm hppa mips ppc ppc64 s390 sh sparc x86"
Comment 10 Markus Meier gentoo-dev 2007-09-30 12:34:37 UTC
x86 stable
Comment 11 Markus Rothe (RETIRED) gentoo-dev 2007-09-30 13:58:01 UTC
ppc64 stable
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2007-09-30 19:04:28 UTC
ppc stable
Comment 13 Joshua Kinard gentoo-dev 2007-10-01 01:43:02 UTC
mips stable.
Comment 14 Raúl Porcel (RETIRED) gentoo-dev 2007-10-01 13:20:22 UTC
alpha/sparc stable
Comment 15 Jeroen Roovers (RETIRED) gentoo-dev 2007-10-01 14:51:18 UTC
Stable for HPPA.
Comment 16 Steve Dibb (RETIRED) gentoo-dev 2007-10-04 14:20:13 UTC
amd64 stable
Comment 17 Tobias Heinlein (RETIRED) gentoo-dev 2007-10-04 23:02:09 UTC
Last supported arch done, ready for vote.
Comment 18 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-10-06 13:37:42 UTC
voting yes, let's combine it with bug #194606
Comment 19 Robert Buchholz (RETIRED) gentoo-dev 2007-10-11 21:04:32 UTC
Voting yes, it's hard to exploit, but with critical impact. GLSA request with #194606 filed.
Comment 20 Matt Drew (RETIRED) gentoo-dev 2007-10-11 21:07:45 UTC
I vote yes, could conceivably be automated.
Comment 21 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-10-12 21:54:46 UTC
GLSA 200710-11, sorry for the delay.