It seems that x11-apps/xfs-1.0.4 is vulnerable to this race condition.
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=242903
http://www.securityfocus.com/archive/1/473514
Reproducible: Always
Steps to Reproduce:
the vulnerability was in redhat's initscript. we don't ship redhat's initscript. further, an examination of our own initscript shows that we do not chown anything root:root in a racy way, so i'd say this is Not Our Bug (tm).
Bah, sorry, I meant chmod, not chown. This is from the file /etc/init.d/xfs,
    ebegin "Starting X Font Server"
    if [ "`grep -e "^xfs:" /etc/passwd`" ] ; then
        # Fix possible security problem, turned to hard failure in 6.8.0
        # See discussion at http://freedesktop.org/bugzilla/show_bug.cgi?id=306
        rm -rf /tmp/.font-unix
        mkdir /tmp/.font-unix
        chmod 1777 /tmp/.font-unix
At least this:
    mkdir /tmp/.font-unix
Could innocuously enough be improved to something like this:
    mkdir /tmp/.font-unix || {
        eerror "Failed to create temporary directory"
        exit 1
    }
x11, what's the status here? is there something to do? please advise.
We should probably make a change similar to http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=242903#c5 -- as mentioned, it's a very weak exploit. But if someone slips in after the 'rm -rf' but before the 'chmod' while the service is being (re)started, there's an opportunity.
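Added example, not from this thread and not the Gentoo or Red Hat initscript: one way to close the window between 'rm -rf' and 'chmod' is to fail hard unless the script itself created the directory, and to refuse to chmod a symlink or a path owned by someone else. The function names claim_dir and recreate_dir are hypothetical, and the directory is passed as a parameter so the logic can be exercised outside /tmp.

```shell
#!/bin/sh
# Added example; claim_dir and recreate_dir are hypothetical helper names.

# claim_dir DIR: create DIR ourselves, then open it up to mode 1777.
# Fails if anything already exists at DIR, which is what the script would
# see if another user recreated the path after the 'rm -rf'.
claim_dir() {
    dir=$1
    # No -p: mkdir fails with EEXIST on an existing file, directory or
    # symlink (even a dangling one). Start private (0700), widen later.
    if ! mkdir -m 0700 -- "$dir" 2>/dev/null; then
        echo "Failed to create $dir (already exists?)" >&2
        return 1
    fi
    # Defence in depth: never chmod through a symlink or a path we do not own.
    if [ -L "$dir" ] || [ ! -d "$dir" ] || [ ! -O "$dir" ]; then
        echo "$dir is not a directory owned by us, refusing to chmod" >&2
        return 1
    fi
    chmod 1777 -- "$dir"
}

# recreate_dir DIR: the rm / mkdir / chmod sequence from the initscript,
# with every step checked.
recreate_dir() {
    rm -rf -- "$1" || return 1
    claim_dir "$1"
}
```

In an initscript the caller would treat a non-zero return as a start failure, for example `recreate_dir /tmp/.font-unix || { eerror "Failed to create temporary directory"; return 1; }`.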
(In reply to comment #5)
> We should probably make a change [...]
err, what's that supposed to mean actually? :) Are you willing to change the script or not?
Any news on this one?
Fixed in 1.0.4-r1.
great, thanks. Arches, please test and mark stable x11-apps/xfs-1.0.4-r1. Target "alpha amd64 arm hppa mips ppc ppc64 s390 sh sparc x86"
x86 stable
ppc64 stable
ppc stable
mips stable.
alpha/sparc stable
Stable for HPPA.
amd64 stable
Last supported arch done, ready for vote.
voting yes, let's combine it with bug #194606
Voting yes, it's hard to exploit, but with critical impact. GLSA request with #194606 filed.
I vote yes, could conceivably be automated.
GLSA 200710-11, sorry for the delay.