Bug 387069 (CVE-2011-4028) - <x11-base/xorg-server-{1.9.5-r1,1.10.4-r1} Lockfile handling vulnerabilities (CVE-2011-{4028,4029})
Status: RESOLVED FIXED
Alias: CVE-2011-4028
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://lists.freedesktop.org/archives...
Whiteboard: A3 [glsa]
Reported: 2011-10-13 20:51 UTC by Alex Legler (RETIRED)
Modified: 2012-07-12 00:38 UTC (History)

Attachments
xorg-cve-2011-4028+4029.patch (xorg-cve-2011-4028+4029.patch,671 bytes, patch)
2011-10-13 20:51 UTC, Alex Legler (RETIRED)
xorg-server-1.10.4-r1.ebuild (xorg-server-1.10.4-r1.ebuild,6.96 KB, text/plain)
2011-10-13 23:13 UTC, Chí-Thanh Christopher Nguyễn
xorg-server-1.9.5-r1.ebuild (xorg-server-1.9.5-r1.ebuild,7.67 KB, text/plain)
2011-10-13 23:14 UTC, Chí-Thanh Christopher Nguyễn

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2011-10-13 20:51:36 UTC
Created attachment 289761 [details, diff]
xorg-cve-2011-4028+4029.patch

** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

vladz reported the following two issues to the linux-distros security mailing list:

Disclosure of file existence (CVE-2011-4028) [A4]
-------------------------------------------------
"When launched with root privileges, Xorg allows the non-root user to deduce
if a file exists or not by using a file existence disclosure vulnerability.

If a non-root user wants to know if a file exists in a non-readable
directory (for example "/root"), he will first create a symbolic link
"/tmp/.X1-lock" that points to the target file (let's say "/root/file") and
start Xorg on an unused display.  Xorg will then have different behaviors
depending on the target file existence and type:

  - If it does not exist, Xorg will immediately stop with the fatal message:
    "Can't read lock file /tmp/.X1-lock"

  - If it exists, Xorg will immediately stop with the fatal message:
    "Server is already active for display 1
        If this server is no longer running, remove /tmp/.X1-lock
        and start again."

  - If it exists AND is a directory, Xorg removes the link and starts

  - If it exists AND is a fifo, Xorg gets stuck"

File content disclosure (CVE-2011-4029) [A3]
--------------------------------------------
Xorg uses chmod(2) to modify the permissions of its lockfiles /tmp/.Xn-lock (with n being the display number). This behavior is prone to a race condition in which it can be replaced with a symbolic link to the file the attacker wants to make world-readable.

I'm attaching a patch for both issues.
chithanh, please prepare an ebuild using this patch and attach it to this bug. Do NOT commit any files to CVS. We'll do prestabling afterwards on this bug.

Current CRD is October 18, 1400 UTC
Comment 1 Chí-Thanh Christopher Nguyễn gentoo-dev 2011-10-13 23:13:34 UTC
Created attachment 289769 [details]
xorg-server-1.10.4-r1.ebuild
Comment 2 Chí-Thanh Christopher Nguyễn gentoo-dev 2011-10-13 23:14:06 UTC
Created attachment 289771 [details]
xorg-server-1.9.5-r1.ebuild
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-10-13 23:24:15 UTC
Arch Security Liaisons, please test the attached ebuilds and report them stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2011-10-14 16:56:35 UTC
HPPA is OK.
Comment 5 Tony Vroon (RETIRED) gentoo-dev 2011-10-14 17:19:56 UTC
AMD64 signs off on both versions.
Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-10-18 15:07:47 UTC
This is now public as per $URL.

chithanh, you can now commit the ebuilds with amd64 and hppa stable.
Comment 7 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-10-18 17:34:37 UTC
  18 Oct 2011; Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org>
  +xorg-server-1.9.5-r1.ebuild, +xorg-server-1.10.4-r1.ebuild,
  +xorg-server-1.11.1-r1.ebuild, +files/xorg-cve-2011-4028+4029.patch:
  Add patch for security bug #387069.

Arches, please test and mark stable:
=x11-base/xorg-server-1.9.5-r1
=x11-base/xorg-server-1.10.4-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"
Already stable  : "amd64 hppa"
Missing keywords: "alpha arm ia64 ppc ppc64 sh sparc x86"
Comment 8 Agostino Sarubbo gentoo-dev 2011-10-19 16:22:56 UTC
works for me on x86
Comment 9 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-10-21 18:05:08 UTC
(removing this space from the summary helps my batch stabilization tool; feel free to contact me about this off-bugzilla, especially if you generate the summary in an automated way)
Comment 10 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-10-22 07:27:29 UTC
x86 stable
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2011-10-22 12:08:30 UTC
alpha/arm/ia64/sh/sparc stable
Comment 12 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-10-22 16:57:48 UTC
ppc/ppc64 stable, last arch done
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2011-10-22 17:45:27 UTC
This issue was resolved and addressed in
 GLSA 201110-19 at http://security.gentoo.org/glsa/glsa-201110-19.xml
by GLSA coordinator Alex Legler (a3li).
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2012-07-12 00:38:15 UTC
CVE-2011-4029 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4029):
  The LockServer function in os/utils.c in X.Org xserver before 1.11.2 allows
  local users to change the permissions of arbitrary files to 444, read those
  files, and possibly cause a denial of service (removed execution permission)
  via a symlink attack on a temporary lock file.

CVE-2011-4028 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4028):
  The LockServer function in os/utils.c in X.Org xserver before 1.11.2 allows
  local users to determine the existence of arbitrary files via a symlink
  attack on a temporary lock file, which is handled differently if the file
  exists.
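
The two lock-file problems described in this bug (a path-based chmod(2) that can be raced, and lock reads whose outcome depends on what a symlink points at), shown in hardened form as an added example; it is not the attached xorg-cve-2011-4028+4029.patch or X.Org's LockServer code. The function names, the `%10ld` PID format and the temp-directory scenario are assumptions constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create the lock; set its mode via the descriptor. O_EXCL|O_NOFOLLOW refuses
   a planted symlink, and fchmod() changes the opened inode, not the path. */
int create_lock(const char *path, long pid)
{
    char buf[32];
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    int n = snprintf(buf, sizeof buf, "%10ld\n", pid);
    int ok = write(fd, buf, (size_t)n) == n && fchmod(fd, 0444) == 0;
    close(fd);
    if (!ok) unlink(path);
    return ok ? 0 : -1;
}

/* Read the PID from a lock. Symlink, directory, FIFO and missing file all
   return -1 whatever a symlink targets; O_NONBLOCK avoids hanging on a FIFO. */
long read_lock_pid(const char *path)
{
    struct stat st;
    char buf[32] = {0};
    long pid = -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) return -1;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && read(fd, buf, sizeof buf - 1) > 0)
        pid = strtol(buf, NULL, 10);
    close(fd);
    return pid > 0 ? pid : -1;
}

/* Constructed scenario in a fresh temp dir; returns the number of failed checks. */
int run_scenario(void)
{
    char d[] = "/tmp/lockdemo.XXXXXX";
    struct stat st;
    if (!mkdtemp(d) || chdir(d) || close(open("secret", O_WRONLY | O_CREAT, 0600))
        || symlink("secret", "to_file") || symlink("missing", "to_none")) return -1;
    return (create_lock("to_file", 42) != -1)                     /* symlink refused */
         + (read_lock_pid("to_file") != read_lock_pid("to_none")) /* same answer */
         + (stat("secret", &st) != 0 || (st.st_mode & 0777) != 0600) /* mode kept */
         + (create_lock("lock", 42) != 0 || read_lock_pid("lock") != 42);
}

int main(void) { return run_scenario(); }
```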