Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 753104 (CVE-2020-28049) - <x11-misc/sddm-0.18.1-r6: Privilege escalation (CVE-2020-28049)
Summary: <x11-misc/sddm-0.18.1-r6: Privilege escalation (CVE-2020-28049)
Status: RESOLVED FIXED
Alias: CVE-2020-28049
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: A3 [glsa+]
Keywords:
Depends on: 836603
Blocks: 802306
  Show dependency tree
 
Reported: 2020-11-04 10:47 UTC by Sam James
Modified: 2024-02-03 06:24 UTC (History)
8 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
sddm-0.19.0-pam-1.4-substack.patch (sddm-0.19.0-pam-1.4-substack.patch,973 bytes, patch)
2020-11-17 09:39 UTC, Lars Wendler (Polynomial-C) (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-04 10:47:41 UTC
"a local privilege escalation has been discovered in the sddm display
manager [1].

sddm passes the -auth and -displayfd command line arguments when
starting the Xserver. It then waits for the display number to be
received from the Xserver via the `displayfd`, before the Xauthority
file specified via the `-auth` parameter is actually written. This
results in a race condition, creating a time window in which no valid
Xauthority file is existing while the Xserver is already running.

The X.Org server, when encountering a non-existing, empty or
corrupt/incomplete Xauthority file, will grant any connecting client
access to the Xorg display [2]. A local unprivileged attacker can thus
create an unauthorized connection to the Xserver and grab e.g. keyboard
input events from other legitimate users accessing the Xserver.

A simple reproducer works like this:

```
# run this from an unpriliged account before sddm is started to exploit
# the race condition and kill the X server
inotifywait /tmp/.X11-unix; while ! xkill; do :; done
```

The security issue was discovered by our SUSE sddm package maintainer
Fabian Vogt. The issue is included in sddm since version 0.12.0 and
was recently fixed in a new upstream release 0.19.0. The upstream commit
fixing this issue is found in [3]. The SUSE bugzilla bug tracking this
issue is found in [4]."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-04 10:49:02 UTC
Patch: https://github.com/sddm/sddm/commit/be202f533ab98a684c6a007e8d5b4357846bc222.

Please apply or bump to 0.19.0.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-15 09:29:56 UTC
Ping.
Comment 3 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2020-11-17 09:36:13 UTC
We should perhaps wait with a bump to 0.19.0 until upstream fixed the following regression:
https://github.com/sddm/sddm/issues/1316
Comment 4 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2020-11-17 09:39:12 UTC
Created attachment 671800 [details, diff]
sddm-0.19.0-pam-1.4-substack.patch

While toying with 0.19.0 I had to "fix" the pam-1.4 patch
Comment 5 Andreas Sturmlechner gentoo-dev 2020-11-17 09:40:44 UTC
Yup, we don't need yet another race condition in SDDM. A big update on the ebuild will be incoming soon, anyway, perhaps I should just make a PR with 0.19.0 while we wait for them to fix their stuff.
Comment 6 Andreas Sturmlechner gentoo-dev 2021-05-17 19:34:32 UTC
*** Bug 790713 has been marked as a duplicate of this bug. ***
Comment 7 Marco Scardovi (scardracs) 2021-07-12 14:20:55 UTC
Ping: any news?
Comment 8 NATTkA bot gentoo-dev 2021-07-29 17:25:29 UTC Comment hidden (obsolete)
Comment 9 NATTkA bot gentoo-dev 2021-07-29 17:34:02 UTC Comment hidden (obsolete)
Comment 10 NATTkA bot gentoo-dev 2021-07-29 17:41:55 UTC Comment hidden (obsolete)
Comment 11 NATTkA bot gentoo-dev 2021-07-29 18:05:58 UTC
Package list is empty or all packages have requested keywords.
Comment 12 Andreas Sturmlechner gentoo-dev 2022-02-03 16:46:20 UTC
*** Bug 832635 has been marked as a duplicate of this bug. ***
Comment 13 Larry the Git Cow gentoo-dev 2022-02-26 21:07:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4358362c18fef2411b0053d9556745e749d3afdd

commit 4358362c18fef2411b0053d9556745e749d3afdd
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-10-18 18:59:55 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-02-26 21:06:43 +0000

    x11-misc/sddm: Drop vulnerable 0.15.0
    
    Bug: https://bugs.gentoo.org/753104
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 profiles/package.mask               |  5 ---
 x11-misc/sddm/Manifest              |  1 -
 x11-misc/sddm/sddm-0.15.0-r2.ebuild | 63 -------------------------------------
 3 files changed, 69 deletions(-)
Comment 14 Andreas Sturmlechner gentoo-dev 2022-02-26 21:08:32 UTC
Cleanup done, kde proj out.
Comment 15 Andreas Sturmlechner gentoo-dev 2022-02-27 19:29:04 UTC
Actually not done yet.
Comment 16 Larry the Git Cow gentoo-dev 2022-04-01 14:48:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=943445b50d918a2a5ac0712105e109973147eb6e

commit 943445b50d918a2a5ac0712105e109973147eb6e
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2022-03-27 19:42:50 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-04-01 14:47:07 +0000

    x11-misc/sddm: migrate to glep-81
    
    Also added tmpfiles handling and patch for CVE-2020-28049.
    
    Bug: https://bugs.gentoo.org/753104
    Closes: https://bugs.gentoo.org/802306
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 .../sddm/files/sddm-0.18.1-cve-2020-28049.patch    |  94 +++++++++++++++++
 x11-misc/sddm/files/sddm.tmpfiles                  |   1 +
 x11-misc/sddm/sddm-0.18.1-r6.ebuild                | 116 +++++++++++++++++++++
 3 files changed, 211 insertions(+)
Comment 17 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-01 15:11:57 UTC
Thanks!
Comment 18 Larry the Git Cow gentoo-dev 2022-04-02 12:38:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4c2f2e12abcee705d727ecccbf9f6b6d07374710

commit 4c2f2e12abcee705d727ecccbf9f6b6d07374710
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2022-04-02 12:37:49 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-04-02 12:37:49 +0000

    x11-misc/sddm: Cleanup vulnerable 0.18.1-r5
    
    Bug: https://bugs.gentoo.org/753104
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 x11-misc/sddm/files/sddm-0.16.0-ck2-revert.patch |  20 ----
 x11-misc/sddm/files/sddm-0.18.0-Xsession.patch   |  24 -----
 x11-misc/sddm/sddm-0.18.1-r5.ebuild              | 111 -----------------------
 3 files changed, 155 deletions(-)
Comment 19 Andreas Sturmlechner gentoo-dev 2022-04-02 12:39:37 UTC
Cleanup done, kde proj out.
Comment 20 Larry the Git Cow gentoo-dev 2024-02-03 06:23:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=24849bc07aa8af43e4c5725512424f704a3d63a2

commit 24849bc07aa8af43e4c5725512424f704a3d63a2
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-02-03 06:18:59 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-02-03 06:23:15 +0000

    [ GLSA 202402-02 ] SDDM: Privilege Escalation
    
    Bug: https://bugs.gentoo.org/753104
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202402-02.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)