On 06.05.2011 15:10, Giuseppe Iuculano wrote:
> Package: fglrx-atieventsd
> Version: 1:11-3-1
> Severity: grave
> Tags: security
>
>
>
> Hi Vincent,
>
> thanks for contacting us, fglrx-driver is non-free, but I'm opening a
> new Debian bug against it.
>
> Cheers,
> Giuseppe.
>
> On 05/04/2011 11:12 AM, Vincent Zweije wrote:
>> Package: fglrx-atieventsd
>> Version: 1:11-3-1
>> Severity: grave
>> Tags: security
>>
>> After having logged on and off on a gnome testing system, I can see the
>> xauth X authentication cookie in the process list, even as another user:
>>
>> nobody@arrow:/$ ps axlO+T | grep ati[e]vnt
>> 0 0 32530 23664 20 0 3264 804 ? S ? 0:00 /bin/sh
>> /etc/ati/authatieventsd.sh grant :0 /tmp/atievntX.aWEZgM
>> 4 1000 32548 32530 20 0 4296 628 ? S ? 0:00 su
>> vincent -c xauth -f /tmp/atievntX.aWEZgM add :0 .
>> 76662e1da9b24d7ce5de363900837c18
>> 0 1000 32555 32548 20 0 2936 324 ? S ? 0:00 xauth
>> -f /tmp/atievntX.aWEZgM add :0 . 76662e1da9b24d7ce5de363900837c18
>> nobody@arrow:/$
>>
>> Such a cookie allows in principle unlimited access to an X server,
>> with possibilities for, for instance, keystroke snooping.
>>
>> Although the relevant X session is already closed in this example, this
>> information must also have been present when the session was still active.
>>
>> Xauth allows for such cookies to be read from stdin instead of from
>> the command line. There is no justification for passing it on the
>> command line.

Hello,

I am a bit limited in my time, but I tried to reproduce it with fglrx 10-4 from unstable and kdm as login manager, but I was not successful.

* grepping for it => false
* logging in and then grepping for it => false
* after that shutting down kdm => false

Could you please retest it with 10-4?
Did you install the driver from another location (AMD website e.g.) before?

-- 
/*
Mit freundlichem Gruß / With kind regards,
 Patrick Matthäi
 GNU/Linux Debian Developer

E-Mail: pmatth...@debian.org
        patr...@linux-dev.org

Comment:
Always if we think we are right,
we were maybe wrong.
*/
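
The report's point that xauth can take the cookie from stdin rather than the command line, as an added shell example that is not code from this thread or from the fglrx package. The names `grant_cookie`, `cookie_in_argv` and `XAUTH_BIN` are hypothetical; `cookie_in_argv` is a check over `ps` output for the exposure shown in the report.

```shell
#!/bin/sh
# Added example: hand an X authority cookie to xauth on stdin, not in argv.
# XAUTH_BIN is a hypothetical override (not part of fglrx or xauth) so the
# function can be exercised with a stub; it defaults to the real xauth.
XAUTH_BIN=${XAUTH_BIN:-xauth}

# Weak form, matching the ps output in the report (the cookie is an
# argument, so every local user can read it from the process list):
#   xauth -f "$authfile" add "$display" . "$cookie"

# grant_cookie AUTHFILE DISPLAY COOKIE
# printf is a builtin in bash and dash, so the cookie never becomes an
# argument of a separate process; xauth reads the "add" command from
# stdin via "source -".
grant_cookie() {
    gc_file=$1 gc_display=$2 gc_cookie=$3
    # Accept only a hex key, so nothing else can be injected into the script.
    case $gc_cookie in
        ''|*[!0-9a-fA-F]*) echo "grant_cookie: bad cookie" >&2; return 2 ;;
    esac
    ( umask 077   # a newly created authority file is owner-only
      printf 'add %s . %s\n' "$gc_display" "$gc_cookie" |
          "$XAUTH_BIN" -f "$gc_file" source - )
}

# cookie_in_argv: read ps-style lines on stdin and print those where an
# xauth "add" command carries a 32-digit hex key as an argument.
# Exit status is 0 if at least one such line was found, 1 otherwise.
cookie_in_argv() {
    grep -E 'xauth( .*)? add [^ ]+ [^ ]+ [0-9a-fA-F]{32}( |$)'
}
```

When the command has to run as the session user, the same pipe can feed `su "$user" -c 'xauth -f … source -'`, since `su` passes stdin through to the command.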