On Mon, May 09, 2011 at 08:57:24AM +0200, Patrick Matthäi wrote:

|| On 08.05.2011 23:58, Vincent Zweije wrote:
|| >On Sun, May 08, 2011 at 11:51:40PM +0200, Vincent Zweije wrote:
|| >
|| >|| Looking at /etc/ati/authatieventsd.sh, this piece of code is wrong:
|| >
|| >||> revoke)
|| >||>     if [ `pinky -fs | awk '{ if ($3 == "'$2'" || $(NF) == "'$2'" ) { print $1; exit; } }'` ]; then
|| >||>         user=`pinky -fs | awk '{ if ($3 == "'$2'" || $(NF) == "'$2'" ) { print $1; exit; } }'`
|| >||>         su $user -c "xauth -f $3 remove $2" || exit -1
|| >||>     else
|| >||>         xauth -f $3 remove $2 || exit -1
|| >||
|| >|| And strictly speaking, the same twice here, but the secret is being
|| >|| removed so exploiting its knowledge would be very hard though not
|| >|| theoretically impossible. Anyway, if you're fixing the grant case, do the
|| >|| revoke case at the same time so they use the same method. It's just good
|| >|| software engineering.
|| >
|| >I think I had my eyes crossed here. No secret cookie is being mentioned,
|| >only the display name which is not secret.
|| Do you want to say, that the security part of this bug could be closed?

Sorry, no, only that the "revoke" part has no security problem. The
"grant" part still does.

|| Sorry yes I mean 11-4, not 10-4 :)

Right. Well, if the offending code is gone in 11-4 that would be the end
of the problem, but even without checking I suspect it's still there.

Ciao. Vincent.
-- 
Vincent Zweije <vinc...@zweije.nl>   | "If you're flamed in a group you
<http://www.xs4all.nl/~zweije/>      | don't read, does anybody get burnt?"
[Xhost should be taken out and shot] | -- Paul Tomblin on a.s.r.