On 2016-01-23 06:50:51, Guido Günther wrote:
> Hi Colin,
> On Fri, Jan 15, 2016 at 02:01:44PM +0000, Colin Watson wrote:
>> On Fri, Jan 15, 2016 at 02:50:33PM +0100, Yves-Alexis Perez wrote:
>> > On Fri., 2016-01-15 at 14:47 +0100, Guido Günther wrote:
>> > > > I believe Yves-Alexis Perez is handling this.
>> > >
>> > > I figured Mike's mail is related to
>> > >
>> > > TEMP-0000000 Eliminate the fallback from untrusted X11-forwarding to
>> > > trusted forwarding for cases when the X server disables the SECURITY
>> > > extension
>> > >
>> > > not to CVE-2016-0777 CVE-2016-0778?
>> >
>> > We've not yet investigated the other, CVE-less vulnerabilities fixed by the
>> > last OpenSSH release (whether for the current stables or for LTS).
>>
>> OpenSSH upstream decided not to fix the untrusted->trusted forwarding
>> issue in 7.1p2
>> (https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-January/034684.html).
>> I would recommend holding off on that until they've actually blessed a
>> fix for real.
>
> I had a look at RedHat's analysis[1] and at Squeeze, Wheezy and Jessie:
>
> * Squeeze and Wheezy don't run "xhost +si:localuser:`id -un`" from
> xinit but we do so from Jessie on
I don't think this is accurate:

Xsession.d$ git lg 35x11-common_xhost-local
* 9b1d914 N debian/local/Xsession.d/35x11-common_xhost-local: add a new script to the default X session. It will give access to the running X server to the logged on user. This is useful for gdm3 which does not give access to $XAUTHORITY outside the session, but can also be of use for other display managers. Closes: #586685. (il y a 4 ans et 2 mois) <Josselin Mouette>

$ git describe 9b1d914
xorg-1_7.6+9-1-g9b1d914

$ rmadison xorg
debian:
 xorg | 1:7.5+8+squeeze1 | squeeze-security  | source, amd64, armel, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, sparc
 xorg | 1:7.5+8+squeeze1 | squeeze           | source, amd64, armel, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, sparc
 xorg | 1:7.6+8~bpo60+1  | squeeze-backports | source, amd64, armel, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, sparc
 xorg | 1:7.7+3~deb7u1   | wheezy            | source, amd64, armel, armhf, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, s390x, sparc
 xorg | 1:7.7+7          | jessie-kfreebsd   | source, kfreebsd-amd64, kfreebsd-i386
 xorg | 1:7.7+7          | jessie            | source, amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x
 xorg | 1:7.7+12         | stretch           | source, amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x
 xorg | 1:7.7+13         | sid               | source, amd64, arm64, armel, armhf, hurd-i386, i386, kfreebsd-amd64, kfreebsd-i386, mips, mips64el, mipsel, powerpc, ppc64el, s390x

i.e. this was introduced in 1:7.6+9-1, and so was shipped with wheezy as well.

So even if we weren't vulnerable, that would be in squeeze only and we'll need to fix this for wheezy and above at the very least. I'll investigate if squeeze is really not vulnerable as well.

a.
-- 
People arbitrarily, or as a matter of taste, assigning numerical values to non-numerical things. And then they pretend that they haven't just made the numbers up, which they have.
Economics is like astrology in that sense, except that economics serves to justify the current power structure, and so it has a lot of fervent believers among the powerful.
 - Kim Stanley Robinson, Red Mars
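The suite triage done in the reply above (which suites ship an xorg at or after the 1:7.6+9-1 that introduced the xhost script) as an added example, not part of the thread: a Python port of dpkg's version comparison run over the rmadison output quoted above. The sample output is constructed from the thread with the architecture lists trimmed; `suites_at_or_after` is an assumed helper name.

```python
import itertools
import re
# Constructed sample: the rmadison(1) output quoted in the thread, arch lists trimmed.
RMADISON_OUTPUT = """\
xorg | 1:7.5+8+squeeze1 | squeeze-security | source, amd64, i386
xorg | 1:7.5+8+squeeze1 | squeeze | source, amd64, i386
xorg | 1:7.6+8~bpo60+1 | squeeze-backports | source, amd64, i386
xorg | 1:7.7+3~deb7u1 | wheezy | source, amd64, i386
xorg | 1:7.7+7 | jessie | source, amd64, i386
xorg | 1:7.7+12 | stretch | source, amd64, i386
xorg | 1:7.7+13 | sid | source, amd64, i386
"""
def _order(c):
    # dpkg's weight for one character of a non-digit run: end of string is 0,
    # '~' sorts before even that, letters before non-letters.
    if c in ("", "~"):
        return -1 if c else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # Port of dpkg's verrevcmp(): split both strings into alternating non-digit
    # and digit runs; non-digit runs compare by _order(), digit runs numerically.
    ta = re.findall(r"(\D*)(\d*)", a)
    tb = re.findall(r"(\D*)(\d*)", b)
    for (sa, da), (sb, db) in itertools.zip_longest(ta, tb, fillvalue=("", "")):
        for ca, cb in itertools.zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def compare_versions(a, b):
    # Split "[epoch:]upstream[-revision]" as dpkg does, then compare part by part.
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def suites_at_or_after(rmadison_text, introduced_in):
    # Suites whose shipped version already contains a change first seen in introduced_in.
    hits = []
    for line in rmadison_text.splitlines():
        _pkg, version, suite, _archs = (f.strip() for f in line.split("|"))
        if compare_versions(version, introduced_in) >= 0:
            hits.append(suite)
    return hits
```

Running `suites_at_or_after(RMADISON_OUTPUT, "1:7.6+9-1")` reproduces the thread's conclusion: squeeze and squeeze-backports predate the change, wheezy and everything after it carry it.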