Bug#625868: [Pkg-fglrx-devel] Bug#625868: auth event shows secret xauth cookie on command line
On 18.07.2011 01:07, Michael Gilbert wrote:
> Michael Gilbert wrote:
> > actually, i just realized that isn't sufficient. can you try this:
> >
> > --- fglrx-driver-11-6.orig/common/etc/ati/authatieventsd.sh
> > +++ fglrx-driver-11-6/common/etc/ati/authatieventsd.sh
> > @@ -95,17 +95,16 @@
> > which xauth /dev/null || exit -1
> > case $1 in
> > grant)
> > GetServerAuthFile $2 || exit -1
> > -DISP_AUTH_KEY=`xauth -f $SERVER_AUTH_FILE list | grep $DISP_SEARCH_STRING | awk '{ print
>
> correction: don't remove this line; it obviously messes up the subsequent
> logic. the rest of the patch should work (although untested since i
> personally don't use atieventsd).
>
> mike

could you commit it?

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#625868: [Pkg-fglrx-devel] Bug#625868: auth event shows secret xauth cookie on command line
On Mon, Jul 18, 2011 at 2:48 AM, Patrick Matthäi wrote:
> could you commit it?

committed. submitter, please test when you have a chance:
svn://svn.debian.org/svn/pkg-fglrx/fglrx-driver/trunk

also for the record, cve id requested:
http://www.openwall.com/lists/oss-security/2011/07/19/1

mike
Bug#625868: [Pkg-fglrx-devel] Bug#625868: auth event shows secret xauth cookie on command line
On Wed, May 11, 2011 at 07:29:25PM +0200, Patrick Matthäi wrote:

|| It looks like those issues were introduced by Debian years ago with the
|| patch 03-authatieventsd.sh.diff and I can't say for what it is really
|| there (it already was available @ fglrx, where I was not the maintainer).
|| Could you please deapply it and look if everything is right?

Finally got around to looking at it.

Patch 03-* did not introduce the bad code, it just modified it. It contains
the following part:

    -if [ -n $DISP_AUTH_KEY ]; then
    -xauth -f $3 add $2 . $DISP_AUTH_KEY || exit -1
    -else
    -exit -1

Which means the original code already passes $DISP_AUTH_KEY on the command
line. Indeed, upstream source contains this snippet:

    DISP_AUTH_KEY=`xauth -f $SERVER_AUTH_FILE list | grep $DISP_SEARCH_STRING | awk '{ print $3 }'`
    if [ -n $DISP_AUTH_KEY ]; then
        xauth -f $3 add $2 . $DISP_AUTH_KEY || exit -1
    else
        exit -1
    fi

which should probably be something like:

    DISP_AUTH_KEY=`xauth -f $SERVER_AUTH_FILE list | grep $DISP_SEARCH_STRING | awk '{ print $3 }'`
    if [ -n $DISP_AUTH_KEY ]; then
        echo "$2 . $DISP_AUTH_KEY" | xauth -f $3 merge - || exit -1
    else
        exit -1
    fi

under the assumption that echo runs as a shell builtin, so does not use
execve, so its command line arguments cannot be snarfed from outside.

However, better would be to put everything inside the pipeline and never
read the cookie into a variable at all, saving an if as well (completely
untested):

    xauth -f $SERVER_AUTH_FILE list | grep $DISP_SEARCH_STRING | \
        awk '{printf "%s %s %s\n","'$2'",$2,$3}' | xauth -f $3 merge - || exit -1

You'll have to merge this with patch 03-*.

Ciao. Vincent.
--
Vincent Zweije vinc...@zweije.nl      | If you're flamed in a group you
http://www.xs4all.nl/~zweije/         | don't read, does anybody get burnt?
[Xhost should be taken out and shot]  |            -- Paul Tomblin on a.s.r.
Bug#625868: [Pkg-fglrx-devel] Bug#625868: auth event shows secret xauth cookie on command line
I have attached the diff I had committed to the subversion repository.

On 04.07.2011 15:23, Vincent Zweije wrote:
> On Wed, May 11, 2011 at 07:29:25PM +0200, Patrick Matthäi wrote:
>
> || It looks like those issues were introduced by Debian years ago with the
> || patch 03-authatieventsd.sh.diff and I can't say for what it is really
> || there (it already was available @ fglrx, where I was not the maintainer).
> || Could you please deapply it and look if everything is right?
>
> Finally got around to looking at it.
>
> Patch 03-* did not introduce the bad code, it just modified it. It contains
> the following part:
>
>     -if [ -n $DISP_AUTH_KEY ]; then
>     -xauth -f $3 add $2 . $DISP_AUTH_KEY || exit -1
>     -else
>     -exit -1
>
> Which means the original code already passes $DISP_AUTH_KEY on the command
> line. Indeed, upstream source contains this snippet:
>
>     DISP_AUTH_KEY=`xauth -f $SERVER_AUTH_FILE list | grep $DISP_SEARCH_STRING | awk '{ print $3 }'`
>     if [ -n $DISP_AUTH_KEY ]; then
>         xauth -f $3 add $2 . $DISP_AUTH_KEY || exit -1
>     else
>         exit -1
>     fi
>
> which should probably be something like:
>
>     DISP_AUTH_KEY=`xauth -f $SERVER_AUTH_FILE list | grep $DISP_SEARCH_STRING | awk '{ print $3 }'`
>     if [ -n $DISP_AUTH_KEY ]; then
>         echo "$2 . $DISP_AUTH_KEY" | xauth -f $3 merge - || exit -1
>     else
>         exit -1
>     fi
>
> under the assumption that echo runs as a shell builtin, so does not use
> execve, so its command line arguments cannot be snarfed from outside.
>
> However, better would be to put everything inside the pipeline and never
> read the cookie into a variable at all, saving an if as well (completely
> untested):
>
>     xauth -f $SERVER_AUTH_FILE list | grep $DISP_SEARCH_STRING | \
>         awk '{printf "%s %s %s\n","'$2'",$2,$3}' | xauth -f $3 merge - || exit -1
>
> You'll have to merge this with patch 03-*.
>
> Ciao. Vincent.
--
/* Mit freundlichem Gruß / With kind regards,
Patrick Matthäi
GNU/Linux Debian Developer
E-Mail: pmatth...@debian.org
        patr...@linux-dev.org */

--- tags/11-4-2/debian/patches/03-authatieventsd.sh.diff	2011-05-29 09:53:13.571962952 +0200
+++ trunk/debian/patches/03-authatieventsd.sh.diff	2011-07-04 20:16:49.005207455 +0200
@@ -1,8 +1,8 @@
# Make the authatieventsd.sh working on Debian.
-diff -Naur fglrx-driver-10-4.orig//common/etc/ati/authatieventsd.sh fglrx-driver-10-4/common/etc/ati/authatieventsd.sh
fglrx-driver-10-4.orig//common/etc/ati/authatieventsd.sh 2010-04-15 18:44:15.0 +0200
-+++ fglrx-driver-10-4/common/etc/ati/authatieventsd.sh 2010-04-29 19:16:43.0 +0200
+diff -Naur fglrx-driver-11-6.orig/common/etc/ati/authatieventsd.sh fglrx-driver-11-6/common/etc/ati/authatieventsd.sh
+--- fglrx-driver-11-6.orig/common/etc/ati/authatieventsd.sh 2011-06-01 23:20:56.0 +0200
fglrx-driver-11-6/common/etc/ati/authatieventsd.sh 2011-07-04 20:13:52.841207585 +0200
@@ -42,6 +42,16 @@
return 0
fi
@@ -46,7 +46,7 @@
+ if [ `pinky -fs | awk '{ if ($3 == '$2' || $(NF) == '$2' ) { print $1; exit; } }'` ]; then
+ user=`pinky -fs | awk '{ if ($3 == '$2' || $(NF) == '$2' ) { print $1; exit; } }'`
+ if [ -n $DISP_AUTH_KEY ]; then
-+ su $user -c xauth -f $3 add $2 . $DISP_AUTH_KEY || exit -1
++ su $user -c echo \$2 . $DISP_AUTH_KEY\ | xauth -f $3 merge - || exit -1
+ else
+ exit -1
+ fi
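Review bot: the replacement line `++ su $user -c echo \$2 . $DISP_AUTH_KEY\ | xauth -f $3 merge - || exit -1` in the `@@ -46,7 +46,7 @@` hunk still interpolates $DISP_AUTH_KEY into the string handed to `su -c`, so the cookie remains an argument of the `su` process and is still readable in the process table (the report's own `ps` listing showed it on the `su vincent -c xauth ... add :0 . 7666...` line as well as on the child `xauth` line); only the inner `xauth` stops carrying it. Run the echo outside su and let su's child inherit stdin instead, e.g. `echo "$2 . $DISP_AUTH_KEY" | su $user -c "xauth -f $3 merge -" || exit -1`, so that no process in the chain ever has the cookie in its argv.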
Bug#625868: [Pkg-fglrx-devel] Bug#625868: auth event shows secret xauth cookie on command line
On Mon, Jul 04, 2011 at 09:01:05PM +0200, Patrick Matthäi wrote:

|| I have attached the diff I had committed to the subversion repository.
||
|| On 04.07.2011 15:23, Vincent Zweije wrote:
|| > Indeed, upstream source contains this snippet:
|| >
|| >     DISP_AUTH_KEY=`xauth -f $SERVER_AUTH_FILE list | grep $DISP_SEARCH_STRING | awk '{ print $3 }'`
|| >     if [ -n $DISP_AUTH_KEY ]; then
|| >         xauth -f $3 add $2 . $DISP_AUTH_KEY || exit -1
|| >     else
|| >         exit -1
|| >     fi
|| >
|| > which should probably be something like:
|| >
|| >     DISP_AUTH_KEY=`xauth -f $SERVER_AUTH_FILE list | grep $DISP_SEARCH_STRING | awk '{ print $3 }'`
|| >     if [ -n $DISP_AUTH_KEY ]; then
|| >         echo "$2 . $DISP_AUTH_KEY" | xauth -f $3 merge - || exit -1
|| >     else
|| >         exit -1
|| >     fi
|| >
|| > under the assumption that echo runs as a shell builtin, so does not use
|| > execve, so its command line arguments cannot be snarfed from outside.
|| >
|| > However, better would be to put everything inside the pipeline and
|| > never read the cookie into a variable at all, saving an if as well
|| > (completely untested):
|| >
|| >     xauth -f $SERVER_AUTH_FILE list | grep $DISP_SEARCH_STRING | \
|| >         awk '{printf "%s %s %s\n","'$2'",$2,$3}' | xauth -f $3 merge - || exit -1
||
|| --- tags/11-4-2/debian/patches/03-authatieventsd.sh.diff 2011-05-29 09:53:13.571962952 +0200
|| +++ trunk/debian/patches/03-authatieventsd.sh.diff 2011-07-04 20:16:49.005207455 +0200
|| @@ -1,8 +1,8 @@
|| # Make the authatieventsd.sh working on Debian.
||
|| -diff -Naur fglrx-driver-10-4.orig//common/etc/ati/authatieventsd.sh fglrx-driver-10-4/common/etc/ati/authatieventsd.sh
|| fglrx-driver-10-4.orig//common/etc/ati/authatieventsd.sh 2010-04-15 18:44:15.0 +0200
|| -+++ fglrx-driver-10-4/common/etc/ati/authatieventsd.sh 2010-04-29 19:16:43.0 +0200
|| +diff -Naur fglrx-driver-11-6.orig/common/etc/ati/authatieventsd.sh fglrx-driver-11-6/common/etc/ati/authatieventsd.sh
|| +--- fglrx-driver-11-6.orig/common/etc/ati/authatieventsd.sh 2011-06-01 23:20:56.0 +0200
|| fglrx-driver-11-6/common/etc/ati/authatieventsd.sh 2011-07-04 20:13:52.841207585 +0200
|| @@ -42,6 +42,16 @@
|| return 0
|| fi
|| @@ -46,7 +46,7 @@
|| + if [ `pinky -fs | awk '{ if ($3 == '$2' || $(NF) == '$2' ) { print $1; exit; } }'` ]; then
|| + user=`pinky -fs | awk '{ if ($3 == '$2' || $(NF) == '$2' ) { print $1; exit; } }'`
|| + if [ -n $DISP_AUTH_KEY ]; then
|| -+ su $user -c xauth -f $3 add $2 . $DISP_AUTH_KEY || exit -1
|| ++ su $user -c echo \$2 . $DISP_AUTH_KEY\ | xauth -f $3 merge - || exit -1
|| + else
|| + exit -1
|| + fi

Unfortunately, no. The cookie is no longer passed on the command line to
xauth, but it is still passed to su. Try something like this (still needs
testing):

    echo "$2 . $DISP_AUTH_KEY" | su $user -c "xauth -f $3 merge -" || exit -1

Ciao. Vincent.
--
Vincent Zweije vinc...@zweije.nl      | If you're flamed in a group you
http://www.xs4all.nl/~zweije/         | don't read, does anybody get burnt?
[Xhost should be taken out and shot]  |            -- Paul Tomblin on a.s.r.
Bug#625868: [Pkg-fglrx-devel] Bug#625868: auth event shows secret xauth cookie on command line
On Sat, May 28, 2011 at 11:37:31AM +0200, Moritz Muehlenhoff wrote:

|| On Wed, May 11, 2011 at 07:29:25PM +0200, Patrick Matthäi wrote:
|| > It looks like those issues were introduced by Debian years ago with the
|| > patch 03-authatieventsd.sh.diff and I can't say for what it is really
|| > there (it already was available @ fglrx, where I was not the maintainer).
|| > Could you please deapply it and look if everything is right?
||
|| Vincent, did you test it?

No(t yet), sorry. My computers are normally disk space starved and my
personal life time-starved. Rebuilding is a little undertaking for which I
need some energy.

Ciao. Vincent.
--
Vincent Zweije vinc...@zweije.nl      | If you're flamed in a group you
http://www.xs4all.nl/~zweije/         | don't read, does anybody get burnt?
[Xhost should be taken out and shot]  |            -- Paul Tomblin on a.s.r.
Bug#625868: [Pkg-fglrx-devel] Bug#625868: auth event shows secret xauth cookie on command line
On Wed, May 11, 2011 at 07:29:25PM +0200, Patrick Matthäi wrote:
> On 09.05.2011 10:01, Vincent Zweije wrote:
> > On Mon, May 09, 2011 at 08:57:24AM +0200, Patrick Matthäi wrote:
> >
> > || On 08.05.2011 23:58, Vincent Zweije wrote:
> > || > On Sun, May 08, 2011 at 11:51:40PM +0200, Vincent Zweije wrote:
> > || >
> > || > || Looking at /etc/ati/authatieventsd.sh, this piece of code is wrong:
> > || > ||
> > || > ||     revoke)
> > || > ||         if [ `pinky -fs | awk '{ if ($3 == '$2' || $(NF) == '$2' ) { print $1; exit; } }'` ]; then
> > || > ||             user=`pinky -fs | awk '{ if ($3 == '$2' || $(NF) == '$2' ) { print $1; exit; } }'`
> > || > ||             su $user -c "xauth -f $3 remove $2" || exit -1
> > || > ||         else
> > || > ||             xauth -f $3 remove $2 || exit -1
> > || > ||
> > || > || And strictly speaking, the same twice here, but the secret is being
> > || > || removed so exploiting its knowledge would be very hard though not
> > || > || theoretically impossible. Anyway, if you're fixing the grant case, do the
> > || > || revoke case at the same time so they use the same method. It's just good
> > || > || software engineering.
> > || >
> > || > I think I had my eyes crossed here. No secret cookie is being mentioned,
> > || > only the display name which is not secret.
> > ||
> > || Do you want to say, that the security part of this bug could be closed?
> >
> > Sorry, no, only that the revoke part has no security problem. The grant
> > part still does.
> >
> > || Sorry yes I mean 11-4, not 10-4 :)
> >
> > Right. Well, if the offending code is gone in 11-4 that would be the end
> > of the problem, but even without checking I suspect it's still there.
> >
> > Ciao. Vincent.
>
> It looks like those issues were introduced by Debian years ago with the
> patch 03-authatieventsd.sh.diff and I can't say for what it is really
> there (it already was available @ fglrx, where I was not the maintainer).
> Could you please deapply it and look if everything is right?

Vincent, did you test it?

Cheers,
    Moritz
Bug#625868: [Pkg-fglrx-devel] Bug#625868: auth event shows secret xauth cookie on command line
On 09.05.2011 10:01, Vincent Zweije wrote:
> On Mon, May 09, 2011 at 08:57:24AM +0200, Patrick Matthäi wrote:
>
> || On 08.05.2011 23:58, Vincent Zweije wrote:
> || > On Sun, May 08, 2011 at 11:51:40PM +0200, Vincent Zweije wrote:
> || >
> || > || Looking at /etc/ati/authatieventsd.sh, this piece of code is wrong:
> || > ||
> || > ||     revoke)
> || > ||         if [ `pinky -fs | awk '{ if ($3 == '$2' || $(NF) == '$2' ) { print $1; exit; } }'` ]; then
> || > ||             user=`pinky -fs | awk '{ if ($3 == '$2' || $(NF) == '$2' ) { print $1; exit; } }'`
> || > ||             su $user -c "xauth -f $3 remove $2" || exit -1
> || > ||         else
> || > ||             xauth -f $3 remove $2 || exit -1
> || > ||
> || > || And strictly speaking, the same twice here, but the secret is being
> || > || removed so exploiting its knowledge would be very hard though not
> || > || theoretically impossible. Anyway, if you're fixing the grant case, do the
> || > || revoke case at the same time so they use the same method. It's just good
> || > || software engineering.
> || >
> || > I think I had my eyes crossed here. No secret cookie is being mentioned,
> || > only the display name which is not secret.
> ||
> || Do you want to say, that the security part of this bug could be closed?
>
> Sorry, no, only that the revoke part has no security problem. The grant
> part still does.
>
> || Sorry yes I mean 11-4, not 10-4 :)
>
> Right. Well, if the offending code is gone in 11-4 that would be the end
> of the problem, but even without checking I suspect it's still there.
>
> Ciao. Vincent.

It looks like those issues were introduced by Debian years ago with the
patch 03-authatieventsd.sh.diff and I can't say for what it is really
there (it already was available @ fglrx, where I was not the maintainer).
Could you please deapply it and look if everything is right?

--
/* Mit freundlichem Gruß / With kind regards,
Patrick Matthäi
GNU/Linux Debian Developer
E-Mail: pmatth...@debian.org
        patr...@linux-dev.org
Comment: Always if we think we are right, we were maybe wrong. */
Bug#625868: [Pkg-fglrx-devel] Bug#625868: auth event shows secret xauth cookie on command line
On 08.05.2011 23:58, Vincent Zweije wrote:
> On Sun, May 08, 2011 at 11:51:40PM +0200, Vincent Zweije wrote:
>
> || Looking at /etc/ati/authatieventsd.sh, this piece of code is wrong:
> ||
> ||     revoke)
> ||         if [ `pinky -fs | awk '{ if ($3 == '$2' || $(NF) == '$2' ) { print $1; exit; } }'` ]; then
> ||             user=`pinky -fs | awk '{ if ($3 == '$2' || $(NF) == '$2' ) { print $1; exit; } }'`
> ||             su $user -c "xauth -f $3 remove $2" || exit -1
> ||         else
> ||             xauth -f $3 remove $2 || exit -1
> ||
> || And strictly speaking, the same twice here, but the secret is being
> || removed so exploiting its knowledge would be very hard though not
> || theoretically impossible. Anyway, if you're fixing the grant case, do the
> || revoke case at the same time so they use the same method. It's just good
> || software engineering.
>
> I think I had my eyes crossed here. No secret cookie is being mentioned,
> only the display name which is not secret.

Do you want to say, that the security part of this bug could be closed?

Sorry yes I mean 11-4, not 10-4 :)
Bug#625868: [Pkg-fglrx-devel] Bug#625868: auth event shows secret xauth cookie on command line
On Mon, May 09, 2011 at 08:57:24AM +0200, Patrick Matthäi wrote:

|| On 08.05.2011 23:58, Vincent Zweije wrote:
|| > On Sun, May 08, 2011 at 11:51:40PM +0200, Vincent Zweije wrote:
|| >
|| > || Looking at /etc/ati/authatieventsd.sh, this piece of code is wrong:
|| > ||
|| > ||     revoke)
|| > ||         if [ `pinky -fs | awk '{ if ($3 == '$2' || $(NF) == '$2' ) { print $1; exit; } }'` ]; then
|| > ||             user=`pinky -fs | awk '{ if ($3 == '$2' || $(NF) == '$2' ) { print $1; exit; } }'`
|| > ||             su $user -c "xauth -f $3 remove $2" || exit -1
|| > ||         else
|| > ||             xauth -f $3 remove $2 || exit -1
|| > ||
|| > || And strictly speaking, the same twice here, but the secret is being
|| > || removed so exploiting its knowledge would be very hard though not
|| > || theoretically impossible. Anyway, if you're fixing the grant case, do the
|| > || revoke case at the same time so they use the same method. It's just good
|| > || software engineering.
|| >
|| > I think I had my eyes crossed here. No secret cookie is being mentioned,
|| > only the display name which is not secret.
||
|| Do you want to say, that the security part of this bug could be closed?

Sorry, no, only that the revoke part has no security problem. The grant
part still does.

|| Sorry yes I mean 11-4, not 10-4 :)

Right. Well, if the offending code is gone in 11-4 that would be the end
of the problem, but even without checking I suspect it's still there.

Ciao. Vincent.
--
Vincent Zweije vinc...@zweije.nl      | If you're flamed in a group you
http://www.xs4all.nl/~zweije/         | don't read, does anybody get burnt?
[Xhost should be taken out and shot]  |            -- Paul Tomblin on a.s.r.
Bug#625868: [Pkg-fglrx-devel] Bug#625868: auth event shows secret xauth cookie on command line
On 06.05.2011 15:10, Giuseppe Iuculano wrote:
> Package: fglrx-atieventsd
> Version: 1:11-3-1
> Severity: grave
> Tags: security
>
> Hi Vincent,
>
> thanks for contacting us, fglrx-driver is non-free, but I'm opening a new
> Debian bug against it.
>
> Cheers,
> Giuseppe.
>
> On 05/04/2011 11:12 AM, Vincent Zweije wrote:
> > Package: fglrx-atieventsd
> > Version: 1:11-3-1
> > Severity: grave
> > Tags: security
> >
> > After having logged on and off on a gnome testing system, I can see the
> > xauth X authentication cookie in the process list, even as another user:
> >
> >     nobody@arrow:/$ ps axlO+T | grep ati[e]vnt
> >     0 0 32530 23664 20 0 3264 804 ? S? 0:00 /bin/sh /etc/ati/authatieventsd.sh grant :0 /tmp/atievntX.aWEZgM
> >     4 1000 32548 32530 20 0 4296 628 ? S? 0:00 su vincent -c xauth -f /tmp/atievntX.aWEZgM add :0 . 76662e1da9b24d7ce5de363900837c18
> >     0 1000 32555 32548 20 0 2936 324 ? S? 0:00 xauth -f /tmp/atievntX.aWEZgM add :0 . 76662e1da9b24d7ce5de363900837c18
> >     nobody@arrow:/$
> >
> > Such a cookie allows in principle unlimited access to an X server, with
> > possibilities for, for instance, keystroke snooping.
> >
> > Although the relevant X session is already closed in this example, this
> > information must also have been present when the session was still active.
> >
> > Xauth allows for such cookies to be read from stdin instead of from the
> > command line. There is no justification for passing it on the command line.

Hello,

I am a bit limited in my time, but I tried to reproduce it with fglrx 10-4
from unstable and kdm as login manager, but I was not suc.

* grepping for it = false
* logging in and then grepping for it = false
* after that shutting down kdm = false

Could you please retest it with 10-4? Did you install the driver from
another location (amd website e.g.) before?

--
/* Mit freundlichem Gruß / With kind regards,
Patrick Matthäi
GNU/Linux Debian Developer
E-Mail: pmatth...@debian.org
        patr...@linux-dev.org
Comment: Always if we think we are right, we were maybe wrong. */
Bug#625868: [Pkg-fglrx-devel] Bug#625868: auth event shows secret xauth cookie on command line
On Sun, May 08, 2011 at 11:51:40PM +0200, Vincent Zweije wrote:

|| Looking at /etc/ati/authatieventsd.sh, this piece of code is wrong:
||
||     revoke)
||         if [ `pinky -fs | awk '{ if ($3 == '$2' || $(NF) == '$2' ) { print $1; exit; } }'` ]; then
||             user=`pinky -fs | awk '{ if ($3 == '$2' || $(NF) == '$2' ) { print $1; exit; } }'`
||             su $user -c "xauth -f $3 remove $2" || exit -1
||         else
||             xauth -f $3 remove $2 || exit -1
||
|| And strictly speaking, the same twice here, but the secret is being
|| removed so exploiting its knowledge would be very hard though not
|| theoretically impossible. Anyway, if you're fixing the grant case, do the
|| revoke case at the same time so they use the same method. It's just good
|| software engineering.

I think I had my eyes crossed here. No secret cookie is being mentioned,
only the display name which is not secret.

Ciao. Vincent.
--
Vincent Zweije vinc...@zweije.nl      | If you're flamed in a group you
http://www.xs4all.nl/~zweije/         | don't read, does anybody get burnt?
[Xhost should be taken out and shot]  |            -- Paul Tomblin on a.s.r.
Bug#625868: [Pkg-fglrx-devel] Bug#625868: auth event shows secret xauth cookie on command line
On Sun, May 08, 2011 at 10:06:08PM +0200, Patrick Matthäi wrote:

|| On 06.05.2011 15:10, Giuseppe Iuculano wrote:
|| > On 05/04/2011 11:12 AM, Vincent Zweije wrote:
|| > >     nobody@arrow:/$ ps axlO+T | grep ati[e]vnt
|| > >     0 0 32530 23664 20 0 3264 804 ? S? 0:00 /bin/sh /etc/ati/authatieventsd.sh grant :0 /tmp/atievntX.aWEZgM
|| > >     4 1000 32548 32530 20 0 4296 628 ? S? 0:00 su vincent -c xauth -f /tmp/atievntX.aWEZgM add :0 . 76662e1da9b24d7ce5de363900837c18
|| > >     0 1000 32555 32548 20 0 2936 324 ? S? 0:00 xauth -f /tmp/atievntX.aWEZgM add :0 . 76662e1da9b24d7ce5de363900837c18
|| > >     nobody@arrow:/$
||
|| I am a bit limited in my time, but I tried to reproduce it with fglrx 10-4
|| from unstable and kdm as login manager, but I was not suc.
||
|| * grepping for it = false
|| * logging in and then grepping for it = false
|| * after that shutting down kdm = false

Would that be 11-4, instead of 10-4?

I'd suspect that for some unknown reason, xauth process 32555 above hangs,
and that that is still there to see. Normally xauth is a short lived process
and it would not show up in a process listing unless you timed it very
precisely (which is, by the way, another mitigating factor re security).

Looking at /etc/ati/authatieventsd.sh, this piece of code is wrong:

    case $1 in
    grant)
        GetServerAuthFile $2 || exit -1
        DISP_AUTH_KEY=`xauth -f $SERVER_AUTH_FILE list | grep $DISP_SEARCH_STRING | awk '{ print $3 }'`
        if [ `pinky -fs | awk '{ if ($3 == '$2' || $(NF) == '$2' ) { print $1; exit; } }'` ]; then
            user=`pinky -fs | awk '{ if ($3 == '$2' || $(NF) == '$2' ) { print $1; exit; } }'`
            if [ -n $DISP_AUTH_KEY ]; then
                su $user -c "xauth -f $3 add $2 . $DISP_AUTH_KEY" || exit -1

The $DISP_AUTH_KEY here puts the secret cookie on a command line. You just
should not do this. Write it to a temp file instead of catching it in the
DISP_AUTH_KEY variable, then have the su-xauth command read it from there.
Even better would be to use pipes only, but that may require quite a bit of
shell hackery if doable at all. For xauth scripting tasks it ought to be
possible though. As a basic rule, catching the cookie in a variable is
useless because the only way to use it is to put it on the command line for
others to see (or export it to the environment, but that would be worse
even.)

            else
                exit -1
            fi
        else
            if [ -n $DISP_AUTH_KEY ]; then
                xauth -f $3 add $2 . $DISP_AUTH_KEY || exit -1

Same here.

            else
                exit -1
            fi
        fi
        ;;
    revoke)
        if [ `pinky -fs | awk '{ if ($3 == '$2' || $(NF) == '$2' ) { print $1; exit; } }'` ]; then
            user=`pinky -fs | awk '{ if ($3 == '$2' || $(NF) == '$2' ) { print $1; exit; } }'`
            su $user -c "xauth -f $3 remove $2" || exit -1
        else
            xauth -f $3 remove $2 || exit -1

And strictly speaking, the same twice here, but the secret is being removed
so exploiting its knowledge would be very hard though not theoretically
impossible. Anyway, if you're fixing the grant case, do the revoke case at
the same time so they use the same method. It's just good software
engineering.

        fi
        ;;
    *)
        exit -1
        ;;
    esac
    exit 0

|| Could you please retest it with 10-4? Did you install the driver from
|| another location (amd website e.g.) before?

I have the following apt package sources:

    $ apt-cache policy fglrx-atieventsd
    fglrx-atieventsd:
      Installed: 1:11-3-1
      Candidate: 1:11-3-1
      Version table:
         1:11-4-2 0
            650 http://ftp.nl.debian.org/debian/ unstable/non-free i386 Packages
     *** 1:11-3-1 0
            700 http://ftp.nl.debian.org/debian/ testing/non-free i386 Packages
            100 /var/lib/dpkg/status
         1:10-9-3 0
            600 http://ftp.nl.debian.org/debian/ stable/non-free i386 Packages
    $

So, not installed from any other location.

--
Vincent Zweije vinc...@zweije.nl      | If you're flamed in a group you
http://www.xs4all.nl/~zweije/         | don't read, does anybody get burnt?
[Xhost should be taken out and shot]  |            -- Paul Tomblin on a.s.r.
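The exposure analysed in the May 8 message above, and the reason the July 5 reply rejects wrapping the echo inside `su -c`, as an added example that is not from the bug report or from the fglrx package: a POSIX shell script that uses a stand-in helper instead of xauth (so it runs without an X server) and reads /proc/<pid>/cmdline, which is what `ps` shows every local user. It checks that a secret passed as an argument is readable in the helper's argv, that the same secret fed on stdin (the `xauth merge -` pattern) is not, and adds a defender-side scan of /proc for any argument shaped like a 32-hex-digit cookie. Linux is assumed for /proc; the cookie value and the function names are the example's own.

```shell
#!/bin/sh
# Added example; not code from this bug report or from the fglrx package.
# Shows, with a stand-in for xauth, why a secret handed to a helper as a
# command-line argument is visible to every local user, and that the same
# secret fed on stdin (the "xauth merge -" pattern) is not.
# Assumes Linux: the checks read /proc/<pid>/cmdline, which is what ps shows.
set -u

# Constructed sample cookie (32 hex digits, the MIT-MAGIC-COOKIE-1 shape).
# Not a real cookie.
COOKIE="0123456789abcdef0123456789abcdef"

# Stand-in helper that receives the secret as argument $1, like the original
# "xauth -f $3 add $2 . $DISP_AUTH_KEY". It prints its own argv (NUL-separated
# in /proc, shown here space-separated), i.e. what any other user can read.
# The trailing "echo" keeps the shell from exec-ing tr in place of itself.
consumer_with_arg() {
    sh -c 'tr "\000" " " < /proc/$$/cmdline; echo' helper "$1"
}

# Same stand-in, but the secret arrives on stdin (the "xauth -f $3 merge -"
# pattern): it drains stdin and then prints its own argv.
consumer_from_stdin() {
    sh -c 'cat >/dev/null; tr "\000" " " < /proc/$$/cmdline; echo' helper
}

# "exposed" if the cookie is readable in the helper's argv, else "hidden".
argv_exposure_when_passed_as_argument() {
    case "$(consumer_with_arg "$COOKIE")" in
        *"$COOKIE"*) echo exposed ;;
        *)           echo hidden ;;
    esac
}

argv_exposure_when_piped() {
    # The line has the "display . cookie" shape that xauth merge reads.
    case "$(printf '%s\n' ":0 . $COOKIE" | consumer_from_stdin)" in
        *"$COOKIE"*) echo exposed ;;
        *)           echo hidden ;;
    esac
}

# Defender-side audit: print the PID of every process that has an argument
# shaped like a 32-hex-digit cookie; prints nothing on a clean host.
# A wrapper such as su $user -c "echo ... $COOKIE | xauth ..." is caught
# here too, because the cookie is then an argument of the su process.
scan_proc_for_cookie_like_args() {
    for f in /proc/[0-9]*/cmdline; do
        pid=${f#/proc/}
        pid=${pid%/cmdline}
        if tr '\000' '\n' < "$f" 2>/dev/null | grep -Eqx '[0-9a-f]{32}'; then
            echo "$pid"
        fi
    done
}

echo "secret passed as argument: $(argv_exposure_when_passed_as_argument)"
echo "secret passed on stdin:    $(argv_exposure_when_piped)"
```

The helper inspects its own /proc entry rather than racing a `ps` against a short-lived child, so the result is deterministic; the scan function is the part you would actually run on a host, and it flags the `su` wrapper from the committed diff just as it flags the original `xauth ... add` call, which is why the cookie must enter the chain through a pipe that `su`'s child inherits rather than through any argument.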