Package: openssh-server

When logging in with X11 forwarding enabled, the $DISPLAY environment variable
may outlive the forwarding socket it points at. As a result, X11 clients may
eventually open a socket controlled by another user and display on the wrong
screen with potential security implications.

To reproduce:

  $ ssh -X importantu...@somemachine
  somemachine$ echo $DISPLAY
  localhost:10.0
  somemachine$ screen -S longlasting -d -m 
  somemachine$ logout

  $ Xserver :1
  $ export DISPLAY=:1 
  $ xhost + # Make the target X server accept any clients
  $ ssh -R 6010:localhost:6001 p...@somemachine sleep 10d

Later, the important user or their long-running process launches some X
client. It shows up on the display controlled by peon:

  $ ssh -X importantu...@somemachine
  $ echo $DISPLAY
  localhost:23.0
  $ screen -r longlasting
  $ echo $DISPLAY
  localhost:10.0
  $ xterm

Potential fixes:

* sshd should use unix domain sockets instead of TCP, and should leave the
  socket file behind when the user logs out to prevent reuse.

* X11 clients should authenticate the server in addition to the other way
  around (maybe requires fundamental changes in xlib)

-- 
Brian Ristuccia
br...@ristuccia.com
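
A check for the condition reported above, as an added example that is not part of the original report or of OpenSSH: before starting an X client, map $DISPLAY to its TCP port (6000 + display number) and look up which uid owns the listener in /proc/net/tcp. It assumes Linux, an IPv4 loopback listener, and that the forwarding socket is owned by the logged-in user's uid; the function names, the sample table and uids 1000/1001 are constructed for illustration.

```python
import os
import re

X11_BASE_PORT = 6000
TCP_LISTEN = "0A"  # LISTEN state code in /proc/net/tcp

# Constructed sample: uid 1001 listens on 127.0.0.1:6010 (0x177A).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:177A 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 34567 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1
"""

def display_port(display):
    """TCP port behind a forwarded display like 'localhost:10.0', else None."""
    m = re.fullmatch(r"(localhost|127\.0\.0\.1):(\d+)(\.\d+)?", display or "")
    return X11_BASE_PORT + int(m.group(2)) if m else None

def listener_uids(proc_net_tcp, port):
    """Set of uids owning IPv4 sockets in LISTEN state on `port`."""
    uids = set()
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 8:
            continue
        local_port = int(f[1].rsplit(":", 1)[1], 16)
        if f[3] == TCP_LISTEN and local_port == port:
            uids.add(int(f[7]))  # column 8 is the owning uid
    return uids

def check_display(display, proc_net_tcp, my_uid):
    """Classify $DISPLAY: not-forwarded, stale, ok, or foreign."""
    port = display_port(display)
    if port is None:
        return "not-forwarded"   # local or unix-socket display
    uids = listener_uids(proc_net_tcp, port)
    if not uids:
        return "stale"           # nothing listening any more
    return "ok" if uids == {my_uid} else "foreign"

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        table = fh.read()
    print(check_display(os.environ.get("DISPLAY"), table, os.getuid()))
```

A result of "foreign" or "stale" inside a long-running screen session means $DISPLAY no longer points at the forwarding set up for that login and should be reset before any X client is started.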


