Hi, Insecure xauth usage has led to a few security bugs recently fixed in Debian. Man page warnings may guide users/developers toward more secure usages. See attached patch for a possible solution.
This is also Debian bug #635109: http://bugs.debian.org/635109. Please cc me on replies as I'm not subscribed to this list. Best wishes, Mike
diff -u xauth-1.0.6/debian/changelog xauth-1.0.6/debian/changelog --- xauth-1.0.6/debian/changelog +++ xauth-1.0.6/debian/changelog @@ -1,3 +1,9 @@ +xauth (1:1.0.6-1.1) unstable; urgency=low + + * Add insecure cookie handling warnings to xauth man page. + + -- Michael Gilbert <[email protected]> Fri, 22 Jul 2011 14:48:17 -0400 + xauth (1:1.0.6-1) unstable; urgency=low * New upstream release. only in patch2: unchanged: --- xauth-1.0.6.orig/man/xauth.man +++ xauth-1.0.6/man/xauth.man @@ -90,6 +90,10 @@ A protocol name consisting of just a single period is treated as an abbreviation for \fIMIT-MAGIC-COOKIE-1\fP. +WARNING: This usage is considered insecure since the secret magic cookie +will be displayed in command histories and for example the output of ps. +One should use the "merge" command (as described below) instead. Pay +attention to it's warning as well. .TP 8 .B "generate \fIdisplayname protocolname\fP \fR[\fPtrusted|untrusted\fR]\fP" .B \fR[\fPtimeout \fIseconds\fP\fR]\fP \fR[\fPgroup \fIgroup-id\fP\fR]\fP \fR[\fBdata \fIhexdata\fR] @@ -155,6 +159,11 @@ the \fInmerge\fP command is used, the numeric format given in the description of the \fIextract\fP command is used. If a filename consists of just a single dash, the standard input will be read if it hasn't been read before. + +WARNING: Be careful with the single dash version as depending on the +command chain (for example a combination using sudo), the secret key +could be exposed to prying eyes in command histories and for example +in the output of ps. .TP 8 .B "remove \fIdisplayname\fR..." Authorization entries matching the specified displays are removed from the
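Review bot: the debian/changelog hunk (the 1:1.0.6-1.1 entry, "Add insecure cookie handling warnings to xauth man page") is Debian packaging, not part of the upstream xauth tree this list reviews; submit the man page change as a patch against xauth.man in the upstream repository and leave the changelog entry for the Debian NMU, otherwise the upstream committer has to strip it by hand.

Review bot: in the @@ -90 hunk the inserted "WARNING:" text follows the MIT-MAGIC-COOKIE-1 sentence with no paragraph break, so roff will run it into the preceding paragraph; put a `.PP` before `WARNING:` (the surrounding context uses `.TP 8` macros, not blank lines). Also `Pay attention to it's warning as well` should read `its warning`. Since the stdin form is shared by merge and nmerge, name both, and make the threat concrete: the hexkey is an argument to `add`, and arguments are visible to every local user through ps and are recorded in shell history.

Review bot: the @@ -155 hunk names the wrong thing as the hazard: reading from standard input with the single dash is precisely what keeps the key off the command line, so the warning should say that the danger is whatever feeds stdin, e.g. a literal key or a command substitution on the left of the pipe or inside a sudo invocation, not the dash itself. Something like "The data on standard input must not be produced by a command line that contains the key (for example `echo <hexkey> | xauth merge -`), since that command line is saved in the shell history and shown by ps" says what a reader has to avoid. The hunk also separates the paragraph with a bare `+` blank line where the page's macro style would use `.PP`, and "prying eyes" reads informally for a man page.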
_______________________________________________ [email protected]: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
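The exposure both man-page warnings describe, and the stdin-based transfer the patch recommends, as an added example that is not part of the original post or of xauth itself: it assumes a Linux /proc filesystem (the source ps reads), uses a constructed cookie value rather than a real MIT-MAGIC-COOKIE-1, and stands `sh -c 'sleep 5'` in for xauth so the demonstration runs without an X server; `copy_cookie_to_root` assumes display `:0` and sudo rights and is defined but not run.

```shell
#!/bin/sh
# Added example, not part of the original post or of xauth. A value passed as
# a command-line argument is readable by every local user through
# /proc/<pid>/cmdline (which is what ps prints); a value delivered on standard
# input is not. Assumes a Linux /proc.

SECRET=0123456789abcdef0123456789abcdef   # constructed 128-bit cookie, hex

# Exit 0 when NEEDLE occurs in the command line of process PID.
visible_in_cmdline() {
    pid=$1
    needle=$2
    tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null | grep -q -- "$needle"
}

# Insecure shape, as in `xauth add :0 . <hexkey>`: the secret is an argument
# of the child. `sh -c '...' argv0 "$SECRET"` stands in for xauth so the script
# runs on any box. Exit 0 means the secret was visible to ps.
argv_exposes_secret() {
    sh -c 'sleep 5; : "$1"' argv0 "$SECRET" &
    pid=$!
    sleep 1                      # let the child exec so /proc shows its argv
    if visible_in_cmdline "$pid" "$SECRET"; then rc=0; else rc=1; fi
    kill "$pid" 2>/dev/null
    wait "$pid" 2>/dev/null
    return "$rc"
}

# Secure shape, as in `... | xauth merge -`: the consumer reads the secret from
# stdin, so its argv carries nothing. Exit 0 means the secret was NOT visible
# in the consumer's command line.
stdin_hides_secret() {
    printf '%s\n' "$SECRET" | sh -c 'read secret; sleep 5' &
    pid=$!                       # pid of the consumer, the last pipeline stage
    sleep 1
    if visible_in_cmdline "$pid" "$SECRET"; then rc=1; else rc=0; fi
    kill "$pid" 2>/dev/null
    wait "$pid" 2>/dev/null
    return "$rc"
}

# The pattern the patch recommends for handing a cookie to another account
# (assumed scenario: display :0, target user root via sudo). `extract -`
# writes the binary authority record to stdout and `merge -` reads it from
# stdin, so the cookie never appears in argv or shell history. Not run here;
# call it on a host with xauth, a display and sudo rights.
copy_cookie_to_root() {
    xauth extract - :0 | sudo xauth merge -
}

# Anti-pattern the same warnings cover: the cookie is an argument twice, once
# to `add` and once inside the command substitution that lists it.
#   sudo xauth add :0 . "$(xauth list :0 | awk '{print $3}')"

main() {
    if argv_exposes_secret; then
        echo "argv: secret readable in /proc/<pid>/cmdline (ps would show it)"
    fi
    if stdin_hides_secret; then
        echo "stdin: secret absent from the consumer's command line"
    fi
}

main
```

The check reads /proc directly instead of calling ps so it works in minimal containers; the one-second sleeps give the background child time to exec before its command line is inspected.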
