lightdm leaks FDs to child processes

Bug #927060 reported by Yves-Alexis Perez on 2012-02-05
266
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Light Display Manager
High
Robert Ancell
lightdm (Debian)
Fix Released
Unknown
lightdm (Ubuntu)
High
Robert Ancell
Oneiric
High
Marc Deslauriers
Precise
High
Robert Ancell

Bug Description

 affects lightdm
 affects debian
 security yes
 summary "lightdm leaks FDs to child processes"
 done

tag 658678 security
thanks
On dim., 2012-02-05 at 00:27 -0500, Austin Clements wrote:
> Package: lightdm
> Version: 1.0.6-3
> Severity: normal
>
> Dear Maintainer,
>
> lightdm appears to leak several file descriptors to the child process
> it creates for the session, which propagate to nearly every process
> running in an interactive session.
>
> For example, running ls -l /proc/self/fd from a terminal in X yields
>
> lrwx------ 1 amdragon amdragon 64 Feb 4 23:52 0 -> /dev/pts/15
> lrwx------ 1 amdragon amdragon 64 Feb 4 23:52 1 -> /dev/pts/15
> lr-x------ 1 amdragon amdragon 64 Feb 4 23:52 13 -> pipe:[10098]
> l-wx------ 1 amdragon amdragon 64 Feb 4 23:52 14 -> pipe:[10098]
> lr-x------ 1 amdragon amdragon 64 Feb 4 23:52 15 -> pipe:[10099]
> l-wx------ 1 amdragon amdragon 64 Feb 4 23:52 16 -> pipe:[10099]
> lrwx------ 1 amdragon amdragon 64 Feb 4 23:52 2 -> /dev/pts/15
> lr-x------ 1 amdragon amdragon 64 Feb 4 23:52 3 -> /proc/27874/fd/
> lr-x------ 1 amdragon amdragon 64 Feb 4 23:52 4 -> pipe:[9306]
> l-wx------ 1 amdragon amdragon 64 Feb 4 23:52 5 -> pipe:[9306]
> l-wx------ 1 amdragon amdragon 64 Feb 4 23:52 6
> -> /var/log/lightdm/lightdm.log
>
> FDs 4 through 16 were inherited from the lightdm process, as can be
> seen from its open FDs,
>
> $ sudo ls -l /proc/`pidof lightdm`/fd
> total 0
> lrwx------ 1 root root 64 Feb 4 23:54 0 -> /dev/null
> lrwx------ 1 root root 64 Feb 4 23:54 1 -> /dev/null
> lr-x------ 1 root root 64 Feb 4 23:54 10 -> pipe:[9315]
> l-wx------ 1 root root 64 Feb 4 23:54 11 -> pipe:[9315]
> lrwx------ 1 root root 64 Feb 4 23:54 12 -> socket:[10302]
> lr-x------ 1 root root 64 Feb 4 23:54 13 -> pipe:[10098]
> l-wx------ 1 root root 64 Feb 4 23:54 14 -> pipe:[10098]
> lr-x------ 1 root root 64 Feb 4 23:54 15 -> pipe:[10099]
> l-wx------ 1 root root 64 Feb 4 23:54 16 -> pipe:[10099]
> lrwx------ 1 root root 64 Feb 4 23:54 17 -> socket:[10101]
> lrwx------ 1 root root 64 Feb 4 23:54 2 -> /dev/null
> lrwx------ 1 root root 64 Feb 4 23:54 3 -> anon_inode:[eventfd]
> lr-x------ 1 root root 64 Feb 4 23:54 4 -> pipe:[9306]
> l-wx------ 1 root root 64 Feb 4 23:54 5 -> pipe:[9306]
> l-wx------ 1 root root 64 Feb 4 23:54 6
> -> /var/log/lightdm/lightdm.log
> lrwx------ 1 root root 64 Feb 4 23:54 7 -> anon_inode:[eventfd]
> lrwx------ 1 root root 64 Feb 4 23:54 8 -> socket:[8076]
> lrwx------ 1 root root 64 Feb 4 23:54 9 -> anon_inode:[eventfd]
>
> FD 6 is particularly worrisome, as it allows any process to write to
> the root-owned lightdm log.
>
> It might be relevant that I use an .xsession script and Xmonad with no
> desktop environment.

Yep, you seem to be right. I don't inherit them in all my processes, but
indeed xfce4-session has them. Forwarding to upstream and tagging
security.

I'm not completely sure what are the security impact right now as I
don't exactly know what the relevant “shared” fd except the lightdm.log.
There's one where the pipe is opened by Xorg too but that might be
normal.

Regards,
--
Yves-Alexis

affects: debian → lightdm (Debian)
Changed in lightdm (Debian):
importance: Undecided → Unknown
status: New → Unknown
Changed in lightdm:
status: New → Triaged
importance: Undecided → High
Changed in lightdm (Debian):
status: Unknown → Confirmed
Yves-Alexis Perez (corsac) wrote :

Any news on this?

Robert Ancell (robert-ancell) wrote :

No change yet...

Changed in lightdm:
assignee: nobody → Robert Ancell (robert-ancell)
status: Triaged → In Progress
Changed in lightdm (Ubuntu):
status: New → In Progress
importance: Undecided → High
Robert Ancell (robert-ancell) wrote :
Robert Ancell (robert-ancell) wrote :
Robert Ancell (robert-ancell) wrote :

I've identified and fixed the leaks for both the trunk and 1.0. These patches are not pushed anywhere except this bug and when committed will be immediately released in lightdm 1.0.8 and 1.1.4. Both patches contain regression tests to check no unknown file descriptors are passed to a session after a login.

The leaking file descriptors (7) were:
- The lightdm daemon log (write)
- The signal pipe used in the daemon to send signal notifications into the GLib main loop (read/write) - could potentially stop the daemon by simulating a SIGTERM.
- Two pipes used by the greeter to communicate with the daemon (both read/write). This pipe should be unused by this point (it would have been used to negotiate the session) but I haven't investigated if you could do any damage with it at this point.

These patches also need to be updated to check what happens when an XDMCP/VNC server is running as those fds might also leak.

I'm asking the Canonical security team to help with the timing of these releases; Yves-Alexis, Guido, let me know what you guys need there too.

Robert Ancell (robert-ancell) wrote :

Updated patch with regression tests that confirm XDMCP and VNC sessions don't have the socket file descriptors leaked to them.

Yves-Alexis Perez (corsac) wrote :

I'm ok for a release (as it's not in stable it's ok to push a new upstream release), I can upload a 1.0.8 to Debian today.

Guido Berhoerster (gber) wrote :

That'd be ok from my side as well, if you plan to delay the release please let me know the date.

Yves-Alexis Perez (corsac) wrote :

Any news for a release? (I can prepare packages with patches since the bug is public anyway, but if you prefer coordinated release it'd be nice to do it faster than slower :)

Yves-Alexis Perez (corsac) wrote :

Ping?

Robert Ancell (robert-ancell) wrote :

OK, security team says good to go. I've pushed these changes the the lightdm bzr branches and you guys can release whenever you like.

Changed in lightdm (Ubuntu Precise):
assignee: nobody → Robert Ancell (robert-ancell)
Changed in lightdm (Ubuntu Oneiric):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → In Progress
importance: Undecided → High
Changed in lightdm:
status: In Progress → Fix Released
Guido Berhoerster (gber) wrote :

Could you make this bug publicly accessible and obtain a CVE for it?

Martin Pitt (pitti) wrote :

The Debian bug is public, so I see little reason to keep this private. Making public.

visibility: private → public
tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.0.6-0ubuntu1.4

---------------
lightdm (1.0.6-0ubuntu1.4) oneiric-security; urgency=low

  * SECURITY UPDATE: file descriptor leak to child processes (LP: #927060)
    - debian/patches/12_dont-leak-fds.patch: clean up file descriptors in
      src/*.c, add tests to tests/*.
    - CVE number pending
 -- Marc Deslauriers <email address hidden> Sun, 04 Mar 2012 19:29:04 -0500

Changed in lightdm (Ubuntu Oneiric):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.1.6-0ubuntu1

---------------
lightdm (1.1.6-0ubuntu1) precise; urgency=low

  * Upload the new version to Ubuntu
  * Reshuffle a bit the vcs to use merge upstream correctly

  [ Robert Ancell ]
  * New upstream release:
    - Fix session wrapper working the same as it did in 1.1.3 (lp: #944736)
    - Stop file descriptors leaking into the session processes (lp: #927060)

  [ Martin Pitt ]
  * debian/control: Fix liblightdm-gobject-1-doc architecture to "all".
 -- Sebastien Bacher <email address hidden> Tue, 06 Mar 2012 13:45:29 +0100

Changed in lightdm (Ubuntu Precise):
status: In Progress → Fix Released
Changed in lightdm (Debian):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.