[edgy] fd leak in Xinput module

Bug #66776 reported by Kees Cook on 2006-10-18
254
Affects Status Importance Assigned to Milestone
X.Org X server
Fix Released
Medium
libx11 (Ubuntu)
High
Kees Cook

Bug Description

To be fixed post-RC in edgy, libX11 leaks an env-controlled fd, potentially with elevated privs.

See line 620:
http://gitweb.freedesktop.org/?p=xorg/lib/libX11.git;a=blob;hb=abda4d223e9cce9ac6e7b5d82a5680d9a502e52a;f=modules/im/ximcp/imLcIm.c

CVE References

Created an attachment (id=7459)
kill double open

Kees Cook (kees) wrote :

To be fixed post-RC in edgy, libX11 leaks an env-controlled fd, potentially with elevated privs.

See line 620:
http://gitweb.freedesktop.org/?p=xorg/lib/libX11.git;a=blob;hb=abda4d223e9cce9ac6e7b5d82a5680d9a502e52a;f=modules/im/ximcp/imLcIm.c

Kees Cook (kees) wrote :
Kees Cook (kees) on 2006-10-18
Changed in libx11:
importance: Undecided → High
status: Unconfirmed → Fix Committed

Fixed with git commit 686bb8b35acf6cecae80fe89b2b5853f5816ce19.

Should this be fixed in 7.1 as well, or in the stable branch of libX11? Or just
a new release of libX11?

So far xterm seems to be the only problematic app (setgid), but with its normal
gid no security relevant files can be accessed.

Martin Pitt (pitti) wrote :

CVE-2006-5397 (hm, Malone's ability to attach a CVE number was recently broken, as it seems).

Changed in xorg-server:
status: Unknown → Confirmed
Kees Cook (kees) on 2006-10-19
Changed in libx11:
assignee: nobody → keescook
Kees Cook (kees) on 2006-10-19
Changed in libx11:
status: Fix Committed → Fix Released

I have the impression that the vulnerable code was added after 7.1, in a commit
from June 13.
Only libX11 1.0.2 and 1.0.3 are vulnerable. So I guess the upcoming 1.1 release
is enough.

BTW, this has been assigned CVE-2006-5397 by mitre.

marking as fixed, as we're shipping 1.1 with 7.2

Changed in xorg-server:
status: Confirmed → Fix Released
Changed in xorg-server:
importance: Unknown → Medium
Changed in xorg-server:
importance: Medium → Unknown
Changed in xorg-server:
importance: Unknown → Medium
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.