lightdm leaks FDs to child processes
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Light Display Manager | | High | Robert Ancell | |
| lightdm (Debian) | Fix Released | Unknown | | |
| lightdm (Ubuntu) | | High | Robert Ancell | |
| Oneiric | | High | Marc Deslauriers | |
| Precise | | High | Robert Ancell | |
Bug Description
affects lightdm
affects debian
security yes
summary "lightdm leaks FDs to child processes"
done
tag 658678 security
thanks
On Sun., 2012-02-05 at 00:27 -0500, Austin Clements wrote:
> Package: lightdm
> Version: 1.0.6-3
> Severity: normal
>
> Dear Maintainer,
>
> lightdm appears to leak several file descriptors to the child process
> it creates for the session, which propagate to nearly every process
> running in an interactive session.
>
> For example, running ls -l /proc/self/fd from a terminal in X yields
>
> lrwx------ 1 amdragon amdragon 64 Feb 4 23:52 0 -> /dev/pts/15
> lrwx------ 1 amdragon amdragon 64 Feb 4 23:52 1 -> /dev/pts/15
> lr-x------ 1 amdragon amdragon 64 Feb 4 23:52 13 -> pipe:[10098]
> l-wx------ 1 amdragon amdragon 64 Feb 4 23:52 14 -> pipe:[10098]
> lr-x------ 1 amdragon amdragon 64 Feb 4 23:52 15 -> pipe:[10099]
> l-wx------ 1 amdragon amdragon 64 Feb 4 23:52 16 -> pipe:[10099]
> lrwx------ 1 amdragon amdragon 64 Feb 4 23:52 2 -> /dev/pts/15
> lr-x------ 1 amdragon amdragon 64 Feb 4 23:52 3 -> /proc/27874/fd/
> lr-x------ 1 amdragon amdragon 64 Feb 4 23:52 4 -> pipe:[9306]
> l-wx------ 1 amdragon amdragon 64 Feb 4 23:52 5 -> pipe:[9306]
> l-wx------ 1 amdragon amdragon 64 Feb 4 23:52 6 -> /var/log/
>
> FDs 4 through 16 were inherited from the lightdm process, as can be
> seen from its open FDs,
>
> $ sudo ls -l /proc/`pidof lightdm`/fd
> total 0
> lrwx------ 1 root root 64 Feb 4 23:54 0 -> /dev/null
> lrwx------ 1 root root 64 Feb 4 23:54 1 -> /dev/null
> lr-x------ 1 root root 64 Feb 4 23:54 10 -> pipe:[9315]
> l-wx------ 1 root root 64 Feb 4 23:54 11 -> pipe:[9315]
> lrwx------ 1 root root 64 Feb 4 23:54 12 -> socket:[10302]
> lr-x------ 1 root root 64 Feb 4 23:54 13 -> pipe:[10098]
> l-wx------ 1 root root 64 Feb 4 23:54 14 -> pipe:[10098]
> lr-x------ 1 root root 64 Feb 4 23:54 15 -> pipe:[10099]
> l-wx------ 1 root root 64 Feb 4 23:54 16 -> pipe:[10099]
> lrwx------ 1 root root 64 Feb 4 23:54 17 -> socket:[10101]
> lrwx------ 1 root root 64 Feb 4 23:54 2 -> /dev/null
> lrwx------ 1 root root 64 Feb 4 23:54 3 -> anon_inode:
> lr-x------ 1 root root 64 Feb 4 23:54 4 -> pipe:[9306]
> l-wx------ 1 root root 64 Feb 4 23:54 5 -> pipe:[9306]
> l-wx------ 1 root root 64 Feb 4 23:54 6 -> /var/log/
> lrwx------ 1 root root 64 Feb 4 23:54 7 -> anon_inode:
> lrwx------ 1 root root 64 Feb 4 23:54 8 -> socket:[8076]
> lrwx------ 1 root root 64 Feb 4 23:54 9 -> anon_inode:
>
> FD 6 is particularly worrisome, as it allows any process to write to
> the root-owned lightdm log.
>
> It might be relevant that I use an .xsession script and Xmonad with no
> desktop environment.
Yep, you seem to be right. I don't inherit them in all my processes, but
indeed xfce4-session has them. Forwarding to upstream and tagging
security.
I'm not completely sure what the security impact is right now, as I
don't exactly know what the relevant “shared” fds are, except for the lightdm.log.
There's one where the pipe is opened by Xorg too, but that might be
normal.
Regards,
--
Yves-Alexis
affects: | debian → lightdm (Debian) |
Changed in lightdm (Debian): | |
importance: | Undecided → Unknown |
status: | New → Unknown |
Changed in lightdm: | |
status: | New → Triaged |
importance: | Undecided → High |
Changed in lightdm (Debian): | |
status: | Unknown → Confirmed |
Yves-Alexis Perez (corsac) wrote : | #1 |
Robert Ancell (robert-ancell) wrote : | #2 |
No change yet...
Changed in lightdm: | |
assignee: | nobody → Robert Ancell (robert-ancell) |
status: | Triaged → In Progress |
Changed in lightdm (Ubuntu): | |
status: | New → In Progress |
importance: | Undecided → High |
Robert Ancell (robert-ancell) wrote : | #3 |
Robert Ancell (robert-ancell) wrote : | #4 |
Robert Ancell (robert-ancell) wrote : | #5 |
I've identified and fixed the leaks for both the trunk and 1.0. These patches are not pushed anywhere except this bug and when committed will be immediately released in lightdm 1.0.8 and 1.1.4. Both patches contain regression tests to check no unknown file descriptors are passed to a session after a login.
The leaking file descriptors (7) were:
- The lightdm daemon log (write)
- The signal pipe used in the daemon to send signal notifications into the GLib main loop (read/write) - could potentially stop the daemon by simulating a SIGTERM.
- Two pipes used by the greeter to communicate with the daemon (both read/write). This pipe should be unused by this point (it would have been used to negotiate the session) but I haven't investigated if you could do any damage with it at this point.
These patches also need to be updated to check what happens when an XDMCP/VNC server is running as those fds might also leak.
I'm asking the Canonical security team to help with the timing of these releases; Yves-Alexis, Guido, let me know what you guys need there too.
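The leak described in the report and the check the regression tests perform, as an added C example that is not lightdm's code: a pipe created the leaky way beside one created with O_CLOEXEC, a retrofit for descriptors such as the log that are already open, and a /proc/self/fd scan that counts what a session would inherit. It assumes Linux (pipe2, /proc) and the function names are mine.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

/* Leaky: plain pipe() sets no close-on-exec flag, so a session started with
 * exec() inherits both ends, as the /proc/self/fd listing in the report shows. */
static int leaky_pipe(int fds[2]) { return pipe(fds); }

/* Hardened: pipe2() with O_CLOEXEC makes the kernel close both ends on exec(). */
static int cloexec_pipe(int fds[2]) { return pipe2(fds, O_CLOEXEC); }

/* Retrofit for a descriptor opened earlier without O_CLOEXEC, e.g. the daemon log. */
static int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Count descriptors above stderr that would survive an exec(): the check the
 * regression tests in the thread make, done here by reading /proc/self/fd and
 * skipping the DIR handle itself (the "3 -> /proc/.../fd/" entry in the ls output). */
static int count_leaked_fds(void) {
    int leaked = 0, flags;
    DIR *d = opendir("/proc/self/fd");
    if (!d) {                                   /* no /proc: probe fd numbers instead */
        for (int fd = 3; fd < 65536; fd++)
            if ((flags = fcntl(fd, F_GETFD)) >= 0 && !(flags & FD_CLOEXEC)) leaked++;
        return leaked;
    }
    int self = dirfd(d); struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        int fd = atoi(e->d_name);               /* "." and ".." parse as 0, skipped below */
        if (fd <= 2 || fd == self) continue;
        if ((flags = fcntl(fd, F_GETFD)) >= 0 && !(flags & FD_CLOEXEC)) leaked++;
    }
    closedir(d);
    return leaked;
}

/* Create a pipe with mk(), optionally retrofit FD_CLOEXEC, and return how many
 * extra inheritable fds that left behind (2 for the leaky way, 0 when fixed). */
static int leak_delta(int (*mk)(int[2]), int retrofit) {
    int fds[2], before = count_leaked_fds();
    if (mk(fds) != 0) return -1;
    if (retrofit && (set_cloexec(fds[0]) != 0 || set_cloexec(fds[1]) != 0)) return -1;
    int delta = count_leaked_fds() - before;
    close(fds[0]); close(fds[1]);
    return delta;
}
```

Running count_leaked_fds() in a session process after login is the same check as the `ls -l /proc/self/fd` in the report, with the close-on-exec flag as the criterion.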
Robert Ancell (robert-ancell) wrote : | #6 |
Updated patch with regression tests that confirm XDMCP and VNC sessions don't have the socket file descriptors leaked to them.
Yves-Alexis Perez (corsac) wrote : | #7 |
I'm ok for a release (as it's not in stable it's ok to push a new upstream release), I can upload a 1.0.8 to Debian today.
Guido Berhoerster (gber) wrote : | #8 |
That'd be ok from my side as well, if you plan to delay the release please let me know the date.
Yves-Alexis Perez (corsac) wrote : | #9 |
Any news for a release? (I can prepare packages with patches since the bug is public anyway, but if you prefer coordinated release it'd be nice to do it faster than slower :)
Yves-Alexis Perez (corsac) wrote : | #10 |
Ping?
Robert Ancell (robert-ancell) wrote : | #11 |
OK, security team says good to go. I've pushed these changes to the lightdm bzr branches and you guys can release whenever you like.
Changed in lightdm (Ubuntu Precise): | |
assignee: | nobody → Robert Ancell (robert-ancell) |
Changed in lightdm (Ubuntu Oneiric): | |
assignee: | nobody → Marc Deslauriers (mdeslaur) |
status: | New → In Progress |
importance: | Undecided → High |
Changed in lightdm: | |
status: | In Progress → Fix Released |
Guido Berhoerster (gber) wrote : | #12 |
Could you make this bug publicly accessible and obtain a CVE for it?
Martin Pitt (pitti) wrote : | #13 |
The Debian bug is public, so I see little reason to keep this private. Making public.
visibility: | private → public |
tags: | added: patch |
Marc Deslauriers (mdeslaur) wrote : | #14 |
CVE requested: http://
Launchpad Janitor (janitor) wrote : | #15 |
This bug was fixed in the package lightdm - 1.0.6-0ubuntu1.4
---------------
lightdm (1.0.6-0ubuntu1.4) oneiric-security; urgency=low
* SECURITY UPDATE: file descriptor leak to child processes (LP: #927060)
- debian/
src/*.c, add tests to tests/*.
- CVE number pending
-- Marc Deslauriers <email address hidden> Sun, 04 Mar 2012 19:29:04 -0500
Changed in lightdm (Ubuntu Oneiric): | |
status: | In Progress → Fix Released |
Launchpad Janitor (janitor) wrote : | #16 |
This bug was fixed in the package lightdm - 1.1.6-0ubuntu1
---------------
lightdm (1.1.6-0ubuntu1) precise; urgency=low
* Upload the new version to Ubuntu
* Reshuffle a bit the vcs to use merge upstream correctly
[ Robert Ancell ]
* New upstream release:
- Fix session wrapper working the same as it did in 1.1.3 (lp: #944736)
- Stop file descriptors leaking into the session processes (lp: #927060)
[ Martin Pitt ]
* debian/control: Fix liblightdm-
-- Sebastien Bacher <email address hidden> Tue, 06 Mar 2012 13:45:29 +0100
Changed in lightdm (Ubuntu Precise): | |
status: | In Progress → Fix Released |
Changed in lightdm (Debian): | |
status: | Confirmed → Fix Released |
Any news on this?