Insecure xfs start/stop script
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openSUSE | Fix Released | Unknown | |
xfs (Debian) | Fix Released | Unknown | |
xfs (Ubuntu) | Fix Released | Low | Unassigned |
Bug Description
Binary package hint: xfs
The xfs start/stop script /etc/init.d/xfs is insecure. There is a problematic function set_up_socket_dir in this script:
SOCKET_
[...]
```sh
set_up_socket_dir () {
    echo -n "Setting up X font server socket directory $SOCKET_DIR..."
    if [ -e $SOCKET_DIR ] && ! [ -d $SOCKET_DIR ]; then
        mv $SOCKET_DIR $SOCKET_DIR.$$
    fi
    if ! [ -d $SOCKET_DIR ]; then
        mkdir -m 1777 $SOCKET_DIR || :
        do_restorecon $SOCKET_DIR || :
    fi
    echo "done."
}
```
This function moves /tmp/.font-unix to /tmp/.font-unix.$$. Unfortunately, $$ is predictable and there is no test that /tmp/.font-unix.$$ does not already exist. So symlink attacks in particular are possible. The attack is only possible if /tmp/.font-unix does not already exist. Then an attacker could create a /tmp/.font-unix file (not directory) and create some symlinks in the form /tmp/.font-
I suggest deleting the contents of /tmp/.font-unix if this file is not a directory. For instance "rm -rf /tmp/.font-unix" should be ok ("rm" from coreutils should be safe). A possible fix is also described here: https:/
The problem was found in Ubuntu 8.04 (xfs-1:1.0.5-2). An exploit idea is attached.
[lspci]
00:00.0 Host bridge [0600]: ATI Technologies Inc RS200/RS200M AGP Bridge [IGP 340M] [1002:cbb2] (rev 02)
Subsystem: Sony Corporation Device [104d:8175]
01:05.0 VGA compatible controller [0300]: ATI Technologies Inc M9+ 5C61 [Radeon Mobility 9200 (AGP)] [1002:5c61] (rev 01)
Subsystem: Sony Corporation Device [104d:8175]
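One way to apply the suggestion in the report, as an added example and not the fix that was released by any of the affected distributions: a non-directory at the socket path is removed instead of being renamed to a `$$`-suffixed name, symlinks are tested for explicitly, and failures are no longer swallowed by `|| :`. The function name, the `$1` parameter and the `demo` scenario are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the packaged init script. The directory is passed as $1
# (an assumption, so the function can run against a scratch path); the
# original uses the global SOCKET_DIR and also calls do_restorecon.

set_up_socket_dir_safe () {
    dir=$1
    # -L also catches symlinks, which -e and -d silently follow.
    if [ -L "$dir" ] || { [ -e "$dir" ] && ! [ -d "$dir" ]; }; then
        # Remove the entry itself; nothing is renamed to "$dir.$$".
        # rm unlinks a symlink, not its target, and without -r it refuses
        # a directory swapped in after the test above.
        rm -f -- "$dir" || return 1
    fi
    if ! [ -d "$dir" ]; then
        # No -p and no "|| :": fail if something reappeared at the path.
        mkdir -m 1777 -- "$dir" || return 1
    fi
    # Final state: a real directory, not a link, owned by the invoking
    # user (root when run from the init script).
    [ -d "$dir" ] && ! [ -L "$dir" ] || return 1
    owner=$(ls -ldn -- "$dir" | awk '{print $3}')
    [ "$owner" = "$(id -u)" ]
}

# Constructed scenario in a scratch directory: the socket path is a symlink
# to a directory that must stay untouched. Prints the resulting listing.
demo () {
    scratch=$(mktemp -d) || return 1
    mkdir "$scratch/victim"
    echo keep > "$scratch/victim/data"
    ln -s "$scratch/victim" "$scratch/.font-unix"
    status=0
    set_up_socket_dir_safe "$scratch/.font-unix" || status=$?
    ls -la "$scratch" "$scratch/victim"
    rm -rf -- "$scratch"
    return "$status"
}

demo
```

Because `mkdir` is called without `-p` and its exit status is propagated, an entry recreated at the path between the removal and the `mkdir` makes the function fail instead of continuing with an attacker-chosen object.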
description: updated
Changed in xfs (Ubuntu):
importance: Undecided → Low
status: Incomplete → Triaged
tags: added: hardy
Changed in xfs (Debian):
status: Unknown → New
Changed in xfs (Debian):
status: New → Fix Released
[This is an automated message]
Hi bjoern,
Please attach the output of `lspci -vvnn` too.