Subject: xsrc/32804: minor security glitch in Xsession (xorg and xsrc)
To: None <xsrc-manager@netbsd.org, gnats-admin@netbsd.org,>
From: None <smb@cs.columbia.edu>
List: netbsd-bugs
Date: 02/12/2006 14:05:00
>Number:         32804
>Category:       xsrc
>Synopsis:       there's a race condition setting log file permissions in Xsession
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    xsrc-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Feb 12 14:05:00 +0000 2006
>Originator:     Steven M. Bellovin
>Release:        NetBSD 3.99.15
>Organization:
>Environment:
	
	
System: NetBSD bigboy.machshav.com 3.99.15 NetBSD 3.99.15 (BIGBOY) #0: Fri Feb 10 08:50:25 EST 2006 smb@bigboy.machshav.com:/usr/BUILD/obj/sys/arch/i386/compile/BIGBOY i386
Architecture: i386
Machine: i386
>Description:
	Near the start of Xsession -- both the pkgsrc and xsrc versions --
	there is the following code:

		if ( cp /dev/null "$errfile" 2> /dev/null )
		then
			chmod 600 "$errfile"

	An attacker who got in at just the right time could open the file
	for read before the chmod.
>How-To-Repeat:
	See above
>Fix:
	Delete the chmod and change the first line to

		if (umask 077 && cp /dev/null "$errfile" 2> /dev/null )

>Unformatted:
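
The two forms from the report side by side, as an added example that is not part of the original report or of Xsession itself: it prints the mode the log file has at the moment of creation, before any chmod runs. The function names, the temporary directory and the starting umask of 022 are assumptions made for the demonstration; the last case shows that umask only applies when the file is newly created.

```shell
#!/bin/sh
# Added example (not Xsession code): file mode at creation time for the
# original pattern and for the umask-in-subshell fix.

# Print the permission string (e.g. -rw-r--r--) of a file, portably.
perms() { ls -ld "$1" | cut -c1-10; }

# Original pattern: create first, chmod afterwards. Prints the mode the
# file has between the cp and the chmod, i.e. during the race window.
create_then_chmod() {
    if ( cp /dev/null "$1" 2> /dev/null )
    then
        perms "$1"
        chmod 600 "$1"
    fi
}

# Fix from the report: umask is set inside the subshell, so the file is
# created already restricted and the caller's umask is left unchanged.
create_with_umask() {
    if (umask 077 && cp /dev/null "$1" 2> /dev/null )
    then
        perms "$1"
    fi
}

demo() {
    dir=$(mktemp -d) || return 1
    umask 022    # constructed starting condition: a common default umask
    echo "original, mode before chmod: $(create_then_chmod "$dir/a")"
    echo "fixed, mode at creation:     $(create_with_umask "$dir/b")"
    # The subshell's umask 077 must not leak into the caller.
    : > "$dir/probe"
    echo "later file from caller:      $(perms "$dir/probe")"
    # A file that already exists is only truncated; it keeps its old mode.
    : > "$dir/c"; chmod 644 "$dir/c"
    echo "fixed, pre-existing 644:     $(create_with_umask "$dir/c")"
    rm -rf "$dir"
}
demo
```

With the chmod deleted as proposed, an error file left behind with a looser mode is not tightened by the umask form, so the pre-existing case is worth checking separately.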