#200413: Security Vulnerability in X Display Manager (xdm(1)) Xsession Script

Security Vulnerability in X Display Manager (xdm(1)) Xsession Script

Category :	Security
Release Phase :	Resolved
Product :	Solaris 9 Operating System Solaris 10 Operating System Solaris 8 Operating System
Bug Id :	6388471, 6423858
Date of Workaround Release :	06-OCT-2006
Date of Resolved Release :	29-JAN-2007

Impact

The X Display Manager (xdm(1)) manages a collection of X displays which may be on the local host or remote servers. A race condition in the Xsession script executed by xdm(1) my lead to either of the following issues:

1. A local unprivileged user may be able to view the xdm(1) error log file, $HOME/.xsession-errors, of another user (BugID 6388471).

This issue is also described in Xorg bug 5897:

https://bugs.freedesktop.org/show_bug.cgi?id=5897

2. A local unprivileged user may be able to view the alternate xdm(1) error log file, ${TMP-/tmp}/xses-$USER, of another user. In addition, when this alternate log file is in use, a local unprivileged user may be able to erase the contents of arbitrary files which are writable by another user. This alternate log file is only used if the $HOME/.xsession-errors file could not be created (BugID 6423858).

This issue is also described in Xorg bug 5898:

https://bugs.freedesktop.org/show_bug.cgi?id=5898

Contributing Factors

This issue can occur in the following releases:

SPARC Platform

Solaris 8 without patch 111844-04
Solaris 9 without patch 124830-01
Solaris 10 without patch 124457-01

x86 Platform

Solaris 8 without patch 111845-04
Solaris 9 without patch 124831-01
Solaris 10 without patch 124458-01

Symptoms

There are no predictable symptoms that would indicate the described issues have been exploited.

Workaround

To work around the described issues (until a patch is available), consider one of the two following workarounds:

A) Use an alternate login mechanism such as dtlogin(1) or if using Solaris 10, gdm(1).

or:

B) Modify the xdm(1) configuration file, xdm-config, and create a new Xsession file using the following commands as the root user:

    # cd /usr/openwin/lib/X11/xdm

    # mv xdm-config xdm-config.orig

    # sed -e 's/cp \/dev\/null "$errfile"/umask 077 \&\& cp \/dev\/null "$errfile"/' Xsession > /etc/X11/Xsession

    # sed -e 's/\/usr\/openwin\/lib\/X11\/xdm\/Xsession/\/etc\/X11\/Xsession/' xdm-config.orig > xdm-config

then restore executable permissions to the file by running the following command:

    # chmod 755 Xsession

Resolution

This issue is addressed in the following releases:

SPARC Platform

Solaris 8 with patch 111844-04 or later
Solaris 9 with patch 124830-01 or later
Solaris 10 with patch 124457-01 or later

x86 Platform

Solaris 8 with patch 111845-04 or later
Solaris 9 with patch 124831-01 or later
Solaris 10 with patch 124458-01 or later

Modification History

Date: 12-OCT-2006

12-Oct-2006:

Updated Relief/Workaround section

Date: 16-OCT-2006

16-Oct-2006:

Updated Contributing Factors and Workaround sections

Date: 14-DEC-2006

14-Dec-2006:

Updated Contributing Factors and Resolution sections

Date: 29-JAN-2007

29-Jan-2007:

Updated Contributing Factors and Resolution sections
State: Resolved

Attachments

This solution has no attachment

Login Required

Login Required