Your message dated Tue, 18 Aug 2009 22:41:18 +0100
with message-id <1250631678.082462.5742.nullmai...@kmos.homeip.net>
and subject line Package slim has been removed from Debian
has caused the Debian Bug report #529306,
regarding slim: insecure xauth secret
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
529306: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529306
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: slim
Version: 1.3.0-2
Severity: grave
Tags: security
Hi,
From app.cpp:

    void App::CreateServerAuth() {
        /* create mit cookie */
        int i, r;
        int hexcount = 0;
        string authfile;
        string cmd;
        char *digits = "0123456789abcdef";
        srand( time(NULL) );
        for ( i = 0; i < 31; i++ ) {
            r = rand()%16;
            mcookie[i] = digits[r];
            if (r>9)
                hexcount++;
        }
        /* MIT-COOKIE: even occurrences of digits and hex digits */
        if ((hexcount%2) == 0) {
            r = rand()%10;
        } else {
            r = rand()%5+10;
        }
        mcookie[31] = digits[r];
        /* reinitialize auth file */
        authfile = cfg->getOption("authfile");
        remove(authfile.c_str());
        putenv(StrConcat("XAUTHORITY=", authfile.c_str()));
        cmd = cfg->getOption("xauth_path") + " -q -f " + authfile + " add :0 . " + mcookie;
        system(cmd.c_str());
    }

This function is used to create the X authority file in /var/run which is
then copied into the user's home directory on login. However this function
somehow defeats the purpose of xauth as the file itself is generated by
executing xauth via system and includes mcookie (the secret hex string) in
the command line. So as an attacker I can watch the process list, grab the
mcookie string and generate my own xauth cookie to have fun with the
victim's X session. The same problem exists in switchuser.cpp.

The easy fix would be to read this from stdin, xauth supports this. As a
small remark... I think using the time as a source for random data is also
suboptimal in this case.

Cheers
Nico
--- End Message ---
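
An added example, not part of the original report and not slim's code, showing the two changes the report suggests: the cookie is taken from /dev/urandom instead of a time-seeded rand(), and it is handed to xauth on stdin so it never appears in a process argument list. The function names make_cookie and add_cookie_via_stdin and the demo auth file path are hypothetical; it assumes xauth reads commands from stdin when none is given on its command line.

```cpp
// Added example, not slim's code: cookie from the kernel CSPRNG, handed to
// xauth on stdin so it never appears in any process's argument list.
#include <stdio.h>
#include <fstream>
#include <stdexcept>
#include <string>

// 128-bit MIT-MAGIC-COOKIE-1 value as 32 hex digits, read from /dev/urandom.
std::string make_cookie() {
    unsigned char raw[16];
    std::ifstream urandom("/dev/urandom", std::ios::binary);
    if (!urandom.read(reinterpret_cast<char*>(raw), sizeof raw))
        throw std::runtime_error("cannot read /dev/urandom");
    static const char digits[] = "0123456789abcdef";
    std::string cookie;
    for (unsigned char b : raw) {
        cookie += digits[b >> 4];
        cookie += digits[b & 0x0f];
    }
    return cookie;
}

// Run tool_cmd (e.g. "/usr/bin/xauth -q -f <authfile>") with no xauth
// command on its command line, so xauth reads its commands from stdin and
// the secret only travels through the pipe. tool_cmd is assumed to come
// from trusted configuration, as xauth_path and authfile do in slim.
bool add_cookie_via_stdin(const std::string& tool_cmd,
                          const std::string& display,
                          const std::string& cookie) {
    FILE* fp = popen(tool_cmd.c_str(), "w");
    if (!fp) return false;
    bool ok = fprintf(fp, "add %s . %s\n", display.c_str(), cookie.c_str()) > 0;
    return pclose(fp) == 0 && ok;   // pclose flushes the pipe and reaps the child
}

int main() {
    // Constructed path for the demo; slim takes it from its "authfile" option.
    std::string cookie = make_cookie();
    bool ok = add_cookie_via_stdin("xauth -q -f /tmp/demo.auth", ":0", cookie);
    printf("xauth %s\n", ok ? "updated" : "failed");
    return ok ? 0 : 1;
}
```

While this runs, a process listing shows only "xauth -q -f /tmp/demo.auth"; the cookie is visible solely to the two ends of the pipe.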
--- Begin Message ---
Version: 1.3.0-2+rm
You filed the bug http://bugs.debian.org/529306 in Debian BTS
against the package slim. I'm closing it as fixed in *unstable*,
but it will remain open for older distributions.
For more information about this package's removal, read
http://bugs.debian.org/538921. That bug might give the reasons why
this package was removed and suggestions of possible replacements.
Don't hesitate to reply to this mail if you have any questions.
Thank you for your contribution to Debian.
--
Marco Rodrigues
--- End Message ---