Your message dated Fri, 16 Oct 2009 04:17:48 +0000
with message-id <e1myegc-0005cz...@ries.debian.org>
and subject line Bug#529306: fixed in slim 1.3.1-2
has caused the Debian Bug report #529306,
regarding slim: insecure xauth secret
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
529306: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529306
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: slim
Version: 1.3.0-2
Severity: grave
Tags: security
Hi,
From app.cpp:

    void App::CreateServerAuth() {
        /* create mit cookie */
        int i, r;
        int hexcount = 0;
        string authfile;
        string cmd;
        char *digits = "0123456789abcdef";
        srand( time(NULL) );
        for ( i = 0; i < 31; i++ ) {
            r = rand()%16;
            mcookie[i] = digits[r];
            if (r>9)
                hexcount++;
        }
        /* MIT-COOKIE: even occurrences of digits and hex digits */
        if ((hexcount%2) == 0) {
            r = rand()%10;
        } else {
            r = rand()%5+10;
        }
        mcookie[31] = digits[r];
        /* reinitialize auth file */
        authfile = cfg->getOption("authfile");
        remove(authfile.c_str());
        putenv(StrConcat("XAUTHORITY=", authfile.c_str()));
        cmd = cfg->getOption("xauth_path") + " -q -f " + authfile + " add :0 . " + mcookie;
        system(cmd.c_str());
    }

This function is used to create the x authority file in /var/run which is
then copied into the user's home directory on login. However this function
somehow defeats the purpose of xauth as the file itself is generated by
executing xauth via system and includes mcookie (the secret hex string) in
the command line. So as an attacker I can watch the process list, grab the
mcookie string and generate my own x auth cookie to have fun with the
victim's X session. The same problem exists in switchuser.cpp.

The easy fix would be to read this from stdin, xauth supports this. As a small
remark... I think using the time as a source for random data is also suboptimal
in this case.
Cheers
Nico
--- End Message ---
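
The two mitigations the report above suggests, as an added example (not code from the report or from slim): the cookie is read from /dev/urandom instead of rand() seeded with the time, and it reaches xauth on stdin so it never appears in the process list. The function names, /usr/bin/xauth and /tmp/example.auth are assumptions made for illustration.

```cpp
#include <cstdio>
#include <fstream>
#include <stdexcept>
#include <string>
#include <sys/wait.h>

// 128-bit cookie as 32 hex digits, read from the kernel CSPRNG.
std::string make_cookie() {
    unsigned char raw[16];
    std::ifstream rng("/dev/urandom", std::ios::binary);
    if (!rng.read(reinterpret_cast<char*>(raw), sizeof raw))
        throw std::runtime_error("cannot read /dev/urandom");
    static const char digits[] = "0123456789abcdef";
    std::string cookie;
    for (unsigned char b : raw) {
        cookie += digits[b >> 4];
        cookie += digits[b & 0x0f];
    }
    return cookie;
}

// Command line visible to other users in the process list: path and flags only.
std::string xauth_argv(const std::string& xauth_path, const std::string& authfile) {
    return xauth_path + " -q -f " + authfile;
}

// Commands xauth reads from stdin; the secret appears only here.
std::string xauth_script(const std::string& display, const std::string& cookie) {
    return "remove " + display + "\nadd " + display + " . " + cookie + "\nexit\n";
}

// Run cmdline through popen() and write script to its stdin.
// Returns the child's exit status, or -1 on any failure.
int feed_stdin(const std::string& cmdline, const std::string& script) {
    FILE* p = popen(cmdline.c_str(), "w");
    if (!p) return -1;
    bool ok = fwrite(script.data(), 1, script.size(), p) == script.size();
    int status = pclose(p);
    if (!ok || status == -1 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main() {
    // Assumed paths; a display manager would take them from its configuration.
    std::string cookie = make_cookie();
    return feed_stdin(xauth_argv("/usr/bin/xauth", "/tmp/example.auth"),
                      xauth_script(":0", cookie));
}
```

popen() still runs the command through the shell, so the xauth path and auth file name must come from trusted configuration.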
--- Begin Message ---
Source: slim
Source-Version: 1.3.1-2
We believe that the bug you reported is fixed in the latest version of
slim, which is due to be installed in the Debian FTP archive:
slim_1.3.1-2.diff.gz
to pool/main/s/slim/slim_1.3.1-2.diff.gz
slim_1.3.1-2.dsc
to pool/main/s/slim/slim_1.3.1-2.dsc
slim_1.3.1-2_i386.deb
to pool/main/s/slim/slim_1.3.1-2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 529...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nobuhiro Iwamatsu <iwama...@debian.org> (supplier of updated slim package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 21 Sep 2009 15:52:33 +0900
Source: slim
Binary: slim
Architecture: source i386
Version: 1.3.1-2
Distribution: unstable
Urgency: low
Maintainer: Nobuhiro Iwamatsu <iwama...@debian.org>
Changed-By: Nobuhiro Iwamatsu <iwama...@debian.org>
Description:
slim - desktop-independent graphical login manager for X11
Closes: 505332 510469 529306 536542
Changes:
slim (1.3.1-2) unstable; urgency=low
.
* Add Jens Peter Secher to Uploaders list.
* Update es.po (Closes: #510469)
* Fix FTBFS with GCC 4.4. (Closes: #505332)
* Fix insecure xauth secret. (Closes: #529306)
* Fix allows login as root without password. (Closes: #536542)
- Wrote explanation about this problem to README.Debian.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkrX7qUACgkQQSHHQzFw6+npRQCfeL+5qMhjIkD/J0lG0cNoLpzc
yDgAnigOADGH0YOhAkGVfylIGGcmWET8
=RjkV
-----END PGP SIGNATURE-----
--- End Message ---