There may also exist a security issue, where user alice creates specially crafted keymaps in /tmp/$HASH.xkm and then user bob launches X and the X system tries to re-use alice's evil keymap.
I'm unsure if the X server keymap loader is exploitable, but it is likely that keymaps should not be shared between users in this way (if nothing else, alice can upload a wacky keymap and bob may not know how to turn it off.)

-A

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to xorg-server in Ubuntu.
https://bugs.launchpad.net/bugs/972324

Title:
  server fails to start up if TMPDIR is set to something on a different filesystem from /var/lib/xkb

Status in “xorg-server” package in Ubuntu:
  Triaged

Bug description:
  If TMPDIR is set to something on a different filesystem from /var/lib/xkb, then the X server fails to start up as follows:

    [xkb] Can't rename /tmp/tmp.qHzEh1iHUk/dsc0-build/tmpdir/fileAfodkU to /var/lib/xkb/server-B20D7FC79C7F597315E3E501AEF10E0D866E8E92.xkm, error: Invalid cross-device link
    (EE) XKB: Couldn't compile keymap
    (EE) XKB: Failed to load keymap. Loading default keymap instead.
    [xkb] Can't rename /tmp/tmp.qHzEh1iHUk/dsc0-build/tmpdir/fileF2rYOh to /var/lib/xkb/server-B20D7FC79C7F597315E3E501AEF10E0D866E8E92.xkm, error: Invalid cross-device link
    (EE) XKB: Couldn't compile keymap
    XKB: Failed to compile keymap

  A simple way to reproduce this is to start a fresh schroot (preferably with overlayfs or LVM snapshots so that you can start from scratch trivially), make sure no /var/lib/xkb/server-*.xkm files exist, and run 'TMPDIR=/tmp xvfb-run sh'.

  This is because XkbDDXCompileKeymapByNames uses tempnam(xkm_output_dir, NULL) to create a temporary file. As documented, tempnam(3) prefers TMPDIR over the directory argument if TMPDIR is set. Perhaps this code should use something based on mkstemp(3) instead, which would permit finer-grained control.

  This makes it tedious to run DEP-8 test suites that require Xvfb, because adt-run sets TMPDIR.
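The mkstemp(3) approach suggested in the bug description, sketched as an added example (not code from the X server or from this bug report): the temporary file is created inside the output directory itself, so TMPDIR is never consulted and rename(2) stays on one filesystem. The function name, the ".tmp-XXXXXX" template and the demo file name are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: write `len` bytes to <dir>/<name> through a temp
 * file created in `dir`. mkstemp(3) uses the template path verbatim and
 * ignores TMPDIR, so temp file and target share a filesystem and
 * rename(2) cannot fail with EXDEV. Returns 0, or -1 with errno set. */
int write_output_atomically(const char *dir, const char *name,
                            const void *data, size_t len)
{
    char tmp[PATH_MAX], dst[PATH_MAX];
    const char *p = data;
    int fd, saved;

    if (snprintf(tmp, sizeof tmp, "%s/.tmp-XXXXXX", dir) >= (int)sizeof tmp ||
        snprintf(dst, sizeof dst, "%s/%s", dir, name) >= (int)sizeof dst) {
        errno = ENAMETOOLONG;
        return -1;
    }
    /* Opened with O_CREAT|O_EXCL, mode 0600: a file or symlink planted
     * under a guessed name is never opened or reused. */
    if ((fd = mkstemp(tmp)) < 0)
        return -1;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) goto fail;
        p += n;
        len -= (size_t)n;
    }
    /* Readers see either the old file or the complete new one. */
    if (fsync(fd) != 0 || rename(tmp, dst) != 0)
        goto fail;
    close(fd);
    return 0;
fail:
    saved = errno;
    close(fd);
    unlink(tmp);
    errno = saved;
    return -1;
}

int main(void)
{
    setenv("TMPDIR", "/nonexistent-tmpdir", 1);  /* has no effect on mkstemp */
    return write_output_atomically(".", "server-demo.xkm", "demo", 4) ? 1 : 0;
}
```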