Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: cve id request: insecure xauth cookie handling in fglrx (ati catalyst) driver
From: "Mike O'Connor" <mjo () dojo mi org>
Date: Thu, 21 Jul 2011 14:32:55 -0400

:Hi,
:
:This may be an odd request.  The proprietary fglrx driver has an
:info disclosure flaw in one of it's shell scripts [0].  It passes the

One could argue that the shell script itself is "open source".

:xauth secret cookie in an insecure manner (such that it's exposed to
:prying eyes in the output of ps for example).
:
:The oddness in this request is that the driver is proprietary; but
:then again it is also included in most linux distributions in one form
:or another, so I think oss-sec is an appropriate forum.  There is also
:a specific additional right granted in the script's header: "Distro
:maintainers may modify this reference script as necessary to conform
:to their distribution policies."
:
:This is debian bug #625868 [1], and I've commited an untested fix
:(I don't use authatieventsd myself) to our svn repo [2].
:
:Note that there is discussion in the bug report claiming the
:debian-specific patch is to blame, but that conclusion is incorrect.
:The same flaw is also present in the upstream ati code as well.
:The debian code is only different in that it was made to handle a
:slightly different use case, but the underlying flaw is indeed
:present in both, so other distros are very likely affected as well.
:
:Note also that xauth's design makes this insecure usage seem like
:an obvious solution for the cookie handling problem, so there are
:probably many other flawed implementations like this, which could
:be found by grepping for xauth and auditing those cases handling
:the secret cookie.  This may be something worth calling out as a
:CWE.

It looks like you've seen the same kind of thing before:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526678

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529306

This may be worth a mention in the xauth man page.

:Credit goes to Vincent Zweije who submitted the debian bug report.
:
:Best wishes,
:Mike
:
:[0] common/etc/ati/authatieventsd.sh
:[1] http://bugs.debian.org/625868
:[2] svn://svn.debian.org/svn/pkg-fglrx/fglrx-driver/trunk

-- 
 Michael J. O'Connor                                          mjo () dojo mi org
 =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"Supermodels don't usually date guys who live in the dirt."         -The Tick

Attachment: _bin
Description:


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]