Re: CVE id request: insecure xauth cookie handling in fglrx (ATI Catalyst) driver
From: "Mike O'Connor" <mjo () dojo mi org>
Date: Thu, 21 Jul 2011 14:32:55 -0400
:This may be an odd request. The proprietary fglrx driver has an
:info disclosure flaw in one of its shell scripts. It passes the
One could argue that the shell script itself is "open source".
:xauth secret cookie in an insecure manner (such that it's exposed to
:prying eyes in the output of ps for example).
:The oddness in this request is that the driver is proprietary; but
:then again it is also included in most Linux distributions in one form
:or another, so I think oss-sec is an appropriate forum. There is also
:a specific additional right granted in the script's header: "Distro
:maintainers may modify this reference script as necessary to conform
:to their distribution policies."
:This is debian bug #625868, and I've committed an untested fix
:(I don't use authatieventsd myself) to our svn repo.
:Note that there is discussion in the bug report claiming the
:debian-specific patch is to blame, but that conclusion is incorrect.
:The same flaw is also present in the upstream ati code as well.
:The debian code is only different in that it was made to handle a
:slightly different use case, but the underlying flaw is indeed
:present in both, so other distros are very likely affected as well.
:Note also that xauth's design makes this insecure usage seem like
:an obvious solution for the cookie handling problem, so there are
:probably many other flawed implementations like this, which could
:be found by grepping for xauth and auditing those cases handling
:the secret cookie. This may be something worth calling out as a
It looks like you've seen the same kind of thing before:
This may be worth a mention in the xauth man page.
:Credit goes to Vincent Zweije who submitted the debian bug report.
Michael J. O'Connor mjo () dojo mi org
"Supermodels don't usually date guys who live in the dirt." -The Tick
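The pattern discussed in this thread, as an added example that is not part of the post and is not code from the fglrx driver or from Debian's authatieventsd script (neither of which is reproduced above): a helper that passes the cookie to xauth as an argument, where any local user can read it from `ps` or /proc/PID/cmdline while xauth runs, beside two stdin-based forms that keep it out of every argv, and a grep heuristic of the kind the reporter suggests for finding such call sites in other scripts. The function names, the regexes and the sample script are this example's own; the audit runs without xauth installed, the three xauth wrappers need it.

```shell
#!/bin/sh
# Added example for the thread above. It is not code from the post, from the fglrx
# driver or from Debian's authatieventsd script (none of which is reproduced there);
# function names, regexes and the sample script are this example's own.

# INSECURE (the pattern the report describes): the cookie is an argument to xauth,
# so for as long as xauth runs any local user can read it from `ps -ef` output or
# from /proc/<pid>/cmdline.   $1 = display, $2 = hex cookie, $3 = authority file
xauth_add_via_argv() {
    xauth -f "$3" add "$1" MIT-MAGIC-COOKIE-1 "$2"
}

# SAFER: given no command on its own command line, xauth reads commands from stdin,
# so the cookie is never in any process's argv. printf is a builtin in dash and bash;
# were it an external binary the cookie would again be visible, briefly.
xauth_add_via_stdin() {
    printf 'add %s MIT-MAGIC-COOKIE-1 %s\n' "$1" "$2" | xauth -q -f "$3"
}

# SAFER, for copying an existing cookie between authority files: the cookie travels
# only through the pipe.   $1 = display, $2 = source file, $3 = destination file
xauth_copy_via_pipe() {
    xauth -f "$2" extract - "$1" | xauth -f "$3" merge -
}

# AUDIT, along the lines the poster suggests: print "file:line" for every
# "xauth ... add" whose cookie argument is a shell expansion or a 32-hex-digit
# literal. Lines that feed xauth through a pipe or a here-document are skipped.
# Heuristic: review hits by hand; it misses cookies hidden in a later word or split
# across lines. /dev/null is appended so grep always prefixes the file name.
audit_xauth_argv() {
    grep -nE 'xauth[^|#]*[[:space:]]add[[:space:]]' "$@" /dev/null 2>/dev/null \
        | grep -vE '[|][[:space:]]*xauth|<<' \
        | grep -E 'MIT-MAGIC-COOKIE-1[[:space:]]+("?\$|[0-9a-fA-F]{32})' \
        | cut -d: -f1,2
}

# Number of findings, as a plain integer.
count_argv_leaks() {
    audit_xauth_argv "$@" | wc -l | tr -d ' '
}

# Constructed sample script (not from any real driver package), written to the file
# named in $1: lines 4 and 5 leak the cookie through argv, the remaining lines do not.
write_sample_script() {
    cat > "$1" <<'SAMPLE'
#!/bin/sh
# constructed sample helper
COOKIE=$(mcookie)
xauth -f "$AUTHFILE" add "$DISPLAY" MIT-MAGIC-COOKIE-1 "$COOKIE"
xauth add :0 MIT-MAGIC-COOKIE-1 0123456789abcdef0123456789abcdef
printf 'add %s MIT-MAGIC-COOKIE-1 %s\n' "$DISPLAY" "$COOKIE" | xauth -q -f "$AUTHFILE"
xauth -f "$AUTHFILE" extract - "$DISPLAY" | xauth -f "$AUTHFILE.new" merge -
xauth -f "$AUTHFILE" <<XEOF
add $DISPLAY MIT-MAGIC-COOKIE-1 $COOKIE
XEOF
SAMPLE
}

# Usage: sh this_script.sh /etc/X11/*/*.sh ...   (prints file:line per finding)
if [ "$#" -gt 0 ]; then
    audit_xauth_argv "$@"
fi
```

The exposure window is only as long as xauth takes to run, but /proc/PID/cmdline is world-readable and trivially polled, so that is no protection; the stdin forms are the fix, and the audit is a starting point for the grep-and-review pass the reporter describes, not a complete detector.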