oss-sec mailing list archives
Re: cve id request: insecure xauth cookie handling in fglrx (ati catalyst) driver
From: "Mike O'Connor" <mjo () dojo mi org>
Date: Thu, 21 Jul 2011 14:32:55 -0400
:Hi,
:
:This may be an odd request.  The proprietary fglrx driver has an
:info disclosure flaw in one of its shell scripts [0].  It passes the
:xauth secret cookie in an insecure manner (such that it's exposed to
:prying eyes in the output of ps for example).

One could argue that the shell script itself is "open source".

:
:The oddness in this request is that the driver is proprietary; but
:then again it is also included in most linux distributions in one form
:or another, so I think oss-sec is an appropriate forum.  There is also
:a specific additional right granted in the script's header: "Distro
:maintainers may modify this reference script as necessary to conform
:to their distribution policies."
:
:This is debian bug #625868 [1], and I've committed an untested fix
:(I don't use authatieventsd myself) to our svn repo [2].
:
:Note that there is discussion in the bug report claiming the
:debian-specific patch is to blame, but that conclusion is incorrect.
:The same flaw is also present in the upstream ati code as well.
:The debian code is only different in that it was made to handle a
:slightly different use case, but the underlying flaw is indeed
:present in both, so other distros are very likely affected as well.
:
:Note also that xauth's design makes this insecure usage seem like
:an obvious solution for the cookie handling problem, so there are
:probably many other flawed implementations like this, which could
:be found by grepping for xauth and auditing those cases handling
:the secret cookie.  This may be something worth calling out as a
:CWE.

It looks like you've seen the same kind of thing before:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526678
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529306

This may be worth a mention in the xauth man page.

:Credit goes to Vincent Zweije who submitted the debian bug report.
:
:Best wishes,
:Mike
:
:[0] common/etc/ati/authatieventsd.sh
:[1] http://bugs.debian.org/625868
:[2] svn://svn.debian.org/svn/pkg-fglrx/fglrx-driver/trunk

-- 
Michael J. O'Connor                                   mjo () dojo mi org
=--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"Supermodels don't usually date guys who live in the dirt."      -The Tick
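The exposure the thread describes, as an added example that is neither the fglrx authatieventsd.sh script nor the Debian fix: a cookie passed to a helper as a command-line argument is readable by any local user in `ps` output for as long as the helper runs, while the same cookie fed through a pipe on stdin never appears in any argv. The cookie value is constructed, and `sh` stands in for `xauth` so the snippet runs without an X installation.

```sh
#!/bin/sh
# Added example; not the fglrx authatieventsd.sh script and not the Debian fix.
# A secret handed to a helper as an argument sits in that helper's argv, which
# every local user can read with `ps` (or /proc/<pid>/cmdline on Linux) while
# the helper runs. A secret written to the helper's stdin never appears there.
# COOKIE is a constructed dummy value, not a real MIT-MAGIC-COOKIE-1.
COOKIE="deadbeefcafef00d0123456789abcdef"

# Shell fragment run *inside* the helper so that $$ is the helper's own pid.
# It prints the helper's argv the way ps shows it. The $(...) keeps the
# snapshot command from being exec'd in place of the helper, which would
# change which process image the pid refers to.
ARGV_SNAPSHOT='argv=$(if [ -r /proc/$$/cmdline ]; then tr "\0" " " < /proc/$$/cmdline; else ps -o args= -p $$; fi); printf "%s\n" "$argv"'

# Weak pattern, the shape of `xauth add $DISPLAY . $COOKIE`: sh stands in for
# xauth and reports its argv, which is exactly what ps would reveal.
cookie_via_argv() {
    sh -c "$ARGV_SNAPSHOT" xauth add :0 . "$1"
}

# Fixed pattern: the `add` command travels through a pipe on stdin. Real xauth
# reads commands from stdin when none is given on its command line, so the
# equivalent is:  printf 'add :0 . %s\n' "$COOKIE" | xauth -f "$authfile"
# The stand-in prints its argv and then drains stdin as xauth would read it.
cookie_via_stdin() {
    printf 'add :0 . %s\n' "$1" | sh -c "$ARGV_SNAPSHOT; cat >/dev/null" xauth -f /tmp/ati.auth
}

# True if $2 contains the string $1 (used to check the two snapshots).
contains() {
    case "$2" in *"$1"*) return 0 ;; *) return 1 ;; esac
}

echo "argv of weak helper : $(cookie_via_argv "$COOKIE")"
echo "argv of fixed helper: $(cookie_via_stdin "$COOKIE")"
```

Auditing for this pattern is a matter of grepping scripts for `xauth add` and checking whether the cookie expands into the argument list or is written to stdin.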