Note: This is an archival copy of Security Sun Alert 200413 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000298.1.
Article ID : 1000298.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2007-01-28
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in X Display Manager (xdm(1)) Xsession Script



Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System

Bug Id
6388471, 6423858

Date of Workaround Release
06-OCT-2006

Date of Resolved Release
29-JAN-2007

Impact

The X Display Manager (xdm(1)) manages a collection of X displays which may be on the local host or remote servers. A race condition in the Xsession script executed by xdm(1) may lead to either of the following issues:

1. A local unprivileged user may be able to view the xdm(1) error log file, $HOME/.xsession-errors, of another user (BugID 6388471).

This issue is also described in Xorg bug 5897:

https://bugs.freedesktop.org/show_bug.cgi?id=5897

2. A local unprivileged user may be able to view the alternate xdm(1) error log file, ${TMP-/tmp}/xses-$USER, of another user. In addition, when this alternate log file is in use, a local unprivileged user may be able to erase the contents of arbitrary files which are writable by another user. This alternate log file is only used if the $HOME/.xsession-errors file could not be created (BugID 6423858).

This issue is also described in Xorg bug 5898:

https://bugs.freedesktop.org/show_bug.cgi?id=5898


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 8 without patch 111844-04
  • Solaris 9 without patch 124830-01
  • Solaris 10 without patch 124457-01

x86 Platform

  • Solaris 8 without patch 111845-04
  • Solaris 9 without patch 124831-01
  • Solaris 10 without patch 124458-01

Symptoms

There are no predictable symptoms that would indicate the described issues have been exploited.


Workaround

To work around the described issues (until a patch is available), consider one of the two following workarounds:

A) Use an alternate login mechanism such as dtlogin(1) or, if using Solaris 10, gdm(1).

or:

B) Modify the xdm(1) configuration file, xdm-config, and create a new Xsession file using the following commands as the root user:

    # cd /usr/openwin/lib/X11/xdm
    # mv xdm-config xdm-config.orig
    # sed -e 's/cp \/dev\/null "$errfile"/umask 077 \&\& cp \/dev\/null "$errfile"/' Xsession > /etc/X11/Xsession
    # sed -e 's/\/usr\/openwin\/lib\/X11\/xdm\/Xsession/\/etc\/X11\/Xsession/' xdm-config.orig > xdm-config

then restore executable permissions to the new file by running the following command:

    # chmod 755 /etc/X11/Xsession
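
The effect of workaround B can be checked on a scratch copy before touching the real files. The following is an added example, not part of the original Sun Alert: it applies the advisory's first sed expression to a constructed two-line stand-in for the Xsession log-creation step and compares the mode of the log file each version creates under a umask of 022. The function names, the stand-in script and the use of mktemp(1) are assumptions of this example.

```shell
#!/bin/sh
# Added example. The fragment below is a constructed stand-in for the
# log-creation step, not the Solaris Xsession file itself.

# Write a two-line script to $1 that creates the error log in the form
# the advisory's sed pattern expects to find.
write_fragment() {
    cat > "$1" <<'EOF'
errfile="$1"
cp /dev/null "$errfile"
EOF
}

# Apply the first sed expression from workaround B: read $1, write $2.
apply_workaround() {
    sed -e 's/cp \/dev\/null "$errfile"/umask 077 \&\& cp \/dev\/null "$errfile"/' "$1" > "$2"
}

# Run script $1 in a subshell with a typical login umask of 022 and
# print the permission string of the log file it creates at $2.
created_mode() {
    rm -f "$2"
    ( umask 022; sh "$1" "$2" ) || return 1
    ls -ld "$2" | cut -c1-10
}

# Compare the unmodified and modified fragments in a scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    write_fragment "$d/Xsession.orig"
    apply_workaround "$d/Xsession.orig" "$d/Xsession.new"
    # before: -rw-r--r--  (log readable by other local users when created)
    echo "before: $(created_mode "$d/Xsession.orig" "$d/errors")"
    # after:  -rw-------  (log private from the moment it is created)
    echo "after:  $(created_mode "$d/Xsession.new" "$d/errors")"
    rm -rf "$d"
}

demo
```

Running the same `ls -ld` check against an existing $HOME/.xsession-errors shows whether a log created before the change is still readable by other users.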

Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 8 with patch 111844-04 or later
  • Solaris 9 with patch 124830-01 or later
  • Solaris 10 with patch 124457-01 or later

x86 Platform

  • Solaris 8 with patch 111845-04 or later
  • Solaris 9 with patch 124831-01 or later
  • Solaris 10 with patch 124458-01 or later


Modification History
12-Oct-2006:

  • Updated Relief/Workaround section

16-Oct-2006:

  • Updated Contributing Factors and Workaround sections

14-Dec-2006:

  • Updated Contributing Factors and Resolution sections

29-Jan-2007:

  • Updated Contributing Factors and Resolution sections
  • State: Resolved


References

124457-01
124458-01
124830-01
124831-01
111844-04
111845-04



