[Pkg-fglrx-devel] Bug#625868: Bug#625868: auth event shows secret xauth cookie on command line

Patrick Matthäi pmatthaei at debian.org
Mon Jul 4 19:01:05 UTC 2011


I have attached the diff I had committed to the subversion repository.

On 04.07.2011 15:23, Vincent Zweije wrote:
> On Wed, May 11, 2011 at 07:29:25PM +0200, Patrick Matthäi wrote:
> 
> ||  It looks like those issues were introduced by Debian years ago with the
> ||  patch 03-authatieventsd.sh.diff and I can't say what it is really
> ||  there for (it already was available @ fglrx, where I was not the maintainer).
> ||  Could you please de-apply it and look if everything is right?
> 
> Finally got around to looking at it.
> 
> Patch 03-* did not introduce the bad code, it just modified it. It
> contains the following part:
> 
>     -        if [ -n "$DISP_AUTH_KEY" ]; then
>     -            xauth -f $3 add $2 . $DISP_AUTH_KEY || exit -1
>     -        else
>     -            exit -1
> 
> Which means the original code already passes $DISP_AUTH_KEY on the
> command line.
> 
> Indeed, upstream source contains this snippet:
> 
>         DISP_AUTH_KEY=`xauth -f $SERVER_AUTH_FILE list | grep $DISP_SEARCH_STRING | awk '{ print $3 }'`
>         if [ -n "$DISP_AUTH_KEY" ]; then
>             xauth -f $3 add $2 . $DISP_AUTH_KEY || exit -1
>         else
>             exit -1
>         fi
> 
> which should probably be something like:
> 
>         DISP_AUTH_KEY=`xauth -f $SERVER_AUTH_FILE list | grep $DISP_SEARCH_STRING | awk '{ print $3 }'`
>         if [ -n "$DISP_AUTH_KEY" ]; then
>             echo "$2 . $DISP_AUTH_KEY" | xauth -f $3 merge - || exit -1
>         else
>             exit -1
>         fi
> 
> under the assumption that echo runs as a shell builtin, so does not use
> execve, so its command line arguments cannot be snarfed from outside.
> 
> However, better would be to put everything inside the pipeline and
> never read the cookie into a variable at all, saving an if as well
> (completely untested):
> 
>         xauth -f $SERVER_AUTH_FILE list | grep $DISP_SEARCH_STRING | \
>             awk '{printf "%s %s %s\n","'$2'",$2,$3}' | xauth -f $3 merge -
>         exit -1
> 
> You'll have to merge this with patch 03-*.
> 
> Ciao.                                                        Vincent.


-- 
/*
Mit freundlichem Gruß / With kind regards,
 Patrick Matthäi
 GNU/Linux Debian Developer

E-Mail: pmatthaei at debian.org
        patrick at linux-dev.org
*/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fglrx_aae.diff
Type: text/x-diff
Size: 1363 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-fglrx-devel/attachments/20110704/11aa48fc/attachment.diff>
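
As an added example (not code from this thread, the attached diff, or the fglrx package), one way to do the cookie transfer discussed above so that the cookie is never an argument of any exec'd command: the `list` output is rewritten into an `add` command and fed to `xauth source -` on standard input, used here instead of `merge -` because `add` takes the textual hex key that `list` prints. The function names and the four parameters of `copy_cookie` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from the fglrx package.
# The cookie only ever travels over pipes between processes; it is never an
# argument of an exec'd command, so it cannot show up in ps or /proc/*/cmdline.

# Read `xauth list` output on stdin ("display  protocol  hexkey" per line) and
# print one `add` command for `xauth source -`, renaming the entry to $1.
# Returns 2 for an unsafe display name, 1 if no well-formed entry was read.
cookie_to_add_cmd() {
    case $1 in
        # keep the display name from injecting extra xauth commands
        ''|*[!A-Za-z0-9_./:-]*) return 2 ;;
    esac
    awk -v as="$1" '
        NF == 3 && $3 ~ /^[0-9a-fA-F]+$/ {
            printf "add %s %s %s\n", as, $2, $3
            found = 1
            exit
        }
        END { exit !found }'
}

# copy_cookie SRC_AUTH_FILE SRC_DISPLAY DST_AUTH_FILE DST_DISPLAY
# (hypothetical helper; the four parameters are assumptions of this example)
copy_cookie() {
    xauth -f "$1" list "$2" | cookie_to_add_cmd "$4" |
        xauth -f "$3" source - || return 1
    # An empty match leaves the pipeline "successful", so confirm the entry.
    xauth -f "$3" list "$4" | grep -q .
}
```

Only display names and file paths are passed as arguments; the final `list` check catches the case where the source file had no matching entry.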

