[Pkg-fglrx-devel] Bug#625868: Bug#625868: auth event shows secret xauth cookie on command line

Patrick Matthäi pmatthaei at debian.org
Sun May 8 20:06:08 UTC 2011


On 06.05.2011 15:10, Giuseppe Iuculano wrote:
> Package: fglrx-atieventsd
> Version: 1:11-3-1
> Severity: grave
> Tags: security
> 
> 
> 
> Hi Vincent,
> 
> thanks for contacting us, fglrx-driver is non-free, but I'm opening a
> new Debian bug against it.
> 
> Cheers,
> Giuseppe.
> 
> On 05/04/2011 11:12 AM, Vincent Zweije wrote:
>> Package: fglrx-atieventsd
>> Version: 1:11-3-1
>> Severity: grave
>> Tags: security
>>
>> After having logged on and off on a gnome testing system, I can see the
>> xauth X authentication cookie in the process list, even as another user:
>>
>> nobody@arrow:/$ ps axlO+T | grep ati[e]vnt
>> 0     0 32530 23664  20   0   3264   804 ?      S    ?          0:00 /bin/sh /etc/ati/authatieventsd.sh grant :0 /tmp/atievntX.aWEZgM
>> 4  1000 32548 32530  20   0   4296   628 ?      S    ?          0:00 su vincent -c xauth -f /tmp/atievntX.aWEZgM add :0 . 76662e1da9b24d7ce5de363900837c18
>> 0  1000 32555 32548  20   0   2936   324 ?      S    ?          0:00 xauth -f /tmp/atievntX.aWEZgM add :0 . 76662e1da9b24d7ce5de363900837c18
>> nobody@arrow:/$
>>
>> Such a cookie allows in principle unlimited access to an X server,
>> with possibilities for, for instance, keystroke snooping.
>>
>> Although the relevant X session is already closed in this example, this
>> information must also have been present when the session was still active.
>>
>> Xauth allows for such cookies to be read from stdin instead of from
>> the command line. There is no justification for passing it on the
>> command line.

Hello,

I am a bit limited in my time, but I tried to reproduce it with fglrx
10-4 from unstable and kdm as login manager, but I was not successful.
* grepping for it => false
* logging in and then grepping for it => false
* after that shutting down kdm => false

Could you please retest it with 10-4? Did you install the driver from
another location (e.g. the AMD website) before?

-- 
/*
Mit freundlichem Gruß / With kind regards,
 Patrick Matthäi
 GNU/Linux Debian Developer

E-Mail: pmatthaei at debian.org
        patrick at linux-dev.org

Comment:
Always if we think we are right,
we were maybe wrong.
*/
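
The report's point that xauth can read the cookie from stdin, together with a check for the exposure it describes, as an added example that is not part of this thread or of the fglrx package. The function names, the sample process list and the dummy key are constructed for illustration.

```sh
#!/bin/sh
# Added illustration: function names and sample data are constructed.

# Hardened call: the key reaches xauth over a pipe, never through argv.
# printf is a builtin in dash and bash, so no process with the key in its
# argument list is created. "source -" makes xauth read commands from stdin.
xauth_add_via_stdin() {   # $1 = authority file, $2 = display, $3 = hex key
    printf 'add %s . %s\n' "$2" "$3" | xauth -q -f "$1" source -
}

# Audit: read `ps axl` output on stdin and print the PID (field 3) of every
# process whose argv shows "xauth ... add <display> <protocol> <hexkey>".
find_cookie_in_argv() {
    awk '{
        seen = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "xauth" || $i ~ /\/xauth$/) seen = 1
            if (seen && $i == "add" && i + 3 <= NF &&
                length($(i + 3)) >= 16 && $(i + 3) ~ /^[0-9A-Fa-f]+$/) {
                print $3
                next
            }
        }
    }'
}

# Constructed sample in the layout of the listing quoted above; the key is
# a dummy value and the last line shows the stdin form for comparison.
sample_ps_output() {
    cat <<'EOF'
0     0  4101  4000  20   0   3264   804 ?      S    ?          0:00 /bin/sh /etc/ati/authatieventsd.sh grant :0 /tmp/atievntX.EXAMPLE
4  1000  4102  4101  20   0   4296   628 ?      S    ?          0:00 su alice -c xauth -f /tmp/atievntX.EXAMPLE add :0 . 00112233445566778899aabbccddeeff
0  1000  4103  4102  20   0   2936   324 ?      S    ?          0:00 xauth -f /tmp/atievntX.EXAMPLE add :0 . 00112233445566778899aabbccddeeff
0  1000  4104  4102  20   0   2936   324 ?      S    ?          0:00 xauth -q -f /tmp/atievntX.EXAMPLE source -
EOF
}

sample_ps_output | find_cookie_in_argv   # prints 4102 and 4103
```

On a live system the audit reads real data with `ps axl | find_cookie_in_argv`.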
