[Pkg-fglrx-devel] Bug#625868: Bug#625868: auth event shows secret xauth cookie on command line

Patrick Matthäi pmatthaei at debian.org
Mon May 9 06:57:24 UTC 2011


On 08.05.2011 23:58, Vincent Zweije wrote:
> On Sun, May 08, 2011 at 11:51:40PM +0200, Vincent Zweije wrote:
>
> ||  Looking at /etc/ati/authatieventsd.sh, this piece of code is wrong:
>
> ||>      revoke)
> ||>          if [ `pinky -fs | awk '{ if ($3 == "'$2'" || $(NF) == "'$2'" ) { print $1; exit; } }'` ]; then
> ||>      	user=`pinky -fs | awk '{ if ($3 == "'$2'" || $(NF) == "'$2'" ) { print $1; exit; } }'`
> ||>      	su $user -c "xauth -f $3 remove $2" || exit -1
> ||>          else
> ||>      	xauth -f $3 remove $2 || exit -1
> ||
> ||  And strictly speaking, the same twice here, but the secret is being
> ||  removed so exploiting its knowledge would be very hard though not
> ||  theoretically impossible. Anyway, if you're fixing the grant case, do the
> ||  revoke case at the same time so they use the same method. It's just good
> ||  software engineering.
>
> I think I had my eyes crossed here. No secret cookie is being mentioned,
> only the display name which is not secret.
Do you want to say that the security part of this bug could be closed?



Sorry yes I mean 11-4, not 10-4 :)
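The distinction drawn in the thread (per xauth(1), `remove` takes only display names, while `add` takes the hexkey as an argument) can be checked mechanically. The following is an added example, not part of the original message or of the fglrx package; the function names are hypothetical and the grant-style line is constructed for illustration.

```python
import shlex

SHELL_OPERATORS = {"||", "&&", ";", "|", "&"}
# Per xauth(1): "add displayname protocolname hexkey" carries the cookie;
# "remove displayname..." carries only display names.
SECRET_ARG_INDEX = {"add": 2}  # position of hexkey among the subcommand's args


def xauth_calls(line):
    """Return [(subcommand, args)] for every xauth call on a shell line,
    including calls nested in a quoted string such as the argument of su -c."""
    try:
        tokens = shlex.split(line)
    except ValueError:  # unbalanced quotes: outside the scope of this sketch
        return []
    calls, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if tok != "xauth":
            if "xauth" in tok and " " in tok:  # quoted command string
                calls.extend(xauth_calls(tok))
            continue
        while i < len(tokens) and tokens[i].startswith("-"):
            i += 2 if tokens[i] == "-f" else 1  # -f takes the authority file
        rest = []
        while i < len(tokens) and tokens[i] not in SHELL_OPERATORS:
            rest.append(tokens[i])
            i += 1
        if rest:
            calls.append((rest[0], rest[1:]))
    return calls


def argv_exposes_cookie(line):
    """True if some xauth call on the line passes key material as an
    argument, where it is visible in the process list."""
    return any(cmd in SECRET_ARG_INDEX and len(args) > SECRET_ARG_INDEX[cmd]
               for cmd, args in xauth_calls(line))


# The two revoke lines quoted in the thread, plus one constructed line.
REVOKE_SU = 'su $user -c "xauth -f $3 remove $2" || exit -1'
REVOKE_DIRECT = 'xauth -f $3 remove $2 || exit -1'
GRANT_CONSTRUCTED = 'su $user -c "xauth -f $3 add $2 . $4" || exit -1'

if __name__ == "__main__":
    for line in (REVOKE_SU, REVOKE_DIRECT, GRANT_CONSTRUCTED):
        print(argv_exposes_cookie(line), xauth_calls(line))
```
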




