[Pkg-fglrx-devel] Bug#625868: Bug#625868: auth event shows secret xauth cookie on command line

Moritz Muehlenhoff jmm at inutil.org
Sat May 28 09:37:31 UTC 2011


On Wed, May 11, 2011 at 07:29:25PM +0200, Patrick Matthäi wrote:
> On 09.05.2011 10:01, Vincent Zweije wrote:
> > On Mon, May 09, 2011 at 08:57:24AM +0200, Patrick Matthäi wrote:
> > 
> > ||  On 08.05.2011 23:58, Vincent Zweije wrote:
> > ||  >On Sun, May 08, 2011 at 11:51:40PM +0200, Vincent Zweije wrote:
> > ||  >
> > ||  >||  Looking at /etc/ati/authatieventsd.sh, this piece of code is wrong:
> > ||  >
> > ||  >||>      revoke)
> > ||  >||>          if [ `pinky -fs | awk '{ if ($3 == "'$2'" || $(NF) == "'$2'" ) { print $1; exit; } }'` ]; then
> > ||  >||>      	user=`pinky -fs | awk '{ if ($3 == "'$2'" || $(NF) == "'$2'" ) { print $1; exit; } }'`
> > ||  >||>      	su $user -c "xauth -f $3 remove $2" || exit -1
> > ||  >||>          else
> > ||  >||>      	xauth -f $3 remove $2 || exit -1
> > ||  >||
> > ||  >||  And strictly speaking, the same twice here, but the secret is being
> > ||  >||  removed so exploiting its knowledge would be very hard though not
> > ||  >||  theoretically impossible. Anyway, if you're fixing the grant case, do the
> > ||  >||  revoke case at the same time so they use the same method. It's just good
> > ||  >||  software engineering.
> > ||  >
> > ||  >I think I had my eyes crossed here. No secret cookie is being mentioned,
> > ||  >only the display name which is not secret.
> > ||  Do you want to say that the security part of this bug could be closed?
> > 
> > Sorry, no, only that the "revoke" part has no security problem. The
> > "grant" part still does.
> > 
> > ||  Sorry yes I mean 11-4, not 10-4 :)
> > 
> > Right. Well, if the offending code is gone in 11-4 that would be the
> > end of the problem, but even without checking I suspect it's still there.
> > 
> > Ciao.                                                            Vincent.
> 
> 
> It looks like those issues were introduced by Debian years ago with the
> patch 03-authatieventsd.sh.diff and I can't say for what it is really
> there (it already was available @ fglrx, where I was not the maintainer).
> Could you please deapply it and look if everything is right?

Vincent, did you test it?

Cheers,
        Moritz
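
Added illustration, not part of the thread or of the fglrx package: the exposure this bug is about, shown with a stand-in child process instead of xauth. It compares what other local users can read from /proc/<pid>/cmdline when the cookie is an argument and when the same command is sent on standard input, which xauth reads when no command is given as an argument. The cookie, display name, file path and function names are constructed for the example, and it assumes a Linux /proc.

```shell
#!/bin/sh
# Added example; requires Linux /proc. COOKIE and DISPLAY_NAME are constructed.
COOKIE=00112233445566778899aabbccddeeff
DISPLAY_NAME=:0

# Run a stand-in child (a shell, not xauth) with the given arguments, let it
# consume its stdin, then print its argv as read from /proc/<pid>/cmdline,
# the same data ps shows to other local users.
# The trailing ":" stops shells from exec-replacing the child with cat.
child_argv() {
    sh -c 'cat >/dev/null; cat "/proc/$$/cmdline"; :' "$@" | tr '\0' ' '
}

# Exposed pattern: the cookie is one of the command-line arguments.
argv_with_cookie_arg() {
    child_argv xauth-stand-in -f "$1" add "$DISPLAY_NAME" . "$COOKIE" </dev/null
}

# Safer pattern: the whole "add" command travels on stdin. printf is a shell
# builtin here, so no process ever carries the cookie in its argv.
argv_with_cookie_stdin() {
    printf 'add %s . %s\n' "$DISPLAY_NAME" "$COOKIE" |
        child_argv xauth-stand-in -f "$1"
}

# Succeeds when the given text contains the cookie.
leaks() {
    case "$1" in
        *"$COOKIE"*) return 0 ;;
        *) return 1 ;;
    esac
}

# The stand-in never opens this path; it only appears in argv.
AUTHFILE=/tmp/example.Xauthority
for mode in arg stdin; do
    seen=$("argv_with_cookie_$mode" "$AUTHFILE")
    if leaks "$seen"; then verdict="cookie visible"; else verdict="cookie not visible"; fi
    printf '%-5s %s\n      argv: %s\n' "$mode" "$verdict" "$seen"
done
```
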
