forwarded 492282 http://bugzilla.gnome.org/show_bug.cgi?id=544672
thanks

Le jeudi 24 juillet 2008 à 22:56 +0200, Stefan Fritsch a écrit :
> Package: seahorse
> Version: 2.22.3-1
> Severity: normal
> Tags: security
> 
> Seahorse leaks file descriptors to processes started with "seahorse-agent
> --execute", including the gpg agent listening socket. For the default setup,
> this means that all processes started from the desktop inherit those FDs and 
> can
> possibly use them. This can be a security issue because the FDs are also
> inherited to processes started with su as a different user which normally 
> would
> not have access to gpg key and gpg agent socket.
> 
> Seahorse should use fcntl to set FD_CLOEXEC on its FDs.

Indeed, this can easily be confirmed by looking at gnome-session’s file
descriptors.

However it seems that gnome-session itself correctly closes the file
descriptors before spawning anything else, so they are not leaked
further. What makes you think all desktop processes will inherit from
them?

Cheers,
-- 
 .''`.
: :' :      We are debian.org. Lower your prices, surrender your code.
`. `'       We will add your hardware and software distinctiveness to
  `-        our own. Resistance is futile.

Attachment: signature.asc
Description: Ceci est une partie de message numériquement signée

Reply via email to