Package: xbase-clients Version: 4.3.0.dfsg.1-14 Priority: normal Tags: security
The x11perfcomp script in xbase-clients holds two different race conditions that might be exploitable against users running the script if the user is using unsafe umasks: 1.- The script creates a directory without properly setting an umask for the temporary directory is created, since the files created within the directory are predictable (numbers) an attacker could introduce symlink attacks after the directory was created. 2.- The script removes the temporary directory twice if it runs succesfully, once at the end of the script and another when the 'trap 0' code gets executed. Finally, it sets the PATH directory to '.' prepending all other PATHs which might be unsafe if the script is run in directories which other users have write access to (i.e. tmp). The attached patch tries to fix all these issues, I've decided to remove the '.' in PATH since it does not seem to be necessary. I've necessary, it should be added to the end of the PATH definition (instead of the beginning). Regards Javier PS: Since only users with problematic umasks can be targeted I'm setting this security bug with normal severity.
--- x11perfcomp.orig 2005-08-05 17:38:32.000000000 +0200
+++ x11perfcomp 2005-08-05 17:46:08.000000000 +0200
@@ -21,13 +21,13 @@
#
# $Xorg: x11pcomp.cpp,v 1.3 2000/08/17 19:54:10 cpqbld Exp $
-PATH=/usr/X11R6/lib/X11/x11perfcomp:.:$PATH
+PATH=/usr/X11R6/lib/X11/x11perfcomp:$PATH
export PATH
set -e
tmp=${TMPDIR-/tmp}/rates.$$
-trap "rm -rf $tmp" 0 1 2 15
-mkdir $tmp || exit 1
+trap "[ -d $tmp ] && rm -rf $tmp" 0 1 2 15
+(umask 0077; mkdir $tmp) || exit 1
mkdir $tmp/rates
ratio=
allfiles=
@@ -92,4 +92,5 @@
echo ''
(echo Operation; echo '---------'; cat $tmp/labels) |
paste $allfiles - | sed 's/ / /g' | $ratio
-rm -rf $tmp
+
+exit 0
signature.asc
Description: Digital signature
