Package: libx11-6 Version: 2:1.0.3-4 Severity: critical Tags: security Justification: root security hole
First of all, I tagged this bug as critical because the description in reportbug fit, but as the issue is relatively harmless and not directly caused by libx11, feel free to reprioritise, I will know in the future. I hope I did the right thing. Thanks - and possibly sorry! Anyways, libx11 leaks the contents of .XCompose to subprocess, because it does not close the file descriptor nor does it set the cloexec flag on the filehandle. Such leaks are usually very pervasive as few programs care for fds they did not open. For example, under a urxvtd terminal window running bash: cerebro ~# ls -l /proc/self/fd total 5 lrwx------ 1 root root 64 Dec 7 00:26 0 -> /dev/pts/6 lrwx------ 1 root root 64 Dec 7 00:26 1 -> /dev/pts/6 lrwx------ 1 root root 64 Dec 7 00:26 2 -> /dev/pts/6 lr-x------ 1 root root 64 Dec 7 00:26 3 -> /proc/5984/fd lr-x------ 1 root root 64 Dec 7 00:26 10 -> /localvol/root/.XCompose from an xterm started from the above window, using bash: lr-x------ 1 root root 64 Dec 7 00:11 5 -> /localvol/root/.XCompose lr-x------ 1 root root 64 Dec 7 00:11 10 -> /localvol/root/.XCompose and so on, I get one .XCompose fd per nesting level. from "su nobody" started in above xterm: lrwx------ 1 nobody nogroup 64 Dec 7 00:27 0 -> /dev/pts/9 lrwx------ 1 nobody nogroup 64 Dec 7 00:27 1 -> /dev/pts/9 lr-x------ 1 nobody nogroup 64 Dec 7 00:27 10 -> /localvol/root/.XCompose lrwx------ 1 nobody nogroup 64 Dec 7 00:27 2 -> /dev/pts/9 lr-x------ 1 nobody nogroup 64 Dec 7 00:27 3 -> /proc/6012/fd lr-x------ 1 nobody nogroup 64 Dec 7 00:27 5 -> /localvol/root/.XCompose It is very likely that many programs that change the uid will not care for the extra fd, as it should not be there in the first place. The file is fortunately only opened read-only, and the contents of .XCompose files are usually not very private. The actual contents of the .XCompose file do not matter, as long as it exists, libx11 (likely the code in modules/im/ximcp/imLcIm.c) leaks the fd. -- System Information: Debian Release: 4.0 APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental') Architecture: amd64 (x86_64) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.17.6 Locale: LANG=C, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Versions of packages libx11-6 depends on: hi libc6 2.3.6.ds1-8 GNU C Library: Shared libraries ii libx11-data 2:1.0.3-2 X11 client-side library ii libxau6 1:1.0.1-2 X11 authorisation library ii libxdmcp6 1:1.0.1-2 X11 Display Manager Control Protoc ii x11-common 1:7.1.0-6 X Window System (X.Org) infrastruc libx11-6 recommends no packages. -- debconf information: libx11-6/migrate_xkb_dir: true -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
