Fwd: The importance of mutual authentication: Local Privilege Escalation in X11

Keith Packard keithp at keithp.com
Mon Nov 16 06:30:02 UTC 2020


Alan Coopersmith <alan.coopersmith at oracle.com> writes:

> Since this is now public, we can open up the discussion of how to fix it in
> public as well, and hope we can make more progress than the security list
> did during the embargo phase.

I've got a proposed fix for this issue in two merge requests, one for
xcb and the other for the X server:

        https://gitlab.freedesktop.org/xorg/lib/libxcb/-/merge_requests/10

        https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/546

These two changes enable code used on Mac OS X for all other platforms.
This code allows the X listen socket to be placed anywhere in the file
system. Systems which currently place that in /tmp are vulnerable to the
bug reported above. Placing this listen socket in a protected location
should prevent un-privileged applications from spoofing the X server for
the user.

Patches for ssh will be needed to close the security issue when
forwarding X connections through that.

-- 
-keith