Fwd: The importance of mutual authentication: Local Privilege Escalation in X11

Demi M. Obenour demiobenour at gmail.com
Wed Nov 18 19:29:06 UTC 2020


On 11/16/20 1:30 AM, Keith Packard wrote:
> Alan Coopersmith <alan.coopersmith at oracle.com> writes:
> 
>> Since this is now public, we can open up the discussion of how to fix it in
>> public as well, and hope we can make more progress than the security list
>> did during the embargo phase.
> 
> I've got a proposed fix for this issue in two merge requests, one for
> xcb and the other for the X server:
> 
>         https://gitlab.freedesktop.org/xorg/lib/libxcb/-/merge_requests/10
> 
>         https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/546
> 
> These two changes enable code used on Mac OS X for all other platforms.
> This code allows the X listen socket to be placed anywhere in the file
> system. Systems which currently place that in /tmp are vulnerable to the
> bug reported above. Placing this listen socket in a protected location
> should prevent un-privileged applications from spoofing the X server for
> the user.
> 
> Patches for ssh will be needed to close the security issue when
> forwarding X connections through that.

Do those MRs also prevent clients and servers from using abstract
sockets?  Those are inherently insecure, so support for them should
probably just be removed.  Additionally, will libX11 also be updated?

Sincerely,

Demi
