[Pkg-fglrx-devel] Bug#625868: Bug#625868: auth event shows secret xauth cookie on command line

Vincent Zweije vincent at zweije.nl
Mon Jul 4 13:23:37 UTC 2011


On Wed, May 11, 2011 at 07:29:25PM +0200, Patrick Matthäi wrote:

||  It looks like those issues were introduced by Debian years ago with the
||  patch 03-authatieventsd.sh.diff and I can't say for what it is really
||  there (it already was available @ fglrx, where I was not the maintainer).
||  Could you please deapply it and look if everything is right?

Finally got around to looking at it.

Patch 03-* did not introduce the bad code, it just modified it. It
contains the following part:

    -        if [ -n "$DISP_AUTH_KEY" ]; then
    -            xauth -f $3 add $2 . $DISP_AUTH_KEY || exit -1
    -        else
    -            exit -1
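
Review bot: the removed `xauth -f $3 add $2 . $DISP_AUTH_KEY` line expands `$3` and `$2` unquoted and carries the cookie as an argument, so whatever the `+` side of this hunk (not shown in the excerpt) puts in its place should quote the file and display names and keep the key off the command line. `exit -1` on the same lines is outside the 0-255 range POSIX sh defines for an exit status; `exit 1` is the portable spelling.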

Which means the original code already passes $DISP_AUTH_KEY on the
command line.

Indeed, upstream source contains this snippet:

        DISP_AUTH_KEY=`xauth -f $SERVER_AUTH_FILE list | grep $DISP_SEARCH_STRING | awk '{ print $3 }'`
        if [ -n "$DISP_AUTH_KEY" ]; then
            xauth -f $3 add $2 . $DISP_AUTH_KEY || exit -1
        else
            exit -1
        fi

which should probably be something like:

        DISP_AUTH_KEY=`xauth -f $SERVER_AUTH_FILE list | grep $DISP_SEARCH_STRING | awk '{ print $3 }'`
        if [ -n "$DISP_AUTH_KEY" ]; then
            echo "$2 . $DISP_AUTH_KEY" | xauth -f $3 merge - || exit -1
        else
            exit -1
        fi

under the assumption that echo runs as a shell builtin, so does not use
execve, so its command line arguments cannot be snarfed from outside.

However, better would be to put everything inside the pipeline and
never read the cookie into a variable at all, saving an if as well
(completely untested):

        xauth -f $SERVER_AUTH_FILE list | grep $DISP_SEARCH_STRING | \
            awk '{printf "%s %s %s\n","'$2'",$2,$3}' | xauth -f $3 merge -
        exit -1

You'll have to merge this with patch 03-*.

Ciao.                                                        Vincent.
-- 
Vincent Zweije <vincent at zweije.nl>   | "If you're flamed in a group you
<http://www.xs4all.nl/~zweije/>      | don't read, does anybody get burnt?"
[Xhost should be taken out and shot] |            -- Paul Tomblin on a.s.r.
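
The claim in the message above, that a builtin writing into a pipe keeps the cookie out of every command line while passing it as an argument does not, can be checked with a stand-in for xauth. This is an added example, not part of the original message or of the fglrx package; the stand-in script, `user.auth`, `:0` and the cookie value are constructed, and it relies on Linux `/proc`.

```shell
#!/bin/sh
# Linux-only sketch (reads /proc); every name and value here is constructed.
COOKIE=0123456789abcdef0123456789abcdef   # stand-in, not a real xauth key

# Stand-in for xauth: prints its own argv as /proc records it (the data ps
# shows to local users), then whatever arrives on stdin.
FAKE_XAUTH=$(mktemp) || exit 1
trap 'rm -f "$FAKE_XAUTH"' EXIT
cat > "$FAKE_XAUTH" <<'EOF'
printf 'argv: ';  tr '\0' ' ' < /proc/$$/cmdline; echo
printf 'stdin: '; cat; echo
EOF

# Upstream form: the cookie is an argument of an exec'd command.
run_argv() {
    sh "$FAKE_XAUTH" -f user.auth add :0 . "$COOKIE" < /dev/null
}

# Form proposed in the message: the builtin echo writes the cookie into a
# pipe, so it never appears in any exec'd argv.
run_stdin() {
    echo ":0 . $COOKIE" | sh "$FAKE_XAUTH" -f user.auth merge -
}

# Print 1 if the cookie shows up in the consumer's recorded argv, else 0.
cookie_in_argv() { "$1" | grep '^argv: ' | grep -c "$COOKIE"; }

# Print 1 if the cookie reached the consumer on stdin, else 0.
cookie_on_stdin() { "$1" | grep '^stdin: ' | grep -c "$COOKIE"; }

for run in run_argv run_stdin; do
    echo "$run: in argv=$(cookie_in_argv "$run") on stdin=$(cookie_on_stdin "$run")"
done
```

The stand-in ignores its arguments, so this only shows where the cookie is visible, not whether real xauth accepts the input. The xauth manual describes `merge` as reading authority files and `source -` as reading xauth commands such as `add` from standard input, so check the expected format before adopting either snippet.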