Bug 839872 (CVE-2013-4331) - VUL-0: CVE-2013-4331: lightdm: incorrect .Xauthority permissions
Summary: VUL-0: CVE-2013-4331: lightdm: incorrect .Xauthority permissions
Status: RESOLVED INVALID
Alias: CVE-2013-4331
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium  Severity: Normal
Target Milestone: ---
Assignee: Forgotten User cAXlJ_FoSf
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-09-12 08:54 UTC by Alexander Bergmann
Modified: 2015-03-30 14:57 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Comment 1 Alexander Bergmann 2013-09-12 08:57:19 UTC
Only openSUSE is affected. Not sure about lightdm-1.2.2.

openSUSE:12.2   lightdm-1.2.2
openSUSE:12.3   lightdm-1.4.0
Comment 2 Forgotten User cAXlJ_FoSf 2013-09-12 09:49:57 UTC
Have you looked into this? I checked this superficially yesterday and I am not sure yet whether this actually affects openSUSE. At least in the default configuration with user-authority-in-system-dir=true, xauthority files are created in the /run/<username> and /var/run/<username> directories, which have 700 permissions and are owned by the respective user. The actual xauthority files are also created with 700 permissions. I suppose a strict umask is in effect on openSUSE, but I'll need to investigate further later, particularly with user-authority-in-system-dir=false.
Comment 3 Swamp Workflow Management 2013-09-12 22:00:27 UTC
bugbot adjusting priority
Comment 4 Forgotten User cAXlJ_FoSf 2013-09-12 22:04:45 UTC
Just tested user-authority-in-system-dir=false and it creates ~/.Xauthority with 600 permissions as well, so I cannot reproduce this on openSUSE 12.2 or 12.3, but I'm also not sure where the strict 077 umask would be coming from.

The code in xauth_write() in lightdm-1.2.2 is the same as 1.4.0, i.e. using a simple 'fopen (filename, "w")'.
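The check behind Comments 2 and 4 is whether a file created with a plain fopen(path, "w") can end up world- or group-readable. fopen("w") creates with mode 0666, so the result is 0666 & ~umask: 0644 under the common 022 umask, 0600 only under 077. The added example below (written for this page, not lightdm's xauth_write()) measures that in a private temp directory and contrasts it with creating the file through open() with an explicit 0600 mode and O_EXCL plus fchmod(), which gives 0600 whatever the umask is. The temp directory name, the ".Xauthority" file name and the cookie string are constructed for the example.

```c
/* Added example for this page, not lightdm code: how the mode of a newly
 * created authority file depends on the umask when fopen(path, "w") is used,
 * versus an explicit-mode open() that ignores the umask. */
#define _GNU_SOURCE            /* mkdtemp(), fdopen(), O_CLOEXEC */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Plain fopen(path, "w"): O_CREAT with mode 0666, i.e. 0666 & ~umask.
 * Returns the permission bits of the created file, or -1 on error. */
static int mode_after_fopen(const char *path, mode_t um)
{
    mode_t saved = umask(um);
    FILE *f = fopen(path, "w");
    umask(saved);
    if (f == NULL)
        return -1;
    fclose(f);
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 0777);
}

/* Hardened variant: create with an explicit 0600 mode, refuse a pre-existing
 * file or symlink (O_EXCL), then fchmod() so the final mode is 0600 even if
 * the umask stripped bits that the owner needs. */
static int mode_after_private_create(const char *path, mode_t um)
{
    mode_t saved = umask(um);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    umask(saved);
    if (fd < 0)
        return -1;
    if (fchmod(fd, 0600) != 0) {
        close(fd);
        return -1;
    }
    FILE *f = fdopen(fd, "w");
    if (f == NULL) {
        close(fd);
        return -1;
    }
    fputs("MIT-MAGIC-COOKIE-1 constructed-placeholder\n", f); /* constructed */
    fclose(f);
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 0777);
}

/* Run one creation inside a fresh mkdtemp() directory under $TMPDIR or /tmp,
 * then remove the file and directory.  Returns the permission bits or -1. */
int probe_mode(mode_t um, int use_private_create)
{
    const char *base = getenv("TMPDIR");
    char dir[256];
    char path[300];
    snprintf(dir, sizeof dir, "%s/xauth-probe-XXXXXX", base ? base : "/tmp");
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/.Xauthority", dir);
    int mode = use_private_create ? mode_after_private_create(path, um)
                                  : mode_after_fopen(path, um);
    unlink(path);
    rmdir(dir);
    return mode;
}

int main(void)
{
    printf("fopen(\"w\"), umask 022:          %04o\n", (unsigned)probe_mode(022, 0));
    printf("fopen(\"w\"), umask 077:          %04o\n", (unsigned)probe_mode(077, 0));
    printf("open(O_EXCL,0600)+fchmod, 022:  %04o\n", (unsigned)probe_mode(022, 1));
    printf("open(O_EXCL,0600)+fchmod, 0277: %04o\n", (unsigned)probe_mode(0277, 1));
    return 0;
}
```

Two caveats when reading the numbers: the mode argument only matters at creation, so fopen("w") on an already existing ~/.Xauthority truncates it but leaves its old permission bits untouched; and a 0600 file inside a 0700 directory (the /run/<username> case in Comment 2) is protected by the directory even if the file's own bits are loose, which is why the system-dir and home-dir configurations need to be tested separately.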
Comment 5 Johannes Segitz 2015-03-30 14:57:02 UTC
So even if this was a problem, current versions of openSUSE aren't affected.