-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 X.Org security advisory, October 18, 2011 xserver locking vulnerabilities CVE IDs: CVE-2011-4028 CVE-2011-4029 Description - ----------- Two vulnerabilities have been discovered in the code handling the X server lock, that forbids two X servers from serving the same display simultaneously. o CVE-2011-4028 : File disclosure vulnerability: It is possible to deduce if a file exists or not by exploiting the way that Xorg creates its lock files. This is caused by the fact that the X server is behaving differently if the lock file already exists as a symbolic link pointing to an existing or non-existing file. o CVE-2011-4029 : File permission change vulnerability: It is possible for a non-root user to set the permissions for all users on any file or directory to 444, giving unwanted read access or causing denies of service (by removing execute permission). This is caused by a race between creating the lock file and setting its access modes. Affected Versions - ----------------- All X.Org Xserver versions are vulnerable to CVE-2011-4028 when running with root privileges. X.Org Xserver version 1.4 and later are vulnerable to CVE-2011-4029 when running with root privileges. Workaround - ---------- Removing the setuid bit on the Xorg binary (and using a display manager to start it with controlled parameters) makes the issues harder to exploit, but not impossible. Fix - --- Those issues have been fixed by the following two git commits: CVE-2011-4028: 6ba44b91e37622ef8c146d8f2ac92d708a18ed34 http://cgit.freedesktop.org/xorg/xserver/commit/?id=6ba44b91e37622ef8c146d8f2ac92d708a18ed34 CVE-2011-4029: b67581cf825940fdf52bf2e0af4330e695d724a4 http://cgit.freedesktop.org/xorg/xserver/commit/?id=b67581cf825940fdf52bf2e0af4330e695d724a4 A fix of this vulnerability will be included in xserver 1.11.2 and xserver 1.12. The X.Org Foundation thanks vladz (http://vladz.devzero.fr) for bringing this issue to our attention and helping testing the fixes. - -- Matthieu Herrb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEVAwUBTp2SLPee5zRnIoYlAQJRvQf8D1GyyOVHR1KBUUP7L2PiobbLRp1JXPar iOm24Uk+4vH6arnx1zdmsdCkLVmtJxi3Y6KYgv07NOQUstd1s5rifPiFxCek8T2b 5TNFo1EIxbESh6d29VNi6rkRigK6WVFQiqJj3MbYA4XBqoibi48FG5JQYrjVG6ki lPmX4pT2pOCYsSQGJPbRNr7Ra4GWj0lYX1ZC72aD1/kFn1I9t04QoPdW7YpG90eI s1VI8JpqdsRdyQ88AQTytLSKYAveEY5RuouOOe8KfIljtLW+elw5LzBZoE60WVB4 ltZElUNI8neEgeawHm5TnWhvq3ieU7LS5mMZqfDQaZfvc95dS4YdLA==LvrS -----END PGP SIGNATURE-----