Loïc Minier
2009-May-02 15:57 UTC
[Secure-testing-team] Bug#526678: Passes magic cookie insecurity
Package: xvfb
Version: 2:1.6.1-1
Severity: normal
File: /usr/bin/xvfb-run
Tags: security

Hi

xvfb-run does:

    # Start Xvfb.
    MCOOKIE=$(mcookie)
    XAUTHORITY=$AUTHFILE xauth add ":$SERVERNUM" "$XAUTHPROTO" "$MCOOKIE" \
        >"$ERRORFILE" 2>&1

which is insecure as the MCOOKIE value can be seen for a split second in the
list of processes.

I think "xauth source -" or a similar construct should be used.

Bye

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.29-1-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages xvfb depends on:
ii  libaudit0     1.7.13-1                     Dynamic library for security audit
ii  libc6         2.9-9                        GNU C Library: Shared libraries
ii  libdbus-1-3   1.2.12-1                     simple interprocess messaging syst
ii  libfontenc1   1:1.0.4-3                    X11 font encoding library
ii  libgcrypt11   1.4.4-2                      LGPL Crypto library - runtime libr
ii  libhal1       0.5.12~git20090406.46dc48-2  Hardware Abstraction Layer - share
ii  libpixman-1-  0.14.0-1                     pixel-manipulation library for X a
ii  libselinux1   2.0.71-1                     SELinux shared libraries
ii  libxau6       1:1.0.4-2                    X11 authorisation library
ii  libxdmcp6     1:1.0.2-3                    X11 Display Manager Control Protoc
ii  libxfont1     1:1.4.0-1                    X11 font rasterisation library
ii  xserver-comm  2:1.6.1-1                    common files used by various X ser

Versions of packages xvfb recommends:
ii  xauth         1:1.0.3-2                    X authentication utility
ii  xfonts-base   1:1.0.0-6                    standard fonts for X

xvfb suggests no packages.

-- no debconf information

-- 
Loïc Minier
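Added example for this report (it is not code from xvfb-run, the xvfb package, or the reporter). It shows the two halves of the issue: first, that any value passed as a command-line argument is readable by other local users through the process list (ps, or /proc/<pid>/cmdline on Linux) for as long as the process lives, and second, the "xauth source -" construct the report proposes, which hands the "add" command, cookie included, to xauth on stdin so it never enters argv. The leak check assumes a Linux /proc or a POSIX ps(1); the xauth part assumes xauth(1) is installed. The cookie value is constructed for the demonstration, not taken from mcookie.

```shell
#!/bin/sh
# Added example; not from xvfb-run or the xvfb package.
# Part 1: show that a secret in argv is visible in the process list.
# Part 2: the "xauth source -" fix the report proposes, beside the
#         insecure "xauth add ... $COOKIE" pattern it replaces.

# argv_leaks_secret SECRET: returns 0 if SECRET shows up in the argv of a
# child process started with it, exactly as ps(1) or /proc/<pid>/cmdline
# exposes it to other users while the process runs. (Assumes Linux /proc
# or a POSIX ps.)
argv_leaks_secret() {
    secret=$1
    # Throwaway child that merely carries the secret in its argument list
    # (it becomes $1 of the inner sh, which never uses it).
    sh -c 'sleep 3' argv0 "$secret" &
    pid=$!
    sleep 1    # let the child exec so its own argv is what we read
    cmdline=$( { tr '\0' ' ' < "/proc/$pid/cmdline"; } 2>/dev/null \
               || ps -o args= -p "$pid" 2>/dev/null )
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    printf '%s\n' "$cmdline" | grep -F -q -- "$secret"
}

# insecure_add AUTHFILE DISPLAYNUM COOKIE: the pattern quoted in the
# report. The cookie is an argument of xauth, so it is in the process list
# for the lifetime of the xauth process.
insecure_add() {
    XAUTHORITY=$1 xauth add ":$2" MIT-MAGIC-COOKIE-1 "$3"
}

# secure_add AUTHFILE DISPLAYNUM COOKIE: the proposed construct. Only
# "xauth source -" is on the command line; the add command carrying the
# cookie arrives on stdin through a here-document, which other users
# cannot read from the process list.
secure_add() {
    XAUTHORITY=$1 xauth source - <<EOF
add :$2 MIT-MAGIC-COOKIE-1 $3
EOF
}

# cookie_in_file AUTHFILE DISPLAYNUM: prints the hex cookie stored for the
# display, to confirm both variants write the same authority entry.
cookie_in_file() {
    XAUTHORITY=$1 xauth list ":$2" 2>/dev/null | awk '{ print $3 }'
}

# Stand-alone run with a constructed cookie (not an mcookie output).
demo() {
    cookie=0123456789abcdef0123456789abcdef
    if argv_leaks_secret "$cookie"; then
        echo "argv: cookie is visible in the process list"
    fi
    if command -v xauth >/dev/null 2>&1; then
        dir=$(mktemp -d)
        secure_add "$dir/Xauthority" 99 "$cookie"
        echo "stored via stdin: $(cookie_in_file "$dir/Xauthority" 99)"
        rm -rf "$dir"
    fi
}

demo
```

The same argv exposure applies to any secret given as an argument (passwords to mysql -p, tokens to curl -H), and the same remedy applies: read it from stdin, a file with restrictive permissions, or an environment variable rather than the command line. Note that xauth prints a harmless "file ... does not exist" notice on first use of a fresh authority file; xvfb-run already sends that to $ERRORFILE.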