Bug 8699

Summary: input method module leaks fd
Product: xorg Reporter: Kees Cook <kees>
Component: Lib/XlibAssignee: Xorg Project Team <xorg-team>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: high CC: goeran
Version: git   
Hardware: All   
OS: All   
Whiteboard:
i915 platform: i915 features:
Bug Depends on:    
Bug Blocks: 6666    
Attachments:
Description Flags
kill double open none

Description Kees Cook 2006-10-18 09:54:38 UTC 
The Xinput module leaks a fd, which is optionally read from the XCOMPOSEFILE env
variable.  At least with xterm this open happens with elevated privs.

See line 620:
http://gitweb.freedesktop.org/?p=xorg/lib/libX11.git;a=blob;hb=abda4d223e9cce9ac6e7b5d82a5680d9a502e52a;f=modules/im/ximcp/imLcIm.c
Comment 1 Kees Cook 2006-10-18 09:55:19 UTC 
Created attachment 7459 [details] [review]
kill double open
Comment 2 Matthias Hopf 2006-10-19 02:39:52 UTC 
Fixed with git commit 686bb8b35acf6cecae80fe89b2b5853f5816ce19.

Should this be fixed in 7.1 as well, or in the stable branch of libX11? Or just
a new release of libX11?

So far xterm seems to be the only problematic app (setgid), but with its normal
gid no security relevant files can be accessed.
Comment 3 Matthieu Herrb 2006-10-30 13:31:48 UTC 
I have the impression that the vulnerable code was added after 7.1, in a commit
from June 13. 
Only libX11 1.0.2 and 1.0.3 are vulnerable. So I guess the upcoming 1.1 release
is enough.
Comment 4 Matthieu Herrb 2006-10-30 13:32:56 UTC 
BTW, this has been assigned CVE-2006-5397 by mitre.
Comment 5 Daniel Stone 2006-12-06 06:41:08 UTC 
marking as fixed, as we're shipping 1.1 with 7.2

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.