Bug 8699 - input method module leaks fd
Summary: input method module leaks fd
Status: RESOLVED FIXED
Alias: None
Product: xorg
Classification: Unclassified
Component: Lib/Xlib (show other bugs)
Version: git
Hardware: All All
: high normal
Assignee: Xorg Project Team
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: xorg-7.2
  Show dependency treegraph
 
Reported: 2006-10-18 09:54 UTC by Kees Cook
Modified: 2006-12-06 06:41 UTC (History)
1 user (show)

See Also:
i915 platform:
i915 features:


Attachments
kill double open (414 bytes, patch)
2006-10-18 09:55 UTC, Kees Cook
no flags Details | Splinter Review

Note You need to log in before you can comment on or make changes to this bug.
Description Kees Cook 2006-10-18 09:54:38 UTC
The Xinput module leaks a fd, which is optionally read from the XCOMPOSEFILE env
variable.  At least with xterm this open happens with elevated privs.

See line 620:
http://gitweb.freedesktop.org/?p=xorg/lib/libX11.git;a=blob;hb=abda4d223e9cce9ac6e7b5d82a5680d9a502e52a;f=modules/im/ximcp/imLcIm.c
Comment 1 Kees Cook 2006-10-18 09:55:19 UTC
Created attachment 7459 [details] [review]
kill double open
Comment 2 Matthias Hopf 2006-10-19 02:39:52 UTC
Fixed with git commit 686bb8b35acf6cecae80fe89b2b5853f5816ce19.

Should this be fixed in 7.1 as well, or in the stable branch of libX11? Or just
a new release of libX11?

So far xterm seems to be the only problematic app (setgid), but with its normal
gid no security relevant files can be accessed.
Comment 3 Matthieu Herrb 2006-10-30 13:31:48 UTC
I have the impression that the vulnerable code was added after 7.1, in a commit
from June 13. 
Only libX11 1.0.2 and 1.0.3 are vulnerable. So I guess the upcoming 1.1 release
is enough.
Comment 4 Matthieu Herrb 2006-10-30 13:32:56 UTC
BTW, this has been assigned CVE-2006-5397 by mitre.
Comment 5 Daniel Stone 2006-12-06 06:41:08 UTC
marking as fixed, as we're shipping 1.1 with 7.2


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.