[ANNOUNCE] X.Org security advisory: root hole via rogue hostname

Matthias Hopf mhopf at suse.de
Tue Apr 5 09:53:26 PDT 2011

X.Org security advisory, April 5th, 2011
root hole via rogue hostname
CVE ID: CVE-2011-0465


By crafting hostnames with shell escape characters, arbitrary commands
can be executed in a root environment when a display manager reads in
the resource database via xrdb.

These specially crafted hostnames can occur in two environments:

  * Hosts that set their hostname via DHCP
  * Hosts that allow remote logins via xdmcp


Arbitrary (short) commands can be executed as root on affected hosts.
With some display managers a working login is required (resource
database is read upon login), with others no working login is required
(resource database is read upon display manager start as well).

Only systems are affected that

 1) set their hostname via DHCP, and the used DHCP client allows setting
    of hostnames with illegal characters

 2) allow remote logins via xdmcp

1) requires either physical access to the network, or administrative
   access to the running DHCP server.
2) does not require physical access, if a regular account on a machine
   accepted by xdmcp is available, but describes a case that is
   considered insecure nowadays.

Affected versions

xrdb up to including 1.0.8
X11R7.6 (latest release) includes xrdb 1.0.7


This issue has been fixed with git commit


A fix of this vulnerability is included in xrdb 1.0.9.

This issue was found by Sebastian Krahmer from the SUSE security team.


Matthias Hopf <mhopf at suse.de>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/xorg-announce/attachments/20110405/62b59be4/attachment.pgp>

More information about the xorg-announce mailing list