[Spice-devel] [PATCH spice] spicec-x11: Change source of controller socket name, fixing CVE-2010-2792

Arnon Gilboa agilboa at redhat.com
Thu Oct 21 00:36:52 PDT 2010


ACK !

Hans de Goede wrote:
> The socket name used to communicate between the xpi browser plugin and the
> spicec was predictable allowing a non-privileged user on the same system
> to create the socket before spicec does and thus intercept the messages from
> the xpi to the client, including login credentials. This security vulnerability
> has been registered with mitre as CVE-2010-2792:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2792
>
> This patch changes the controller code to instead read the socket name
> from an environment variable which gets set by the xpi before executing
> the spicec, making the socket name private between the client and the xpi.
>
> Note that this means that the controller will only work with an xpi which
> has matching changes, the changes are present in the latest version of the
> xpi as available as update for / with RHEL-5.5 and RHEL-6.0.
> ---
>  client/controller.cpp |   12 ++++++++----
>  1 files changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/client/controller.cpp b/client/controller.cpp
> index b5bc0ba..6d1272c 100644
> --- a/client/controller.cpp
> +++ b/client/controller.cpp
> @@ -28,10 +28,6 @@
>  
>  #ifdef WIN32
>  #define PIPE_NAME "SpiceController-%lu"
> -#elif defined(__i386__)
> -#define PIPE_NAME "/tmp/SpiceController-%llu.uds"
> -#else
> -#define PIPE_NAME "/tmp/SpiceController-%lu.uds"
>  #endif
>  
>  Controller::Controller(ControllerInterface *handler)
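Review bot: After the two Unix `PIPE_NAME` definitions are dropped, the remaining `#define PIPE_NAME "SpiceController-%lu"` under `#ifdef WIN32` still derives the pipe name from the process id, which is exactly as guessable as the removed `/tmp/SpiceController-%lu.uds` pattern. The commit message should say whether the Windows named pipe is considered out of scope for CVE-2010-2792 (for instance because of different ownership semantics for named pipes there) or the environment-variable mechanism introduced below should be used on both platforms. A one-line comment above the `#ifdef WIN32` noting that other platforms now take the socket name from SPICE_XPI_SOCKET would also help readers who only see this header block.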
> @@ -42,7 +38,15 @@ Controller::Controller(ControllerInterface *handler)
>      char pipe_name[PIPE_NAME_MAX_LEN];
>  
>      ASSERT(_handler);
> +#ifdef WIN32
>      snprintf(pipe_name, PIPE_NAME_MAX_LEN, PIPE_NAME, Platform::get_process_id());
> +#else
> +    char *p_socket = getenv("SPICE_XPI_SOCKET");
> +    if (!p_socket) {
> +        LOG_ERROR("Failed to get a controller connection (SPICE_XPI_SOCKET)");
> +    }
> +    strncpy(pipe_name, p_socket, sizeof(pipe_name));
> +#endif
>      LOG_INFO("Creating a controller connection %s", pipe_name);
>      _pipe = NamedPipe::create(pipe_name, *this);
>      if (!_pipe) {
>   
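Review bot: The missing-variable check in the `#else` branch does not stop execution: after `LOG_ERROR("Failed to get a controller connection (SPICE_XPI_SOCKET)")` the constructor falls through to `strncpy(pipe_name, p_socket, sizeof(pipe_name))` with `p_socket == NULL`, a null-pointer dereference. Add a `return` (or throw, consistent with how the surrounding code handles `if (!_pipe)`) right after the log call. Separately, `strncpy` leaves `pipe_name` without a terminating NUL when the environment value is `PIPE_NAME_MAX_LEN` bytes or longer, so either terminate explicitly with `pipe_name[sizeof(pipe_name) - 1] = '\0'` or reuse the `snprintf(pipe_name, PIPE_NAME_MAX_LEN, "%s", p_socket)` form already used in the WIN32 path; the value comes from the environment, so an overlong one must not turn into an unterminated buffer that `LOG_INFO` and `NamedPipe::create` then read past.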