X.Org security advisory: xserver locking code issues
matthieu.herrb at laas.fr
Tue Oct 18 07:50:21 PDT 2011
X.Org security advisory, October 18, 2011
xserver locking vulnerabilities
CVE IDs: CVE-2011-4028 CVE-2011-4029
Two vulnerabilities have been discovered in the code handling the X
server lock, which prevents two X servers from serving the same display.
o CVE-2011-4028 : File disclosure vulnerability:
It is possible to deduce if a file exists or not by exploiting the
way that Xorg creates its lock files.
This is because the X server behaves differently when the lock file
already exists as a symbolic link, depending on whether the link
points to an existing or a non-existing file.
o CVE-2011-4029 : File permission change vulnerability:
It is possible for a non-root user to set the permissions for
all users on any file or directory to 444, giving unwanted read
access or causing denial of service (by removing execute permission).
This is caused by a race between creating the lock file and setting
its access modes.
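
An added example, not the X server's code and not taken from the fix commits: one way to create a lock file so that neither behaviour described above arises. The helper name create_lock, the PID format and the default path are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for O_NOFOLLOW and fchmod() */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a lock file holding our PID; returns 0 or a negative errno.
 * Hypothetical helper for illustration, not the X server's function. */
int create_lock(const char *path)
{
    char buf[32];
    int fd, len, err;

    /* O_CREAT|O_EXCL fails with EEXIST when the name exists at all,
     * symlinks included, whether or not the link target exists, so the
     * outcome says nothing about the target. O_NOFOLLOW is a backstop. */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -errno;

    len = snprintf(buf, sizeof(buf), "%ld\n", (long)getpid());
    /* Racy form: chmod(path, 0444) resolves the name a second time, and
     * the name may no longer refer to the file created above. fchmod()
     * changes the inode behind fd, whatever the path points to now. */
    if (write(fd, buf, (size_t)len) != len || fchmod(fd, 0444) < 0) {
        err = errno ? errno : EIO;
        close(fd);
        return -err;   /* stale-lock cleanup is left to the caller */
    }
    return close(fd) < 0 ? -errno : 0;
}

int main(int argc, char **argv)
{
    /* Constructed default path for the demo. */
    const char *path = argc > 1 ? argv[1] : "/tmp/.example-lock";
    int rc = create_lock(path);

    if (rc < 0)
        fprintf(stderr, "%s: %s\n", path, strerror(-rc));
    return rc < 0;
}
```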
All X.Org Xserver versions are vulnerable to CVE-2011-4028 when
running with root privileges.
X.Org Xserver version 1.4 and later are vulnerable to CVE-2011-4029
when running with root privileges.
Removing the setuid bit on the Xorg binary (and using a display
manager to start it with controlled parameters) makes the issues
harder to exploit, but not impossible.
Those issues have been fixed by the following two git commits:
A fix of this vulnerability will be included in xserver 1.11.2 and
The X.Org Foundation thanks vladz (http://vladz.devzero.fr) for
bringing this issue to our attention and helping test the fixes.