Subject: xsrc/32804: minor security glitch in Xsession (xorg and xsrc)
List: netbsd-bugs
Date: 02/12/2006 14:05:00
>Number:         32804
>Category:       xsrc
>Synopsis:       there's a race condition setting log file permissions in Xsession
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    xsrc-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Feb 12 14:05:00 +0000 2006
>Originator:     Steven M. Bellovin
>Release:        NetBSD 3.99.15
>Environment:
System: NetBSD 3.99.15 NetBSD 3.99.15 (BIGBOY) #0: Fri Feb 10 08:50:25 EST 2006 i386
Architecture: i386
Machine: i386
>Description:
	Near the start of Xsession -- both the pkgsrc and xsrc versions --
	there is the following code:

		if ( cp /dev/null "$errfile" 2> /dev/null )
			chmod 600 "$errfile"

	An attacker who got in at just the right time could open the file
	for read before the chmod.
>How-To-Repeat:
	See above
>Fix:
	Delete the chmod and change the first line to

		if (umask 077 && cp /dev/null "$errfile" 2> /dev/null )
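
The following is an added example, not part of the original report or of the Xsession script: it measures the permissions the log file has at the moment of creation under both patterns. The function names, the temporary paths and the 022 session umask are assumptions; the third function covers a case beyond the report, a log file that already exists, where umask has no effect.

```shell
#!/bin/sh
# Added example: constructed paths in a temp dir stand in for "$errfile".

# Print the octal permission bits of a file (GNU stat, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Reported pattern: the file exists with umask-derived permissions until
# chmod runs. Prints the mode visible inside that window.
mode_before_chmod() (
    umask 022                      # assumed typical session umask
    if ( cp /dev/null "$1" 2> /dev/null ); then
        mode_of "$1"               # window: file is already on disk here
        chmod 600 "$1"
    fi
)

# Proposed fix: umask 077 inside the subshell, so the file is created
# private. Prints the creation mode and the caller's unchanged umask.
mode_with_umask() (
    umask 022
    if ( umask 077 && cp /dev/null "$1" 2> /dev/null ); then
        echo "$(mode_of "$1") $(umask)"
    fi
)

# Caveat: umask applies only at creation. If "$1" already exists, cp
# truncates it and the old mode survives once the chmod is deleted.
mode_when_preexisting() (
    umask 022
    : > "$1"
    chmod 644 "$1"
    if ( umask 077 && cp /dev/null "$1" 2> /dev/null ); then
        mode_of "$1"
    fi
)

d=$(mktemp -d) || exit 1
echo "before chmod:   $(mode_before_chmod "$d/a")"
echo "umask subshell: $(mode_with_umask "$d/b")"
echo "pre-existing:   $(mode_when_preexisting "$d/c")"
rm -rf "$d"
```

Because the umask change happens inside the parenthesised subshell, the rest of the session keeps its own umask. Keeping the chmod after the umask-protected create also covers the pre-existing-file case.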