File X11-forwarding-avoid-unsafe-use-of-magic-cookie_CVE-2020-27746.patch of Package slurm.25998
From 07309deb45c33e735e191faf9dd31cca1054a15c Mon Sep 17 00:00:00 2001
From: Tim Wickberg <tim@schedmd.com>
Date: Thu, 12 Nov 2020 08:49:02 -0800
Subject: X11 forwarding - avoid unsafe use of magic cookie as arg to xauth command. Magic cookie can leak through /proc this way. There is a race here between this usually short-lived xauth command running and an attacker scraping the value from /proc. This can be exacerbated through use of X11Parameters=home_xauthority on a cluster with a shared home directory under heavy load. CVE-2020-27746. Note from Ana Guerrero <aguerrero@suse.com> The patch got a light modification from the git commit, given that in slurm 18.08 the run_command had an argument less. This doesn't affect the security fix.
---
diff --git a/src/common/x11_util.c b/src/common/x11_util.c
index d7f2457748..275f222945 100644
--- a/src/common/x11_util.c
+++ b/src/common/x11_util.c
@@ -185,27 +185,44 @@
 int i=0, status;
 char *result;
 char **xauth_argv;
+ char template[] = "/tmp/xauth-source-XXXXXX";
+ char *contents = NULL;
+ int fd;
+
+ /* protect against weak file permissions in old glibc */
+ umask(0077);
+ if ((fd = mkstemp(template)) < 0)
+ fatal("%s: could not create temp file", __func__);
+
+ xstrfmtcat(contents, "add %s/unix:%u MIT-MAGIC-COOKIE-1 %s\n",
+ host, display, cookie);
+ safe_write(fd, contents, strlen(contents));
+ xfree(contents);
+ close(fd);
 xauth_argv = xmalloc(sizeof(char *) * 10);
- xauth_argv[i++] = xstrdup("xauth");
- xauth_argv[i++] = xstrdup("-v");
- xauth_argv[i++] = xstrdup("-f");
- xauth_argv[i++] = xstrdup(xauthority);
- xauth_argv[i++] = xstrdup("add");
- xauth_argv[i++] = xstrdup_printf("%s/unix:%u", host, display);
- xauth_argv[i++] = xstrdup("MIT-MAGIC-COOKIE-1");
- xauth_argv[i++] = xstrdup(cookie);
+ xauth_argv[i++] = "xauth";
+ xauth_argv[i++] = "-v";
+ xauth_argv[i++] = "-f";
+ xauth_argv[i++] = xauthority;
+ xauth_argv[i++] = "source";
+ xauth_argv[i++] = template;
 xauth_argv[i++] = NULL;
 xassert(i < 10);
 result = run_command("xauth", XAUTH_PATH, xauth_argv, 10000, &status);
- free_command_argv(xauth_argv);
+ (void) unlink(template);
+ xfree(xauth_argv);
 debug2("%s: result from xauth: %s", __func__, result);
 xfree(result);
 return status;
+
+rwfail:
+ fatal("%s: could not write temporary xauth file", __func__);
+ return SLURM_ERROR;
 }
 extern int x11_delete_xauth(char *xauthority, char *host, uint16_t display)
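Review bot: The `rwfail:` path calls `fatal()` without removing the temp file, so a failed `safe_write()` (which appears to jump to that label) can leave `/tmp/xauth-source-XXXXXX` on disk with a partly written cookie line; adding `(void) unlink(template);` before the `fatal()` under `rwfail:` would close that gap. Separately, `umask(0077);` discards the previous mask and never restores it, so the rest of the process keeps creating files with the tightened mask; `mode_t old_mask = umask(0077);` followed by `umask(old_mask);` after `mkstemp()` keeps the side effect local. The function's signature and opening brace are outside the hunk, so callers that rely on the process umask could not be checked here.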