lightdm leaks FDs to child processes

Bug #927060 reported by Yves-Alexis Perez
Affects                 Status         Importance   Assigned to         Milestone
Light Display Manager   Fix Released   High         Robert Ancell
lightdm (Debian)        Fix Released   Unknown
lightdm (Ubuntu)        Fix Released   High         Robert Ancell
  Oneiric               Fix Released   High         Marc Deslauriers
  Precise               Fix Released   High         Robert Ancell

Bug Description

 affects lightdm
 affects debian
 security yes
 summary "lightdm leaks FDs to child processes"
 done

tag 658678 security
thanks
On Sun., 2012-02-05 at 00:27 -0500, Austin Clements wrote:
> Package: lightdm
> Version: 1.0.6-3
> Severity: normal
>
> Dear Maintainer,
>
> lightdm appears to leak several file descriptors to the child process
> it creates for the session, which propagate to nearly every process
> running in an interactive session.
>
> For example, running ls -l /proc/self/fd from a terminal in X yields
>
> lrwx------ 1 amdragon amdragon 64 Feb 4 23:52 0 -> /dev/pts/15
> lrwx------ 1 amdragon amdragon 64 Feb 4 23:52 1 -> /dev/pts/15
> lr-x------ 1 amdragon amdragon 64 Feb 4 23:52 13 -> pipe:[10098]
> l-wx------ 1 amdragon amdragon 64 Feb 4 23:52 14 -> pipe:[10098]
> lr-x------ 1 amdragon amdragon 64 Feb 4 23:52 15 -> pipe:[10099]
> l-wx------ 1 amdragon amdragon 64 Feb 4 23:52 16 -> pipe:[10099]
> lrwx------ 1 amdragon amdragon 64 Feb 4 23:52 2 -> /dev/pts/15
> lr-x------ 1 amdragon amdragon 64 Feb 4 23:52 3 -> /proc/27874/fd/
> lr-x------ 1 amdragon amdragon 64 Feb 4 23:52 4 -> pipe:[9306]
> l-wx------ 1 amdragon amdragon 64 Feb 4 23:52 5 -> pipe:[9306]
> l-wx------ 1 amdragon amdragon 64 Feb 4 23:52 6 -> /var/log/lightdm/lightdm.log
>
> FDs 4 through 16 were inherited from the lightdm process, as can be
> seen from its open FDs,
>
> $ sudo ls -l /proc/`pidof lightdm`/fd
> total 0
> lrwx------ 1 root root 64 Feb 4 23:54 0 -> /dev/null
> lrwx------ 1 root root 64 Feb 4 23:54 1 -> /dev/null
> lr-x------ 1 root root 64 Feb 4 23:54 10 -> pipe:[9315]
> l-wx------ 1 root root 64 Feb 4 23:54 11 -> pipe:[9315]
> lrwx------ 1 root root 64 Feb 4 23:54 12 -> socket:[10302]
> lr-x------ 1 root root 64 Feb 4 23:54 13 -> pipe:[10098]
> l-wx------ 1 root root 64 Feb 4 23:54 14 -> pipe:[10098]
> lr-x------ 1 root root 64 Feb 4 23:54 15 -> pipe:[10099]
> l-wx------ 1 root root 64 Feb 4 23:54 16 -> pipe:[10099]
> lrwx------ 1 root root 64 Feb 4 23:54 17 -> socket:[10101]
> lrwx------ 1 root root 64 Feb 4 23:54 2 -> /dev/null
> lrwx------ 1 root root 64 Feb 4 23:54 3 -> anon_inode:[eventfd]
> lr-x------ 1 root root 64 Feb 4 23:54 4 -> pipe:[9306]
> l-wx------ 1 root root 64 Feb 4 23:54 5 -> pipe:[9306]
> l-wx------ 1 root root 64 Feb 4 23:54 6 -> /var/log/lightdm/lightdm.log
> lrwx------ 1 root root 64 Feb 4 23:54 7 -> anon_inode:[eventfd]
> lrwx------ 1 root root 64 Feb 4 23:54 8 -> socket:[8076]
> lrwx------ 1 root root 64 Feb 4 23:54 9 -> anon_inode:[eventfd]
>
> FD 6 is particularly worrisome, as it allows any process to write to
> the root-owned lightdm log.
>
> It might be relevant that I use an .xsession script and Xmonad with no
> desktop environment.

Yep, you seem to be right. I don't inherit them in all my processes, but
indeed xfce4-session has them. Forwarding to upstream and tagging
security.

I'm not completely sure what the security impact is right now, as I
don't exactly know what the relevant "shared" fds are, except the lightdm.log.
There's one where the pipe is opened by Xorg too but that might be
normal.

Regards,
--
Yves-Alexis

Tags: patch
affects: debian → lightdm (Debian)
Changed in lightdm (Debian):
importance: Undecided → Unknown
status: New → Unknown
Changed in lightdm:
status: New → Triaged
importance: Undecided → High
Changed in lightdm (Debian):
status: Unknown → Confirmed
Revision history for this message
Yves-Alexis Perez (corsac) wrote :

Any news on this?

Revision history for this message
Robert Ancell (robert-ancell) wrote :

No change yet...

Changed in lightdm:
assignee: nobody → Robert Ancell (robert-ancell)
status: Triaged → In Progress
Changed in lightdm (Ubuntu):
status: New → In Progress
importance: Undecided → High
Revision history for this message
Robert Ancell (robert-ancell) wrote :

I've identified and fixed the leaks for both the trunk and 1.0. These patches are not pushed anywhere except this bug and when committed will be immediately released in lightdm 1.0.8 and 1.1.4. Both patches contain regression tests to check no unknown file descriptors are passed to a session after a login.

The leaking file descriptors (7) were:
- The lightdm daemon log (write)
- The signal pipe used in the daemon to send signal notifications into the GLib main loop (read/write) - could potentially stop the daemon by simulating a SIGTERM.
- Two pipes used by the greeter to communicate with the daemon (both read/write). This pipe should be unused by this point (it would have been used to negotiate the session) but I haven't investigated if you could do any damage with it at this point.

These patches also need to be updated to check what happens when an XDMCP/VNC server is running as those fds might also leak.

I'm asking the Canonical security team to help with the timing of these releases; Yves-Alexis, Guido, let me know what you guys need there too.
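The mechanism in the original report (a write-only log descriptor inherited across exec() into the session, where any user process can write to it) and the fix described in the comment above (closing or marking the daemon's descriptors close-on-exec, then checking that nothing unexpected reaches the session) as an added C example. This is not lightdm's code or its patch; it assumes a POSIX system with /bin/sh and a writable /tmp, and the function names (open_log, mark_cloexec, is_cloexec, count_open_fds, session_can_write, log_tampered) are hypothetical.

```c
/* Added example, not lightdm code. Build with: cc -Wall -o fd_leak_demo fd_leak_demo.c
 * Assumes POSIX, /bin/sh and a writable /tmp. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open a write-only "daemon log". cloexec == 0 is the pre-fix behaviour:
 * the descriptor survives exec() in every child. */
int open_log(const char *path, int cloexec)
{
    int flags = O_WRONLY | O_CREAT | O_TRUNC;
    if (cloexec)
        flags |= O_CLOEXEC;
    return open(path, flags, 0600);
}

/* Retrofit FD_CLOEXEC on a descriptor created without it (pipe(), socket(),
 * eventfd() and friends). Returns 0 on success, -1 on error. */
int mark_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* 1 if fd is open and has FD_CLOEXEC set, 0 otherwise. */
int is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags >= 0 && (flags & FD_CLOEXEC) != 0;
}

/* Count descriptors open at or above `lowest` in this process: a portable
 * stand-in for `ls -l /proc/self/fd`, anything inherited shows up here. */
int count_open_fds(int lowest)
{
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0 || max > 65536)
        max = 65536;
    int n = 0;
    for (int fd = lowest; fd < max; fd++)
        if (fcntl(fd, F_GETFD) != -1)
            n++;
    return n;
}

/* Fork a "session" that exec()s /bin/sh and tries to write a line through
 * descriptor number `fd`, which is all a user process needs to do with an
 * inherited lightdm.log descriptor. Returns 1 if the write succeeded (the
 * descriptor crossed exec), 0 if the shell found it closed, -1 on failure. */
int session_can_write(int fd)
{
    char cmd[96];
    snprintf(cmd, sizeof cmd,
             "printf 'injected by session\\n' 2>/dev/null >&%d", fd);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Whole scenario: the "daemon" opens its log (leaking or not), writes a
 * banner, spawns the session, then inspects the file. Returns 1 if the
 * session appended to the daemon's log, 0 if it stayed clean, -1 on error. */
int log_tampered(int cloexec)
{
    const char *banner = "daemon: started\n";
    char path[] = "/tmp/fdleak-XXXXXX";   /* constructed scratch file */
    int tmp = mkstemp(path);
    if (tmp < 0)
        return -1;
    close(tmp);
    int log = open_log(path, cloexec);
    if (log < 0)
        return -1;
    if (write(log, banner, strlen(banner)) < 0)
        return -1;
    int leaked = session_can_write(log);
    close(log);
    struct stat st;
    int rc = stat(path, &st);
    unlink(path);
    if (rc < 0 || leaked < 0)
        return -1;
    return leaked || st.st_size > (off_t)strlen(banner);
}

int main(void)
{
    printf("log without O_CLOEXEC: tampered=%d\n", log_tampered(0));
    printf("log with O_CLOEXEC:    tampered=%d\n", log_tampered(1));
    return 0;
}
```

Two design points worth noting. Setting the flag at creation time (O_CLOEXEC on open(), and where available pipe2()/SOCK_CLOEXEC) closes the window between creating a descriptor and retrofitting FD_CLOEXEC with fcntl(), which matters in a daemon that may fork from another thread in between. And the session-side check is just count_open_fds(3) compared against what the session expects; that is what a regression test of the kind described in the comment reduces to when /proc is not available.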

Revision history for this message
Robert Ancell (robert-ancell) wrote :

Updated patch with regression tests that confirm XDMCP and VNC sessions don't have the socket file descriptors leaked to them.

Revision history for this message
Yves-Alexis Perez (corsac) wrote :

I'm ok for a release (as it's not in stable it's ok to push a new upstream release), I can upload a 1.0.8 to Debian today.

Revision history for this message
Guido Berhoerster (gber) wrote :

That'd be ok from my side as well, if you plan to delay the release please let me know the date.

Revision history for this message
Yves-Alexis Perez (corsac) wrote :

Any news for a release? (I can prepare packages with patches since the bug is public anyway, but if you prefer coordinated release it'd be nice to do it faster than slower :)

Revision history for this message
Yves-Alexis Perez (corsac) wrote :

Ping?

Revision history for this message
Robert Ancell (robert-ancell) wrote :

OK, security team says good to go. I've pushed these changes to the lightdm bzr branches and you guys can release whenever you like.

Changed in lightdm (Ubuntu Precise):
assignee: nobody → Robert Ancell (robert-ancell)
Changed in lightdm (Ubuntu Oneiric):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → In Progress
importance: Undecided → High
Changed in lightdm:
status: In Progress → Fix Released
Revision history for this message
Guido Berhoerster (gber) wrote :

Could you make this bug publicly accessible and obtain a CVE for it?

Revision history for this message
Martin Pitt (pitti) wrote :

The Debian bug is public, so I see little reason to keep this private. Making public.

visibility: private → public
tags: added: patch
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.0.6-0ubuntu1.4

---------------
lightdm (1.0.6-0ubuntu1.4) oneiric-security; urgency=low

  * SECURITY UPDATE: file descriptor leak to child processes (LP: #927060)
    - debian/patches/12_dont-leak-fds.patch: clean up file descriptors in
      src/*.c, add tests to tests/*.
    - CVE number pending
 -- Marc Deslauriers <email address hidden> Sun, 04 Mar 2012 19:29:04 -0500

Changed in lightdm (Ubuntu Oneiric):
status: In Progress → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.1.6-0ubuntu1

---------------
lightdm (1.1.6-0ubuntu1) precise; urgency=low

  * Upload the new version to Ubuntu
  * Reshuffle a bit the vcs to use merge upstream correctly

  [ Robert Ancell ]
  * New upstream release:
    - Fix session wrapper working the same as it did in 1.1.3 (lp: #944736)
    - Stop file descriptors leaking into the session processes (lp: #927060)

  [ Martin Pitt ]
  * debian/control: Fix liblightdm-gobject-1-doc architecture to "all".
 -- Sebastien Bacher <email address hidden> Tue, 06 Mar 2012 13:45:29 +0100

Changed in lightdm (Ubuntu Precise):
status: In Progress → Fix Released
Changed in lightdm (Debian):
status: Confirmed → Fix Released
This report contains Public Security information.
Everyone can see this security related information.