File X11-forwarding-avoid-unsafe-use-of-magic-cookie_CVE-2020-27746.patch of Package slurm.25998
From 07309deb45c33e735e191faf9dd31cca1054a15c Mon Sep 17 00:00:00 2001
From: Tim Wickberg <tim@schedmd.com>
Date: Thu, 12 Nov 2020 08:49:02 -0800
Subject: X11 forwarding - avoid unsafe use of magic cookie as arg to xauth command.
Magic cookie can leak through /proc this way. There is a race here between
this usually short-lived xauth command running and an attacker scraping
the value from /proc. This can be exacerbated through use of
X11Parameters=home_xauthority on a cluster with a shared home directory
under heavy load.
CVE-2020-27746.
Note from Ana Guerrero <aguerrero@suse.com>
The patch got a light modification from the git commit, given that in
slurm 18.08 the run_command had an argument less. This doesn't affect
the security fix.
---
diff --git a/src/common/x11_util.c b/src/common/x11_util.c
index d7f2457748..275f222945 100644
--- a/src/common/x11_util.c
+++ b/src/common/x11_util.c
@@ -185,27 +185,44 @@
int i=0, status;
char *result;
char **xauth_argv;
+ char template[] = "/tmp/xauth-source-XXXXXX";
+ char *contents = NULL;
+ int fd;
+
+ /* protect against weak file permissions in old glibc */
+ umask(0077);
+ if ((fd = mkstemp(template)) < 0)
+ fatal("%s: could not create temp file", __func__);
+
+ xstrfmtcat(contents, "add %s/unix:%u MIT-MAGIC-COOKIE-1 %s\n",
+ host, display, cookie);
+ safe_write(fd, contents, strlen(contents));
+ xfree(contents);
+ close(fd);
xauth_argv = xmalloc(sizeof(char *) * 10);
- xauth_argv[i++] = xstrdup("xauth");
- xauth_argv[i++] = xstrdup("-v");
- xauth_argv[i++] = xstrdup("-f");
- xauth_argv[i++] = xstrdup(xauthority);
- xauth_argv[i++] = xstrdup("add");
- xauth_argv[i++] = xstrdup_printf("%s/unix:%u", host, display);
- xauth_argv[i++] = xstrdup("MIT-MAGIC-COOKIE-1");
- xauth_argv[i++] = xstrdup(cookie);
+ xauth_argv[i++] = "xauth";
+ xauth_argv[i++] = "-v";
+ xauth_argv[i++] = "-f";
+ xauth_argv[i++] = xauthority;
+ xauth_argv[i++] = "source";
+ xauth_argv[i++] = template;
xauth_argv[i++] = NULL;
xassert(i < 10);
result = run_command("xauth", XAUTH_PATH, xauth_argv, 10000, &status);
- free_command_argv(xauth_argv);
+ (void) unlink(template);
+ xfree(xauth_argv);
debug2("%s: result from xauth: %s", __func__, result);
xfree(result);
return status;
+
+rwfail:
+ fatal("%s: could not write temporary xauth file", __func__);
+ return SLURM_ERROR;
}
extern int x11_delete_xauth(char *xauthority, char *host, uint16_t display)
