author | Julien Cristau <jcristau@debian.org> | 2009-05-14 21:08:21 +0200 |
---|---|---|
committer | Julien Cristau <jcristau@debian.org> | 2009-05-14 21:08:21 +0200 |
commit | ecf09e571198ee16256a5efd1c23fd286a4f2249 (patch) | |
tree | a3645b62e856626110f45860f1749925dc0c4429 /debian/local/xvfb-run | |
parent | cbccf51785b500f51dc974ed05f5512181d4c51f (diff) |
xvfb-run: don't pass the magic cookie to xauth on the command line
Use xauth source to pass the cookie via stdin.
This addresses CVE-2009-1573. Thanks, Loïc Minier!
Diffstat (limited to 'debian/local/xvfb-run')
-rw-r--r-- | debian/local/xvfb-run | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/debian/local/xvfb-run b/debian/local/xvfb-run index c85f86af9..b11130a32 100644 --- a/debian/local/xvfb-run +++ b/debian/local/xvfb-run @@ -157,8 +157,9 @@ fi # Start Xvfb. MCOOKIE=$(mcookie) -XAUTHORITY=$AUTHFILE xauth add ":$SERVERNUM" "$XAUTHPROTO" "$MCOOKIE" \ - >>"$ERRORFILE" 2>&1 +XAUTHORITY=$AUTHFILE xauth source - << EOF >>"$ERRORFILE" 2>&1 +add :$SERVERNUM $XAUTHPROTO $MCOOKIE +EOF XAUTHORITY=$AUTHFILE Xvfb ":$SERVERNUM" $XVFBARGS $LISTENTCP >>"$ERRORFILE" \ 2>&1 & XVFBPID=$! |
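Review bot: The here-document line `add :$SERVERNUM $XAUTHPROTO $MCOOKIE` is now parsed by xauth as a command line instead of being passed as separate quoted arguments, so a value of `$SERVERNUM` or `$XAUTHPROTO` containing whitespace or a newline would be split into extra arguments or further xauth commands, where the removed `xauth add ":$SERVERNUM" "$XAUTHPROTO" "$MCOOKIE"` kept each as a single argv entry. Consider validating those two variables before this point (for example, rejecting anything containing whitespace). A short comment above `xauth source -` stating that the cookie is fed on stdin to keep it out of the process argument list would also stop the line from being simplified back to the command-line form later.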