Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 4 Nov 2020 11:36:13 +0100
From: Matthias Gerstner <>
Subject: sddm: CVE-2020-28049: local privilege escalation due to race
 condition in creation of the Xauthority file

Hello list,

a local privilege escalation has been discovered in the sddm display
manager [1].

sddm passes the -auth and -displayfd command line arguments when
starting the Xserver. It then waits for the display number to be
received from the Xserver via the `displayfd`, before the Xauthority
file specified via the `-auth` parameter is actually written. This
results in a race condition, creating a time window in which no valid
Xauthority file is existing while the Xserver is already running.

The X.Org server, when encountering a non-existing, empty or
corrupt/incomplete Xauthority file, will grant any connecting client
access to the Xorg display [2]. A local unprivileged attacker can thus
create an unauthorized connection to the Xserver and grab e.g. keyboard
input events from other legitimate users accessing the Xserver.

A simple reproducer works like this:

# run this from an unpriliged account before sddm is started to exploit
# the race condition and kill the X server
inotifywait /tmp/.X11-unix; while ! xkill; do :; done

The security issue was discovered by our SUSE sddm package maintainer
Fabian Vogt. The issue is included in sddm since version 0.12.0 and
was recently fixed in a new upstream release 0.19.0. The upstream commit
fixing this issue is found in [3]. The SUSE bugzilla bug tracking this
issue is found in [4].




Matthias Gerstner <>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
Phone: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553

SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
Geschäftsführer: Felix Imendörffer

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.