From 513d13accd7925f6c94ffe2003c15ee5bbc5e9d1 Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@zip.com.au>
Date: Wed, 15 Aug 2007 19:13:41 +1000
Subject:    - markus@cvs.openbsd.org 2007/08/15 08:14:46      [clientloop.c]  
    do NOT fall back to the trused x11 cookie if generation of an untrusted   
   cookie fails; from security-alert at sun.com; ok dtucker

---
 ChangeLog    |  9 ++++++++-
 clientloop.c | 38 ++++++++++++++++++++++++--------------
 2 files changed, 32 insertions(+), 15 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 8a602213..62fd4d68 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+20070815
+ - (dtucker) OpenBSD CVS Sync
+   - markus@cvs.openbsd.org 2007/08/15 08:14:46
+     [clientloop.c]
+     do NOT fall back to the trused x11 cookie if generation of an untrusted
+     cookie fails; from security-alert at sun.com; ok dtucker
+
 20070813
  - (dtucker) [session.c] Bug #1339: ensure that pam_setcred() is always
    called with PAM_ESTABLISH_CRED at least once, which resolves a problem
@@ -3152,4 +3159,4 @@
    OpenServer 6 and add osr5bigcrypt support so when someone migrates
    passwords between UnixWare and OpenServer they will still work. OK dtucker@
 
-$Id: ChangeLog,v 1.4725 2007/08/13 13:11:56 dtucker Exp $
+$Id: ChangeLog,v 1.4726 2007/08/15 09:13:41 dtucker Exp $
diff --git a/clientloop.c b/clientloop.c
index 538644c2..b57fda04 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.180 2007/08/07 07:32:53 djm Exp $ */
+/* $OpenBSD: clientloop.c,v 1.181 2007/08/15 08:14:46 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -290,19 +290,29 @@ client_x11_get_proto(const char *display, const char *xauth_path,
 					generated = 1;
 			}
 		}
-		snprintf(cmd, sizeof(cmd),
-		    "%s %s%s list %s 2>" _PATH_DEVNULL,
-		    xauth_path,
-		    generated ? "-f " : "" ,
-		    generated ? xauthfile : "",
-		    display);
-		debug2("x11_get_proto: %s", cmd);
-		f = popen(cmd, "r");
-		if (f && fgets(line, sizeof(line), f) &&
-		    sscanf(line, "%*s %511s %511s", proto, data) == 2)
-			got_data = 1;
-		if (f)
-			pclose(f);
+
+		/*
+		 * When in untrusted mode, we read the cookie only if it was
+		 * successfully generated as an untrusted one in the step
+		 * above.
+		 */
+		if (trusted || generated) {
+			snprintf(cmd, sizeof(cmd),
+			    "%s %s%s list %s 2>" _PATH_DEVNULL,
+			    xauth_path,
+			    generated ? "-f " : "" ,
+			    generated ? xauthfile : "",
+			    display);
+			debug2("x11_get_proto: %s", cmd);
+			f = popen(cmd, "r");
+			if (f && fgets(line, sizeof(line), f) &&
+			    sscanf(line, "%*s %511s %511s", proto, data) == 2)
+				got_data = 1;
+			if (f)
+				pclose(f);
+		} else
+			error("Warning: untrusted X11 forwarding setup failed: "
+			    "xauth key data not generated");
 	}
 
 	if (do_unlink) {
-- 
cgit v1.2.3