From: Ross Burton <ross.burton@intel.com>
To: openembedded-core@lists.openembedded.org
Subject: [PATCH] xserver-xorg: fix CVE-2018-14665
Date: Thu, 1 Nov 2018 11:15:58 +0000 [thread overview]
Message-ID: <20181101111558.28523-1-ross.burton@intel.com> (raw)
Incorrect command-line parameter validation in the Xorg X server can lead to
privilege elevation and/or arbitrary files overwrite, when the X server is
running with elevated privileges (ie when Xorg is installed with the setuid bit
set and started by a non-root user). The -modulepath argument can be used to
specify an insecure path to modules that are going to be loaded in the X server,
allowing to execute unprivileged code in the privileged process. The -logfile
argument can be used to overwrite arbitrary files in the file system, due to
incorrect checks in the parsing of the option.
Signed-off-by: Ross Burton <ross.burton@intel.com>
---
.../xorg-xserver/xserver-xorg/CVE-2018-14665.patch | 62 ++++++++++++++++++++++
.../xorg-xserver/xserver-xorg_1.20.1.bb | 1 +
2 files changed, 63 insertions(+)
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2018-14665.patch
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2018-14665.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2018-14665.patch
new file mode 100644
index 00000000000..7f6235b4326
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2018-14665.patch
@@ -0,0 +1,62 @@
+Incorrect command-line parameter validation in the Xorg X server can lead to
+privilege elevation and/or arbitrary files overwrite, when the X server is
+running with elevated privileges (ie when Xorg is installed with the setuid bit
+set and started by a non-root user). The -modulepath argument can be used to
+specify an insecure path to modules that are going to be loaded in the X server,
+allowing to execute unprivileged code in the privileged process. The -logfile
+argument can be used to overwrite arbitrary files in the file system, due to
+incorrect checks in the parsing of the option.
+
+CVE: CVE-2018-14665
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 23 Oct 2018 21:29:08 +0200
+Subject: [PATCH] Disable -logfile and -modulepath when running with elevated
+ privileges
+
+Could cause privilege elevation and/or arbitrary files overwrite, when
+the X server is running with elevated privileges (ie when Xorg is
+installed with the setuid bit set and started by a non-root user).
+
+CVE-2018-14665
+
+Issue reported by Narendra Shinde and Red Hat.
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+---
+ hw/xfree86/common/xf86Init.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/hw/xfree86/common/xf86Init.c b/hw/xfree86/common/xf86Init.c
+index 6c25eda73..0f57efa86 100644
+--- a/hw/xfree86/common/xf86Init.c
++++ b/hw/xfree86/common/xf86Init.c
+@@ -935,14 +935,18 @@ ddxProcessArgument(int argc, char **argv, int i)
+ /* First the options that are not allowed with elevated privileges */
+ if (!strcmp(argv[i], "-modulepath")) {
+ CHECK_FOR_REQUIRED_ARGUMENT();
+- xf86CheckPrivs(argv[i], argv[i + 1]);
++ if (xf86PrivsElevated())
++ FatalError("\nInvalid argument -modulepath "
++ "with elevated privileges\n");
+ xf86ModulePath = argv[i + 1];
+ xf86ModPathFrom = X_CMDLINE;
+ return 2;
+ }
+ if (!strcmp(argv[i], "-logfile")) {
+ CHECK_FOR_REQUIRED_ARGUMENT();
+- xf86CheckPrivs(argv[i], argv[i + 1]);
++ if (xf86PrivsElevated())
++ FatalError("\nInvalid argument -logfile "
++ "with elevated privileges\n");
+ xf86LogFile = argv[i + 1];
+ xf86LogFileFrom = X_CMDLINE;
+ return 2;
+--
+2.18.1
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.1.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.1.bb
index cfdaf731758..9fd2e8d870b 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.1.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.1.bb
@@ -3,6 +3,7 @@ require xserver-xorg.inc
SRC_URI += "file://musl-arm-inb-outb.patch \
file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \
file://pkgconfig.patch \
+ file://CVE-2018-14665.patch \
"
SRC_URI[md5sum] = "e525846d1d0af5732ba835f2e2ec066d"
SRC_URI[sha256sum] = "59c99fe86fe75b8164c6567bfc6e982aecc2e4a51e6fbac1b842d5d00549e918"
--
2.11.0
next reply other threads:[~2018-11-01 11:16 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-01 11:15 Ross Burton [this message]
2018-11-01 11:33 ` ✗ patchtest: failure for xserver-xorg: fix CVE-2018-14665 Patchwork
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181101111558.28523-1-ross.burton@intel.com \
--to=ross.burton@intel.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox