Andreas Boll
2018-10-25 18:18:23 UTC
Andreas Boll pushed to branch debian-unstable at X Strike Force / xserver / xorg-server
Commits:
cfc3dec0 by Peter Hutterer at 2018-10-16T14:22:05Z
xfree86: fix readlink call
Misplaced parenthesis caused us to compare the sizeof, not the readlink return
value.
Signed-off-by: Peter Hutterer <***@who-t.net>
(cherry picked from commit bd5fe7593fd0df236f3b2be1f062166ddba7d67c)
- - - - -
8a59e3b7 by Matthieu Herrb at 2018-10-25T13:18:06Z
Disable -logfile and -modulepath when running with elevated privileges
Could cause privilege elevation and/or arbitrary files overwrite, when
the X server is running with elevated privileges (ie when Xorg is
installed with the setuid bit set and started by a non-root user).
CVE-2018-14665
Issue reported by Narendra Shinde and Red Hat.
Signed-off-by: Matthieu Herrb <***@herrb.eu>
Reviewed-by: Alan Coopersmith <***@oracle.com>
Reviewed-by: Peter Hutterer <***@who-t.net>
Reviewed-by: Adam Jackson <***@redhat.com>
(cherry picked from commit 50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e)
- - - - -
da15c741 by Matthieu Herrb at 2018-10-25T13:18:06Z
LogFilePrep: add a comment to the unsafe format string.
CVE-2018-14665 also made it possible to exploit this to access
memory. With -logfile forbidden when running with elevated privileges
this is no longer an issue.
Signed-off-by: Matthieu Herrb <***@herrb.eu>
Reviewed-by: Adam Jackson <***@redhat.com>
(cherry picked from commit 248d164eae27f1f310266d78e52f13f64362f81e)
- - - - -
971d4181 by Adam Jackson at 2018-10-25T13:18:06Z
xserver 1.20.3
Signed-off-by: Adam Jackson <***@redhat.com>
- - - - -
92afe8a7 by Andreas Boll at 2018-10-25T17:54:47Z
Merge tag 'xorg-server-1.20.3' into debian-unstable
xorg-server-1.20.3
- - - - -
2de2bf45 by Andreas Boll at 2018-10-25T17:55:21Z
Bump changelog
- - - - -
3ae799da by Andreas Boll at 2018-10-25T18:15:04Z
Document CVE-2018-14665
- - - - -
9cad8963 by Andreas Boll at 2018-10-25T18:15:29Z
Upload to unstable.
- - - - -
6 changed files:
- configure.ac
- debian/changelog
- hw/xfree86/common/xf86Init.c
- hw/xfree86/fbdevhw/fbdevhw.c
- meson.build
- os/log.c
Changes:
=====================================
configure.ac
=====================================
@@ -26,9 +26,9 @@ dnl
dnl Process this file with autoconf to create configure.
AC_PREREQ(2.60)
-AC_INIT([xorg-server], 1.20.2, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server)
-RELEASE_DATE="2018-10-15"
-RELEASE_NAME="Tofu Biryani"
+AC_INIT([xorg-server], 1.20.3, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server)
+RELEASE_DATE="2018-10-25"
+RELEASE_NAME="Harissa Roasted Carrots"
AC_CONFIG_SRCDIR([Makefile.am])
AC_CONFIG_MACRO_DIR([m4])
AM_INIT_AUTOMAKE([foreign dist-bzip2])
=====================================
debian/changelog
=====================================
@@ -1,3 +1,11 @@
+xorg-server (2:1.20.3-1) unstable; urgency=medium
+
+ * New upstream release.
+ - Disables -logfile and -modulepath when running with elevated
+ privileges (CVE-2018-14665).
+
+ -- Andreas Boll <***@debian.org> Thu, 25 Oct 2018 20:15:23 +0200
+
xorg-server (2:1.20.2-1) unstable; urgency=medium
* New upstream release.
=====================================
hw/xfree86/common/xf86Init.c
=====================================
@@ -1027,14 +1027,18 @@ ddxProcessArgument(int argc, char **argv, int i)
/* First the options that are not allowed with elevated privileges */
if (!strcmp(argv[i], "-modulepath")) {
CHECK_FOR_REQUIRED_ARGUMENT();
- xf86CheckPrivs(argv[i], argv[i + 1]);
+ if (xf86PrivsElevated())
+ FatalError("\nInvalid argument -modulepath "
+ "with elevated privileges\n");
xf86ModulePath = argv[i + 1];
xf86ModPathFrom = X_CMDLINE;
return 2;
}
if (!strcmp(argv[i], "-logfile")) {
CHECK_FOR_REQUIRED_ARGUMENT();
- xf86CheckPrivs(argv[i], argv[i + 1]);
+ if (xf86PrivsElevated())
+ FatalError("\nInvalid argument -logfile "
+ "with elevated privileges\n");
xf86LogFile = argv[i + 1];
xf86LogFileFrom = X_CMDLINE;
return 2;
=====================================
hw/xfree86/fbdevhw/fbdevhw.c
=====================================
@@ -336,7 +336,7 @@ fbdev_open(int scrnIndex, const char *dev, char **namep)
char *node = strrchr(dev, '/') + 1;
if (asprintf(&sysfs_path, "/sys/class/graphics/%s", node) < 0 ||
- readlink(sysfs_path, buf, sizeof(buf) < 0) ||
+ readlink(sysfs_path, buf, sizeof(buf)) < 0 ||
strstr(buf, "devices/pci")) {
free(sysfs_path);
close(fd);
=====================================
meson.build
=====================================
@@ -3,7 +3,7 @@ project('xserver', 'c',
'buildtype=debugoptimized',
'c_std=gnu99',
],
- version: '1.20.2',
+ version: '1.20.3',
meson_version: '>= 0.42.0',
)
add_project_arguments('-DHAVE_DIX_CONFIG_H', language: 'c')
=====================================
os/log.c
=====================================
@@ -194,6 +194,8 @@ LogFilePrep(const char *fname, const char *backup, const char *idstring)
{
char *logFileName = NULL;
+ /* the format string below is controlled by the user,
+ this code should never be called with elevated privileges */
if (asprintf(&logFileName, fname, idstring) == -1)
FatalError("Cannot allocate space for the log file name\n");
View it on GitLab: https://salsa.debian.org/xorg-team/xserver/xorg-server/compare/9f6be25a5b6b1f10c471778115679432fe940c2d...9cad896318c78554d982f3d59f022c8ad87f7b61
Commits:
cfc3dec0 by Peter Hutterer at 2018-10-16T14:22:05Z
xfree86: fix readlink call
Misplaced parenthesis caused us to compare the sizeof, not the readlink return
value.
Signed-off-by: Peter Hutterer <***@who-t.net>
(cherry picked from commit bd5fe7593fd0df236f3b2be1f062166ddba7d67c)
- - - - -
8a59e3b7 by Matthieu Herrb at 2018-10-25T13:18:06Z
Disable -logfile and -modulepath when running with elevated privileges
Could cause privilege elevation and/or arbitrary files overwrite, when
the X server is running with elevated privileges (ie when Xorg is
installed with the setuid bit set and started by a non-root user).
CVE-2018-14665
Issue reported by Narendra Shinde and Red Hat.
Signed-off-by: Matthieu Herrb <***@herrb.eu>
Reviewed-by: Alan Coopersmith <***@oracle.com>
Reviewed-by: Peter Hutterer <***@who-t.net>
Reviewed-by: Adam Jackson <***@redhat.com>
(cherry picked from commit 50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e)
- - - - -
da15c741 by Matthieu Herrb at 2018-10-25T13:18:06Z
LogFilePrep: add a comment to the unsafe format string.
CVE-2018-14665 also made it possible to exploit this to access
memory. With -logfile forbidden when running with elevated privileges
this is no longer an issue.
Signed-off-by: Matthieu Herrb <***@herrb.eu>
Reviewed-by: Adam Jackson <***@redhat.com>
(cherry picked from commit 248d164eae27f1f310266d78e52f13f64362f81e)
- - - - -
971d4181 by Adam Jackson at 2018-10-25T13:18:06Z
xserver 1.20.3
Signed-off-by: Adam Jackson <***@redhat.com>
- - - - -
92afe8a7 by Andreas Boll at 2018-10-25T17:54:47Z
Merge tag 'xorg-server-1.20.3' into debian-unstable
xorg-server-1.20.3
- - - - -
2de2bf45 by Andreas Boll at 2018-10-25T17:55:21Z
Bump changelog
- - - - -
3ae799da by Andreas Boll at 2018-10-25T18:15:04Z
Document CVE-2018-14665
- - - - -
9cad8963 by Andreas Boll at 2018-10-25T18:15:29Z
Upload to unstable.
- - - - -
6 changed files:
- configure.ac
- debian/changelog
- hw/xfree86/common/xf86Init.c
- hw/xfree86/fbdevhw/fbdevhw.c
- meson.build
- os/log.c
Changes:
=====================================
configure.ac
=====================================
@@ -26,9 +26,9 @@ dnl
dnl Process this file with autoconf to create configure.
AC_PREREQ(2.60)
-AC_INIT([xorg-server], 1.20.2, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server)
-RELEASE_DATE="2018-10-15"
-RELEASE_NAME="Tofu Biryani"
+AC_INIT([xorg-server], 1.20.3, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server)
+RELEASE_DATE="2018-10-25"
+RELEASE_NAME="Harissa Roasted Carrots"
AC_CONFIG_SRCDIR([Makefile.am])
AC_CONFIG_MACRO_DIR([m4])
AM_INIT_AUTOMAKE([foreign dist-bzip2])
=====================================
debian/changelog
=====================================
@@ -1,3 +1,11 @@
+xorg-server (2:1.20.3-1) unstable; urgency=medium
+
+ * New upstream release.
+ - Disables -logfile and -modulepath when running with elevated
+ privileges (CVE-2018-14665).
+
+ -- Andreas Boll <***@debian.org> Thu, 25 Oct 2018 20:15:23 +0200
+
xorg-server (2:1.20.2-1) unstable; urgency=medium
* New upstream release.
=====================================
hw/xfree86/common/xf86Init.c
=====================================
@@ -1027,14 +1027,18 @@ ddxProcessArgument(int argc, char **argv, int i)
/* First the options that are not allowed with elevated privileges */
if (!strcmp(argv[i], "-modulepath")) {
CHECK_FOR_REQUIRED_ARGUMENT();
- xf86CheckPrivs(argv[i], argv[i + 1]);
+ if (xf86PrivsElevated())
+ FatalError("\nInvalid argument -modulepath "
+ "with elevated privileges\n");
xf86ModulePath = argv[i + 1];
xf86ModPathFrom = X_CMDLINE;
return 2;
}
if (!strcmp(argv[i], "-logfile")) {
CHECK_FOR_REQUIRED_ARGUMENT();
- xf86CheckPrivs(argv[i], argv[i + 1]);
+ if (xf86PrivsElevated())
+ FatalError("\nInvalid argument -logfile "
+ "with elevated privileges\n");
xf86LogFile = argv[i + 1];
xf86LogFileFrom = X_CMDLINE;
return 2;
=====================================
hw/xfree86/fbdevhw/fbdevhw.c
=====================================
@@ -336,7 +336,7 @@ fbdev_open(int scrnIndex, const char *dev, char **namep)
char *node = strrchr(dev, '/') + 1;
if (asprintf(&sysfs_path, "/sys/class/graphics/%s", node) < 0 ||
- readlink(sysfs_path, buf, sizeof(buf) < 0) ||
+ readlink(sysfs_path, buf, sizeof(buf)) < 0 ||
strstr(buf, "devices/pci")) {
free(sysfs_path);
close(fd);
=====================================
meson.build
=====================================
@@ -3,7 +3,7 @@ project('xserver', 'c',
'buildtype=debugoptimized',
'c_std=gnu99',
],
- version: '1.20.2',
+ version: '1.20.3',
meson_version: '>= 0.42.0',
)
add_project_arguments('-DHAVE_DIX_CONFIG_H', language: 'c')
=====================================
os/log.c
=====================================
@@ -194,6 +194,8 @@ LogFilePrep(const char *fname, const char *backup, const char *idstring)
{
char *logFileName = NULL;
+ /* the format string below is controlled by the user,
+ this code should never be called with elevated privileges */
if (asprintf(&logFileName, fname, idstring) == -1)
FatalError("Cannot allocate space for the log file name\n");
View it on GitLab: https://salsa.debian.org/xorg-team/xserver/xorg-server/compare/9f6be25a5b6b1f10c471778115679432fe940c2d...9cad896318c78554d982f3d59f022c8ad87f7b61
--
View it on GitLab: https://salsa.debian.org/xorg-team/xserver/xorg-server/compare/9f6be25a5b6b1f10c471778115679432fe940c2d...9cad896318c78554d982f3d59f022c8ad87f7b61
You're receiving this email because of your account on salsa.debian.org.
View it on GitLab: https://salsa.debian.org/xorg-team/xserver/xorg-server/compare/9f6be25a5b6b1f10c471778115679432fe940c2d...9cad896318c78554d982f3d59f022c8ad87f7b61
You're receiving this email because of your account on salsa.debian.org.