Julien Cristau
2018-10-25 16:42:08 UTC
Julien Cristau pushed to branch debian-stretch at X Strike Force / xserver / xorg-server
Commits:
c921b1f2 by Julien Cristau at 2018-10-15T14:17:59Z
Disable -logfile when running with elevated privileges. Addresses CVE-2018-14665.
- - - - -
6d61e16a by Julien Cristau at 2018-10-25T09:22:17Z
Disable -logfile and -modulepath when running with elevated privileges.
- - - - -
5 changed files:
- debian/changelog
- debian/patches/02_kbsd-input-devd.diff
- debian/patches/03_static-nettle.diff
- + debian/patches/11_xfree86-Disable-logfile-and-modulepath.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,10 @@
+xorg-server (2:1.19.2-1+deb9u4) stretch-security; urgency=medium
+
+ * Disable -logfile and -modulepath when running with elevated privileges.
+ Addresses CVE-2018-14665.
+
+ -- Julien Cristau <***@debian.org> Thu, 25 Oct 2018 11:19:09 +0200
+
xorg-server (2:1.19.2-1+deb9u2) stretch-security; urgency=high
* Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)
=====================================
debian/patches/02_kbsd-input-devd.diff
=====================================
@@ -25,7 +25,7 @@ v2 - Emilio Pozuelo Monfort <***@debian.org>
--- a/config/Makefile.am
+++ b/config/Makefile.am
-@@ -34,6 +34,10 @@
+@@ -34,6 +34,10 @@ if CONFIG_WSCONS
libconfig_la_SOURCES += wscons.c
endif # CONFIG_WSCONS
@@ -38,7 +38,7 @@ v2 - Emilio Pozuelo Monfort <***@debian.org>
endif # !CONFIG_UDEV
--- a/config/config-backends.h
+++ b/config/config-backends.h
-@@ -44,3 +44,8 @@
+@@ -44,3 +44,8 @@ void config_hal_fini(void);
int config_wscons_init(void);
void config_wscons_fini(void);
#endif
@@ -49,7 +49,7 @@ v2 - Emilio Pozuelo Monfort <***@debian.org>
+#endif
--- a/config/config.c
+++ b/config/config.c
-@@ -55,6 +55,9 @@
+@@ -55,6 +55,9 @@ config_init(void)
#elif defined(CONFIG_WSCONS)
if (!config_wscons_init())
ErrorF("[config] failed to initialise wscons\n");
@@ -59,7 +59,7 @@ v2 - Emilio Pozuelo Monfort <***@debian.org>
#endif
}
-@@ -67,6 +70,8 @@
+@@ -67,6 +70,8 @@ config_fini(void)
config_hal_fini();
#elif defined(CONFIG_WSCONS)
config_wscons_fini();
@@ -448,7 +448,7 @@ v2 - Emilio Pozuelo Monfort <***@debian.org>
+}
--- a/configure.ac
+++ b/configure.ac
-@@ -627,6 +627,7 @@
+@@ -631,6 +631,7 @@ AC_ARG_ENABLE(dpms, AS_HELP_ST
AC_ARG_ENABLE(config-udev, AS_HELP_STRING([--enable-config-udev], [Build udev support (default: auto)]), [CONFIG_UDEV=$enableval], [CONFIG_UDEV=auto])
AC_ARG_ENABLE(config-udev-kms, AS_HELP_STRING([--enable-config-udev-kms], [Build udev kms support (default: auto)]), [CONFIG_UDEV_KMS=$enableval], [CONFIG_UDEV_KMS=auto])
AC_ARG_ENABLE(config-hal, AS_HELP_STRING([--disable-config-hal], [Build HAL support (default: auto)]), [CONFIG_HAL=$enableval], [CONFIG_HAL=auto])
@@ -456,7 +456,7 @@ v2 - Emilio Pozuelo Monfort <***@debian.org>
AC_ARG_ENABLE(config-wscons, AS_HELP_STRING([--enable-config-wscons], [Build wscons config support (default: auto)]), [CONFIG_WSCONS=$enableval], [CONFIG_WSCONS=auto])
AC_ARG_ENABLE(xfree86-utils, AS_HELP_STRING([--enable-xfree86-utils], [Build xfree86 DDX utilities (default: enabled)]), [XF86UTILS=$enableval], [XF86UTILS=yes])
AC_ARG_ENABLE(vgahw, AS_HELP_STRING([--enable-vgahw], [Build Xorg with vga access (default: enabled)]), [VGAHW=$enableval], [VGAHW=yes])
-@@ -1017,6 +1018,21 @@
+@@ -1021,6 +1022,21 @@ if test "x$CONFIG_WSCONS" = xyes; then
AC_DEFINE(CONFIG_WSCONS, 1, [Use wscons for input auto configuration])
fi
@@ -478,7 +478,7 @@ v2 - Emilio Pozuelo Monfort <***@debian.org>
AC_MSG_CHECKING([for glibc...])
AC_PREPROC_IFELSE([AC_LANG_SOURCE([
-@@ -2566,7 +2582,7 @@
+@@ -2570,7 +2586,7 @@ AC_SUBST([prefix])
AC_CONFIG_COMMANDS([sdksyms], [touch hw/xfree86/sdksyms.dep])
@@ -489,7 +489,7 @@ v2 - Emilio Pozuelo Monfort <***@debian.org>
Neither HAL nor udev backend will be enabled.
--- a/hw/xfree86/common/xf86Config.c
+++ b/hw/xfree86/common/xf86Config.c
-@@ -1375,15 +1375,18 @@
+@@ -1375,15 +1375,18 @@ checkCoreInputDevices(serverLayoutPtr se
}
if (!xf86Info.forceInputDevices && !(foundPointer && foundKeyboard)) {
@@ -512,7 +512,7 @@ v2 - Emilio Pozuelo Monfort <***@debian.org>
"input devices.\n\tIf no devices become available, "
--- a/hw/xfree86/common/xf86Globals.c
+++ b/hw/xfree86/common/xf86Globals.c
-@@ -122,7 +122,8 @@
+@@ -122,7 +122,8 @@ xf86InfoRec xf86Info = {
.pmFlag = TRUE,
.disableRandR = FALSE,
.randRFrom = X_DEFAULT,
@@ -524,7 +524,7 @@ v2 - Emilio Pozuelo Monfort <***@debian.org>
.autoEnableDevices = TRUE,
--- a/include/dix-config.h.in
+++ b/include/dix-config.h.in
-@@ -445,6 +445,9 @@
+@@ -454,6 +454,9 @@
/* Enable systemd-logind integration */
#undef SYSTEMD_LOGIND 1
=====================================
debian/patches/03_static-nettle.diff
=====================================
@@ -4,7 +4,7 @@ There's no libnettle udeb.
--- a/configure.ac
+++ b/configure.ac
-@@ -1725,7 +1725,7 @@ fi
+@@ -1695,7 +1695,7 @@ fi
if test "x$with_sha1" = xlibnettle; then
AC_DEFINE([HAVE_SHA1_IN_LIBNETTLE], [1],
[Use libnettle SHA1 functions])
=====================================
debian/patches/11_xfree86-Disable-logfile-and-modulepath.patch
=====================================
@@ -0,0 +1,39 @@
+From: Matthieu Herrb <***@herrb.eu>
+Date: Tue, 23 Oct 2018 21:29:08 +0200
+Subject: [PATCH xserver] Disable -logfile and -modulepath when running with elevated privileges.
+
+Could cause privilege elevation and/or arbitrary files overwrite, when
+the X server is running with elevated privileges (ie when Xorg is
+installed with the setuid bit set and started by a non-root user).
+
+CVE-2018-14665
+
+Issue reported by Narendra Shinde and Red Hat.
+
+Signed-off-by: Matthieu Herrb <***@herrb.eu>
+Reviewed-by: Alan Coopersmith <***@oracle.com>
+Reviewed-by: Peter Hutterer <***@who-t.net>
+
+--- xorg-server.orig/hw/xfree86/common/xf86Init.c
++++ xorg-server/hw/xfree86/common/xf86Init.c
+@@ -1134,14 +1134,18 @@ ddxProcessArgument(int argc, char **argv
+ /* First the options that are not allowed with elevated privileges */
+ if (!strcmp(argv[i], "-modulepath")) {
+ CHECK_FOR_REQUIRED_ARGUMENT();
+- xf86CheckPrivs(argv[i], argv[i + 1]);
++ if (xf86PrivsElevated())
++ FatalError("\nInvalid argument -modulepath "
++ "with elevated privileges\n");
+ xf86ModulePath = argv[i + 1];
+ xf86ModPathFrom = X_CMDLINE;
+ return 2;
+ }
+ if (!strcmp(argv[i], "-logfile")) {
+ CHECK_FOR_REQUIRED_ARGUMENT();
+- xf86CheckPrivs(argv[i], argv[i + 1]);
++ if (xf86PrivsElevated())
++ FatalError("\nInvalid argument -logfile "
++ "with elevated privileges\n");
+ xf86LogFile = argv[i + 1];
+ xf86LogFileFrom = X_CMDLINE;
+ return 2;
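Review bot: Both new guards drop the only two calls to `xf86CheckPrivs` visible in this hunk, so if that helper is file-local in xf86Init.c (its definition is outside the hunk) it is now unreferenced and will trip -Wunused-function on a warnings-as-errors build; it should be removed or repurposed rather than left dead. The two replacement blocks are also the same three lines with only the option name changed, and that name is typed a second time inside the FatalError string, separately from the `strcmp` literal, so the message can drift from the option it actually guards. Folding the check into one helper that takes `argv[i]` keeps a single privilege test and a single message, as sketched below; the placement before the `xf86ModulePath`/`xf86LogFile` assignments is correct and should stay. ddxProcessArgument starts and ends outside the hunk.
```c
/* Refuse an option outright when the server runs with elevated privileges. */
static void
xf86CheckPrivs(const char *option)
{
    if (xf86PrivsElevated())
        FatalError("\nInvalid argument %s with elevated privileges\n", option);
}

/* … unchanged: ddxProcessArgument up to the privileged-option block … */
    if (!strcmp(argv[i], "-modulepath")) {
        CHECK_FOR_REQUIRED_ARGUMENT();
        xf86CheckPrivs(argv[i]);
        /* … unchanged: xf86ModulePath / xf86ModPathFrom assignment, return 2 … */
    }
    if (!strcmp(argv[i], "-logfile")) {
        CHECK_FOR_REQUIRED_ARGUMENT();
        xf86CheckPrivs(argv[i]);
        /* … unchanged: xf86LogFile / xf86LogFileFrom assignment, return 2 … */
```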
=====================================
debian/patches/series
=====================================
@@ -9,3 +9,4 @@
08_Xi-Verify-all-events-in-ProcXSendExtensionEvent.patch
09_Xi-Do-not-try-to-swap-GenericEvent.patch
10_Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch
+11_xfree86-Disable-logfile-and-modulepath.patch
Commits:
c921b1f2 by Julien Cristau at 2018-10-15T14:17:59Z
Disable -logfile when running with elevated privileges. Addresses CVE-2018-14665.
- - - - -
6d61e16a by Julien Cristau at 2018-10-25T09:22:17Z
Disable -logfile and -modulepath when running with elevated privileges.
- - - - -
5 changed files:
- debian/changelog
- debian/patches/02_kbsd-input-devd.diff
- debian/patches/03_static-nettle.diff
- + debian/patches/11_xfree86-Disable-logfile-and-modulepath.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,10 @@
+xorg-server (2:1.19.2-1+deb9u4) stretch-security; urgency=medium
+
+ * Disable -logfile and -modulepath when running with elevated privileges.
+ Addresses CVE-2018-14665.
+
+ -- Julien Cristau <***@debian.org> Thu, 25 Oct 2018 11:19:09 +0200
+
xorg-server (2:1.19.2-1+deb9u2) stretch-security; urgency=high
* Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)
=====================================
debian/patches/02_kbsd-input-devd.diff
=====================================
@@ -25,7 +25,7 @@ v2 - Emilio Pozuelo Monfort <***@debian.org>
--- a/config/Makefile.am
+++ b/config/Makefile.am
-@@ -34,6 +34,10 @@
+@@ -34,6 +34,10 @@ if CONFIG_WSCONS
libconfig_la_SOURCES += wscons.c
endif # CONFIG_WSCONS
@@ -38,7 +38,7 @@ v2 - Emilio Pozuelo Monfort <***@debian.org>
endif # !CONFIG_UDEV
--- a/config/config-backends.h
+++ b/config/config-backends.h
-@@ -44,3 +44,8 @@
+@@ -44,3 +44,8 @@ void config_hal_fini(void);
int config_wscons_init(void);
void config_wscons_fini(void);
#endif
@@ -49,7 +49,7 @@ v2 - Emilio Pozuelo Monfort <***@debian.org>
+#endif
--- a/config/config.c
+++ b/config/config.c
-@@ -55,6 +55,9 @@
+@@ -55,6 +55,9 @@ config_init(void)
#elif defined(CONFIG_WSCONS)
if (!config_wscons_init())
ErrorF("[config] failed to initialise wscons\n");
@@ -59,7 +59,7 @@ v2 - Emilio Pozuelo Monfort <***@debian.org>
#endif
}
-@@ -67,6 +70,8 @@
+@@ -67,6 +70,8 @@ config_fini(void)
config_hal_fini();
#elif defined(CONFIG_WSCONS)
config_wscons_fini();
@@ -448,7 +448,7 @@ v2 - Emilio Pozuelo Monfort <***@debian.org>
+}
--- a/configure.ac
+++ b/configure.ac
-@@ -627,6 +627,7 @@
+@@ -631,6 +631,7 @@ AC_ARG_ENABLE(dpms, AS_HELP_ST
AC_ARG_ENABLE(config-udev, AS_HELP_STRING([--enable-config-udev], [Build udev support (default: auto)]), [CONFIG_UDEV=$enableval], [CONFIG_UDEV=auto])
AC_ARG_ENABLE(config-udev-kms, AS_HELP_STRING([--enable-config-udev-kms], [Build udev kms support (default: auto)]), [CONFIG_UDEV_KMS=$enableval], [CONFIG_UDEV_KMS=auto])
AC_ARG_ENABLE(config-hal, AS_HELP_STRING([--disable-config-hal], [Build HAL support (default: auto)]), [CONFIG_HAL=$enableval], [CONFIG_HAL=auto])
@@ -456,7 +456,7 @@ v2 - Emilio Pozuelo Monfort <***@debian.org>
AC_ARG_ENABLE(config-wscons, AS_HELP_STRING([--enable-config-wscons], [Build wscons config support (default: auto)]), [CONFIG_WSCONS=$enableval], [CONFIG_WSCONS=auto])
AC_ARG_ENABLE(xfree86-utils, AS_HELP_STRING([--enable-xfree86-utils], [Build xfree86 DDX utilities (default: enabled)]), [XF86UTILS=$enableval], [XF86UTILS=yes])
AC_ARG_ENABLE(vgahw, AS_HELP_STRING([--enable-vgahw], [Build Xorg with vga access (default: enabled)]), [VGAHW=$enableval], [VGAHW=yes])
-@@ -1017,6 +1018,21 @@
+@@ -1021,6 +1022,21 @@ if test "x$CONFIG_WSCONS" = xyes; then
AC_DEFINE(CONFIG_WSCONS, 1, [Use wscons for input auto configuration])
fi
@@ -478,7 +478,7 @@ v2 - Emilio Pozuelo Monfort <***@debian.org>
AC_MSG_CHECKING([for glibc...])
AC_PREPROC_IFELSE([AC_LANG_SOURCE([
-@@ -2566,7 +2582,7 @@
+@@ -2570,7 +2586,7 @@ AC_SUBST([prefix])
AC_CONFIG_COMMANDS([sdksyms], [touch hw/xfree86/sdksyms.dep])
@@ -489,7 +489,7 @@ v2 - Emilio Pozuelo Monfort <***@debian.org>
Neither HAL nor udev backend will be enabled.
--- a/hw/xfree86/common/xf86Config.c
+++ b/hw/xfree86/common/xf86Config.c
-@@ -1375,15 +1375,18 @@
+@@ -1375,15 +1375,18 @@ checkCoreInputDevices(serverLayoutPtr se
}
if (!xf86Info.forceInputDevices && !(foundPointer && foundKeyboard)) {
@@ -512,7 +512,7 @@ v2 - Emilio Pozuelo Monfort <***@debian.org>
"input devices.\n\tIf no devices become available, "
--- a/hw/xfree86/common/xf86Globals.c
+++ b/hw/xfree86/common/xf86Globals.c
-@@ -122,7 +122,8 @@
+@@ -122,7 +122,8 @@ xf86InfoRec xf86Info = {
.pmFlag = TRUE,
.disableRandR = FALSE,
.randRFrom = X_DEFAULT,
@@ -524,7 +524,7 @@ v2 - Emilio Pozuelo Monfort <***@debian.org>
.autoEnableDevices = TRUE,
--- a/include/dix-config.h.in
+++ b/include/dix-config.h.in
-@@ -445,6 +445,9 @@
+@@ -454,6 +454,9 @@
/* Enable systemd-logind integration */
#undef SYSTEMD_LOGIND 1
=====================================
debian/patches/03_static-nettle.diff
=====================================
@@ -4,7 +4,7 @@ There's no libnettle udeb.
--- a/configure.ac
+++ b/configure.ac
-@@ -1725,7 +1725,7 @@ fi
+@@ -1695,7 +1695,7 @@ fi
if test "x$with_sha1" = xlibnettle; then
AC_DEFINE([HAVE_SHA1_IN_LIBNETTLE], [1],
[Use libnettle SHA1 functions])
=====================================
debian/patches/11_xfree86-Disable-logfile-and-modulepath.patch
=====================================
@@ -0,0 +1,39 @@
+From: Matthieu Herrb <***@herrb.eu>
+Date: Tue, 23 Oct 2018 21:29:08 +0200
+Subject: [PATCH xserver] Disable -logfile and -modulepath when running with elevated privileges.
+
+Could cause privilege elevation and/or arbitrary files overwrite, when
+the X server is running with elevated privileges (ie when Xorg is
+installed with the setuid bit set and started by a non-root user).
+
+CVE-2018-14665
+
+Issue reported by Narendra Shinde and Red Hat.
+
+Signed-off-by: Matthieu Herrb <***@herrb.eu>
+Reviewed-by: Alan Coopersmith <***@oracle.com>
+Reviewed-by: Peter Hutterer <***@who-t.net>
+
+--- xorg-server.orig/hw/xfree86/common/xf86Init.c
++++ xorg-server/hw/xfree86/common/xf86Init.c
+@@ -1134,14 +1134,18 @@ ddxProcessArgument(int argc, char **argv
+ /* First the options that are not allowed with elevated privileges */
+ if (!strcmp(argv[i], "-modulepath")) {
+ CHECK_FOR_REQUIRED_ARGUMENT();
+- xf86CheckPrivs(argv[i], argv[i + 1]);
++ if (xf86PrivsElevated())
++ FatalError("\nInvalid argument -modulepath "
++ "with elevated privileges\n");
+ xf86ModulePath = argv[i + 1];
+ xf86ModPathFrom = X_CMDLINE;
+ return 2;
+ }
+ if (!strcmp(argv[i], "-logfile")) {
+ CHECK_FOR_REQUIRED_ARGUMENT();
+- xf86CheckPrivs(argv[i], argv[i + 1]);
++ if (xf86PrivsElevated())
++ FatalError("\nInvalid argument -logfile "
++ "with elevated privileges\n");
+ xf86LogFile = argv[i + 1];
+ xf86LogFileFrom = X_CMDLINE;
+ return 2;
=====================================
debian/patches/series
=====================================
@@ -9,3 +9,4 @@
08_Xi-Verify-all-events-in-ProcXSendExtensionEvent.patch
09_Xi-Do-not-try-to-swap-GenericEvent.patch
10_Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch
+11_xfree86-Disable-logfile-and-modulepath.patch