X Strike Force X.Org X11 SVN commit: r2370 - in trunk/xserver/xorg-server-1.0.2/debian: . patches
Author: dnusinow
Date: 2006-07-01 17:21:28 -0400 (Sat, 01 Jul 2006)
New Revision: 2370
Added:
trunk/xserver/xorg-server-1.0.2/debian/patches/16_SECURITY_setuid.diff
Modified:
trunk/xserver/xorg-server-1.0.2/debian/changelog
trunk/xserver/xorg-server-1.0.2/debian/patches/series
Log:
* Security update. Fix for setuid privledge escalation vulernabilities.
See http://lists.freedesktop.org/archives/xorg/2006-June/016146.html for
the full advisory.
Modified: trunk/xserver/xorg-server-1.0.2/debian/changelog
===================================================================
--- trunk/xserver/xorg-server-1.0.2/debian/changelog 2006-07-01 21:05:40 UTC (rev 2369)
+++ trunk/xserver/xorg-server-1.0.2/debian/changelog 2006-07-01 21:21:28 UTC (rev 2370)
@@ -1,4 +1,4 @@
-xorg-server (1:1.0.2-9) UNRELEASED; urgency=low
+xorg-server (1:1.0.2-9) UNRELEASED; urgency=high
[ Denis Barbier ]
* Fix 13_debian_add_xkbpath_env_variable.diff, XKBPATH environment
@@ -8,8 +8,11 @@
* Remove two Ubuntu packaging holdovers. Have xvfb recommend xbase-clients
rather than xauth, and have xserver-xorg-core recommend xkb-data rather
than xkeyboard-config. Thanks Sterling MacNay.
+ * Security update. Fix for setuid privledge escalation vulernabilities.
+ See http://lists.freedesktop.org/archives/xorg/2006-June/016146.html for
+ the full advisory.
- -- David Nusinow <dnusinow@debian.org> Wed, 7 Jun 2006 00:41:31 -0400
+ -- David Nusinow <dnusinow@debian.org> Sat, 1 Jul 2006 17:20:45 -0400
xorg-server (1:1.0.2-8) unstable; urgency=low
Added: trunk/xserver/xorg-server-1.0.2/debian/patches/16_SECURITY_setuid.diff
===================================================================
--- trunk/xserver/xorg-server-1.0.2/debian/patches/16_SECURITY_setuid.diff 2006-07-01 21:05:40 UTC (rev 2369)
+++ trunk/xserver/xorg-server-1.0.2/debian/patches/16_SECURITY_setuid.diff 2006-07-01 21:21:28 UTC (rev 2370)
@@ -0,0 +1,92 @@
+Index: xorg-server-1.0.2/hw/xfree86/common/xf86Init.c
+===================================================================
+--- xorg-server-1.0.2.orig/hw/xfree86/common/xf86Init.c 2006-04-11 21:13:59.000000000 -0400
++++ xorg-server-1.0.2/hw/xfree86/common/xf86Init.c 2006-07-01 17:18:50.000000000 -0400
+@@ -1905,7 +1905,11 @@
+ FatalError("xf86RunVtInit: fork failed (%s)\n", strerror(errno));
+ break;
+ case 0: /* child */
+- setuid(getuid());
++ if (setuid(getuid()) == -1) {
++ xf86Msg(X_ERROR, "xf86RunVtInit: setuid failed (%s)\n",
++ strerror(errno));
++ exit(255);
++ }
+ /* set stdin, stdout to the consoleFd */
+ for (i = 0; i < 2; i++) {
+ if (xf86Info.consoleFd != i) {
+Index: xorg-server-1.0.2/hw/xfree86/os-support/shared/libc_wrapper.c
+===================================================================
+--- xorg-server-1.0.2.orig/hw/xfree86/os-support/shared/libc_wrapper.c 2006-04-11 21:13:34.000000000 -0400
++++ xorg-server-1.0.2/hw/xfree86/os-support/shared/libc_wrapper.c 2006-07-01 17:18:50.000000000 -0400
+@@ -1270,7 +1270,10 @@
+ #ifndef SELF_CONTAINED_WRAPPER
+ xf86DisableIO();
+ #endif
+- setuid(getuid());
++ if (setuid(getuid()) == -1) {
++ ErrorF("xf86Execl: setuid() failed: %s\n", strerror(errno));
++ exit(255);
++ }
+ #if !defined(SELF_CONTAINED_WRAPPER)
+ /* set stdin, stdout to the consoleFD, and leave stderr alone */
+ for (i = 0; i < 2; i++)
+Index: xorg-server-1.0.2/hw/xfree86/parser/write.c
+===================================================================
+--- xorg-server-1.0.2.orig/hw/xfree86/parser/write.c 2006-04-11 21:14:00.000000000 -0400
++++ xorg-server-1.0.2/hw/xfree86/parser/write.c 2006-07-01 17:18:50.000000000 -0400
+@@ -170,7 +170,10 @@
+ strerror(errno));
+ return 0;
+ case 0: /* child */
+- setuid(getuid());
++ if (setuid(getuid() == -1)
++ FatalError("xf86writeConfigFile(): "
++ "setuid failed(%s)\n",
++ strerror(errno));
+ ret = doWriteConfigFile(filename, cptr);
+ exit(ret);
+ break;
+Index: xorg-server-1.0.2/os/utils.c
+===================================================================
+--- xorg-server-1.0.2.orig/os/utils.c 2006-07-01 17:16:13.000000000 -0400
++++ xorg-server-1.0.2/os/utils.c 2006-07-01 17:18:50.000000000 -0400
+@@ -1719,8 +1719,10 @@
+ case -1: /* error */
+ p = -1;
+ case 0: /* child */
+- setgid(getgid());
+- setuid(getuid());
++ if (setgid(getgid()) == -1)
++ _exit(127);
++ if (setuid(getuid()) == -1)
++ _exit(127);
+ execl("/bin/sh", "sh", "-c", command, (char *)NULL);
+ _exit(127);
+ default: /* parent */
+@@ -1771,8 +1773,10 @@
+ xfree(cur);
+ return NULL;
+ case 0: /* child */
+- setgid(getgid());
+- setuid(getuid());
++ if (setgid(getgid()) == -1)
++ _exit(127);
++ if (setuid(getuid()) == -1)
++ _exit(127);
+ if (*type == 'r') {
+ if (pdes[1] != 1) {
+ /* stdout */
+@@ -1846,8 +1850,10 @@
+ xfree(cur);
+ return NULL;
+ case 0: /* child */
+- setgid(getgid());
+- setuid(getuid());
++ if (setgid(getgid()) == -1)
++ _exit(127);
++ if (setuid(getuid()) == -1)
++ _exit(127);
+ if (*type == 'r') {
+ if (pdes[1] != 1) {
+ /* stdout */
Modified: trunk/xserver/xorg-server-1.0.2/debian/patches/series
===================================================================
--- trunk/xserver/xorg-server-1.0.2/debian/patches/series 2006-07-01 21:05:40 UTC (rev 2369)
+++ trunk/xserver/xorg-server-1.0.2/debian/patches/series 2006-07-01 21:21:28 UTC (rev 2370)
@@ -13,3 +13,4 @@
13_debian_add_xkbpath_env_variable.diff
14_debian_always_look_in_our_module_path.diff
15_security_allocate_local.diff
+16_SECURITY_setuid.diff
Reply to: