Julien Cristau pushed to branch debian-stretch at X Strike Force / xserver / xorg-server
Commits:
-
c921b1f2
by Julien Cristau at 2018-10-15T14:17:59Z
-
6d61e16a
by Julien Cristau at 2018-10-25T09:22:17Z
5 changed files:
- debian/changelog
- debian/patches/02_kbsd-input-devd.diff
- debian/patches/03_static-nettle.diff
- + debian/patches/11_xfree86-Disable-logfile-and-modulepath.patch
- debian/patches/series
Changes:
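--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+xorg-server (2:1.19.2-1+deb9u4) stretch-security; urgency=medium
+
+ * Disable -logfile and -modulepath when running with elevated privileges.
+ Addresses CVE-2018-14665.
+
+ -- Julien Cristau <jcristau@debian.org> Thu, 25 Oct 2018 11:19:09 +0200
+
 xorg-server (2:1.19.2-1+deb9u2) stretch-security; urgency=high
 
 * Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)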
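--- a/debian/patches/02_kbsd-input-devd.diff
+++ b/debian/patches/02_kbsd-input-devd.diff
@@ -25,7 +25,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org>
 
 --- a/config/Makefile.am
 +++ b/config/Makefile.am
-@@ -34,6 +34,10 @@
+@@ -34,6 +34,10 @@ if CONFIG_WSCONS
 libconfig_la_SOURCES += wscons.c
 endif # CONFIG_WSCONS
 
@@ -38,7 +38,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org>
 endif # !CONFIG_UDEV
 --- a/config/config-backends.h
 +++ b/config/config-backends.h
-@@ -44,3 +44,8 @@
+@@ -44,3 +44,8 @@ void config_hal_fini(void);
 int config_wscons_init(void);
 void config_wscons_fini(void);
 #endif
@@ -49,7 +49,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org>
 +#endif
 --- a/config/config.c
 +++ b/config/config.c
-@@ -55,6 +55,9 @@
+@@ -55,6 +55,9 @@ config_init(void)
 #elif defined(CONFIG_WSCONS)
 if (!config_wscons_init())
 ErrorF("[config] failed to initialise wscons\n");
@@ -59,7 +59,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org>
 #endif
 }
 
-@@ -67,6 +70,8 @@
+@@ -67,6 +70,8 @@ config_fini(void)
 config_hal_fini();
 #elif defined(CONFIG_WSCONS)
 config_wscons_fini();
@@ -448,7 +448,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org>
 +}
 --- a/configure.ac
 +++ b/configure.ac
-@@ -627,6 +627,7 @@
+@@ -631,6 +631,7 @@ AC_ARG_ENABLE(dpms, AS_HELP_ST
 AC_ARG_ENABLE(config-udev, AS_HELP_STRING([--enable-config-udev], [Build udev support (default: auto)]), [CONFIG_UDEV=$enableval], [CONFIG_UDEV=auto])
 AC_ARG_ENABLE(config-udev-kms, AS_HELP_STRING([--enable-config-udev-kms], [Build udev kms support (default: auto)]), [CONFIG_UDEV_KMS=$enableval], [CONFIG_UDEV_KMS=auto])
 AC_ARG_ENABLE(config-hal, AS_HELP_STRING([--disable-config-hal], [Build HAL support (default: auto)]), [CONFIG_HAL=$enableval], [CONFIG_HAL=auto])
@@ -456,7 +456,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org>
 AC_ARG_ENABLE(config-wscons, AS_HELP_STRING([--enable-config-wscons], [Build wscons config support (default: auto)]), [CONFIG_WSCONS=$enableval], [CONFIG_WSCONS=auto])
 AC_ARG_ENABLE(xfree86-utils, AS_HELP_STRING([--enable-xfree86-utils], [Build xfree86 DDX utilities (default: enabled)]), [XF86UTILS=$enableval], [XF86UTILS=yes])
 AC_ARG_ENABLE(vgahw, AS_HELP_STRING([--enable-vgahw], [Build Xorg with vga access (default: enabled)]), [VGAHW=$enableval], [VGAHW=yes])
-@@ -1017,6 +1018,21 @@
+@@ -1021,6 +1022,21 @@ if test "x$CONFIG_WSCONS" = xyes; then
 AC_DEFINE(CONFIG_WSCONS, 1, [Use wscons for input auto configuration])
 fi
 
@@ -478,7 +478,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org>
 
 AC_MSG_CHECKING([for glibc...])
 AC_PREPROC_IFELSE([AC_LANG_SOURCE([
-@@ -2566,7 +2582,7 @@
+@@ -2570,7 +2586,7 @@ AC_SUBST([prefix])
 
 AC_CONFIG_COMMANDS([sdksyms], [touch hw/xfree86/sdksyms.dep])
 
@@ -489,7 +489,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org>
 Neither HAL nor udev backend will be enabled.
 --- a/hw/xfree86/common/xf86Config.c
 +++ b/hw/xfree86/common/xf86Config.c
-@@ -1375,15 +1375,18 @@
+@@ -1375,15 +1375,18 @@ checkCoreInputDevices(serverLayoutPtr se
 }
 
 if (!xf86Info.forceInputDevices && !(foundPointer && foundKeyboard)) {
@@ -512,7 +512,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org>
 "input devices.\n\tIf no devices become available, "
 --- a/hw/xfree86/common/xf86Globals.c
 +++ b/hw/xfree86/common/xf86Globals.c
-@@ -122,7 +122,8 @@
+@@ -122,7 +122,8 @@ xf86InfoRec xf86Info = {
 .pmFlag = TRUE,
 .disableRandR = FALSE,
 .randRFrom = X_DEFAULT,
@@ -524,7 +524,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org>
 .autoEnableDevices = TRUE,
 --- a/include/dix-config.h.in
 +++ b/include/dix-config.h.in
-@@ -445,6 +445,9 @@
+@@ -454,6 +454,9 @@
 /* Enable systemd-logind integration */
 #undef SYSTEMD_LOGIND 1
 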
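--- a/debian/patches/03_static-nettle.diff
+++ b/debian/patches/03_static-nettle.diff
@@ -4,7 +4,7 @@ There's no libnettle udeb.
 
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1725,7 +1725,7 @@ fi
+@@ -1695,7 +1695,7 @@ fi
 if test "x$with_sha1" = xlibnettle; then
 AC_DEFINE([HAVE_SHA1_IN_LIBNETTLE], [1],
 [Use libnettle SHA1 functions])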
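--- /dev/null
+++ b/debian/patches/11_xfree86-Disable-logfile-and-modulepath.patch
@@ -0,0 +1,39 @@
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 23 Oct 2018 21:29:08 +0200
+Subject: [PATCH xserver] Disable -logfile and -modulepath when running with elevated privileges.
+
+Could cause privilege elevation and/or arbitrary files overwrite, when
+the X server is running with elevated privileges (ie when Xorg is
+installed with the setuid bit set and started by a non-root user).
+
+CVE-2018-14665
+
+Issue reported by Narendra Shinde and Red Hat.
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+--- xorg-server.orig/hw/xfree86/common/xf86Init.c
++++ xorg-server/hw/xfree86/common/xf86Init.c
+@@ -1134,14 +1134,18 @@ ddxProcessArgument(int argc, char **argv
+ /* First the options that are not allowed with elevated privileges */
+ if (!strcmp(argv[i], "-modulepath")) {
+ CHECK_FOR_REQUIRED_ARGUMENT();
+- xf86CheckPrivs(argv[i], argv[i + 1]);
++ if (xf86PrivsElevated())
++ FatalError("\nInvalid argument -modulepath "
++ "with elevated privileges\n");
+ xf86ModulePath = argv[i + 1];
+ xf86ModPathFrom = X_CMDLINE;
+ return 2;
+ }
+ if (!strcmp(argv[i], "-logfile")) {
+ CHECK_FOR_REQUIRED_ARGUMENT();
+- xf86CheckPrivs(argv[i], argv[i + 1]);
++ if (xf86PrivsElevated())
++ FatalError("\nInvalid argument -logfile "
++ "with elevated privileges\n");
+ xf86LogFile = argv[i + 1];
+ xf86LogFileFrom = X_CMDLINE;
+ return 2;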
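--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@
 08_Xi-Verify-all-events-in-ProcXSendExtensionEvent.patch
 09_Xi-Do-not-try-to-swap-GenericEvent.patch
 10_Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch
+11_xfree86-Disable-logfile-and-modulepath.patch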