
[Git][xorg-team/xserver/xorg-server][debian-stretch] 2 commits: Disable -logfile when running with elevated privileges. Addresses CVE-2018-14665.




Julien Cristau pushed to branch debian-stretch at X Strike Force / xserver / xorg-server

Commits:

5 changed files:

Changes:

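--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+xorg-server (2:1.19.2-1+deb9u4) stretch-security; urgency=medium
+
+  * Disable -logfile and -modulepath when running with elevated privileges.
+    Addresses CVE-2018-14665.
+
+ -- Julien Cristau <jcristau@debian.org>  Thu, 25 Oct 2018 11:19:09 +0200
+
 xorg-server (2:1.19.2-1+deb9u2) stretch-security; urgency=high
 
   * Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)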

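--- a/debian/patches/02_kbsd-input-devd.diff
+++ b/debian/patches/02_kbsd-input-devd.diff
@@ -25,7 +25,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org>
 
 --- a/config/Makefile.am
 +++ b/config/Makefile.am
-@@ -34,6 +34,10 @@
+@@ -34,6 +34,10 @@ if CONFIG_WSCONS
  libconfig_la_SOURCES += wscons.c
  endif # CONFIG_WSCONS
  
@@ -38,7 +38,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org>
  endif # !CONFIG_UDEV
 --- a/config/config-backends.h
 +++ b/config/config-backends.h
-@@ -44,3 +44,8 @@
+@@ -44,3 +44,8 @@ void config_hal_fini(void);
  int config_wscons_init(void);
  void config_wscons_fini(void);
  #endif
@@ -49,7 +49,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org>
 +#endif
 --- a/config/config.c
 +++ b/config/config.c
-@@ -55,6 +55,9 @@
+@@ -55,6 +55,9 @@ config_init(void)
  #elif defined(CONFIG_WSCONS)
      if (!config_wscons_init())
          ErrorF("[config] failed to initialise wscons\n");
@@ -59,7 +59,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org>
  #endif
  }
  
-@@ -67,6 +70,8 @@
+@@ -67,6 +70,8 @@ config_fini(void)
      config_hal_fini();
  #elif defined(CONFIG_WSCONS)
      config_wscons_fini();
@@ -448,7 +448,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org>
 +}
 --- a/configure.ac
 +++ b/configure.ac
-@@ -627,6 +627,7 @@
+@@ -631,6 +631,7 @@ AC_ARG_ENABLE(dpms,           AS_HELP_ST
  AC_ARG_ENABLE(config-udev,    AS_HELP_STRING([--enable-config-udev], [Build udev support (default: auto)]), [CONFIG_UDEV=$enableval], [CONFIG_UDEV=auto])
  AC_ARG_ENABLE(config-udev-kms,    AS_HELP_STRING([--enable-config-udev-kms], [Build udev kms support (default: auto)]), [CONFIG_UDEV_KMS=$enableval], [CONFIG_UDEV_KMS=auto])
  AC_ARG_ENABLE(config-hal,     AS_HELP_STRING([--disable-config-hal], [Build HAL support (default: auto)]), [CONFIG_HAL=$enableval], [CONFIG_HAL=auto])
@@ -456,7 +456,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org>
  AC_ARG_ENABLE(config-wscons,  AS_HELP_STRING([--enable-config-wscons], [Build wscons config support (default: auto)]), [CONFIG_WSCONS=$enableval], [CONFIG_WSCONS=auto])
  AC_ARG_ENABLE(xfree86-utils,     AS_HELP_STRING([--enable-xfree86-utils], [Build xfree86 DDX utilities (default: enabled)]), [XF86UTILS=$enableval], [XF86UTILS=yes])
  AC_ARG_ENABLE(vgahw,          AS_HELP_STRING([--enable-vgahw], [Build Xorg with vga access (default: enabled)]), [VGAHW=$enableval], [VGAHW=yes])
-@@ -1017,6 +1018,21 @@
+@@ -1021,6 +1022,21 @@ if test "x$CONFIG_WSCONS" = xyes; then
  	AC_DEFINE(CONFIG_WSCONS, 1, [Use wscons for input auto configuration])
  fi
  
@@ -478,7 +478,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org>
  
  AC_MSG_CHECKING([for glibc...])
  AC_PREPROC_IFELSE([AC_LANG_SOURCE([
-@@ -2566,7 +2582,7 @@
+@@ -2570,7 +2586,7 @@ AC_SUBST([prefix])
  
  AC_CONFIG_COMMANDS([sdksyms], [touch hw/xfree86/sdksyms.dep])
  
@@ -489,7 +489,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org>
              Neither HAL nor udev backend will be enabled.
 --- a/hw/xfree86/common/xf86Config.c
 +++ b/hw/xfree86/common/xf86Config.c
-@@ -1375,15 +1375,18 @@
+@@ -1375,15 +1375,18 @@ checkCoreInputDevices(serverLayoutPtr se
      }
  
      if (!xf86Info.forceInputDevices && !(foundPointer && foundKeyboard)) {
@@ -512,7 +512,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org>
                  "input devices.\n\tIf no devices become available, "
 --- a/hw/xfree86/common/xf86Globals.c
 +++ b/hw/xfree86/common/xf86Globals.c
-@@ -122,7 +122,8 @@
+@@ -122,7 +122,8 @@ xf86InfoRec xf86Info = {
      .pmFlag = TRUE,
      .disableRandR = FALSE,
      .randRFrom = X_DEFAULT,
@@ -524,7 +524,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org>
      .autoEnableDevices = TRUE,
 --- a/include/dix-config.h.in
 +++ b/include/dix-config.h.in
-@@ -445,6 +445,9 @@
+@@ -454,6 +454,9 @@
  /* Enable systemd-logind integration */
  #undef SYSTEMD_LOGIND 1
  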
    

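--- a/debian/patches/03_static-nettle.diff
+++ b/debian/patches/03_static-nettle.diff
@@ -4,7 +4,7 @@ There's no libnettle udeb.
 
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1725,7 +1725,7 @@ fi
+@@ -1695,7 +1695,7 @@ fi
  if test "x$with_sha1" = xlibnettle; then
  	AC_DEFINE([HAVE_SHA1_IN_LIBNETTLE], [1],
  	          [Use libnettle SHA1 functions])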
    

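--- a/debian/patches/11_xfree86-Disable-logfile-and-modulepath.patch
+++ b/debian/patches/11_xfree86-Disable-logfile-and-modulepath.patch
@@ -0,0 +1,39 @@
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 23 Oct 2018 21:29:08 +0200
+Subject: [PATCH xserver] Disable -logfile and -modulepath when running with elevated privileges.
+
+Could cause privilege elevation and/or arbitrary files overwrite, when
+the X server is running with elevated privileges (ie when Xorg is
+installed with the setuid bit set and started by a non-root user).
+
+CVE-2018-14665
+
+Issue reported by Narendra Shinde and Red Hat.
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+--- xorg-server.orig/hw/xfree86/common/xf86Init.c
++++ xorg-server/hw/xfree86/common/xf86Init.c
+@@ -1134,14 +1134,18 @@ ddxProcessArgument(int argc, char **argv
+     /* First the options that are not allowed with elevated privileges */
+     if (!strcmp(argv[i], "-modulepath")) {
+         CHECK_FOR_REQUIRED_ARGUMENT();
+-        xf86CheckPrivs(argv[i], argv[i + 1]);
++        if (xf86PrivsElevated())
++              FatalError("\nInvalid argument -modulepath "
++                "with elevated privileges\n");
+         xf86ModulePath = argv[i + 1];
+         xf86ModPathFrom = X_CMDLINE;
+         return 2;
+     }
+     if (!strcmp(argv[i], "-logfile")) {
+         CHECK_FOR_REQUIRED_ARGUMENT();
+-        xf86CheckPrivs(argv[i], argv[i + 1]);
++        if (xf86PrivsElevated())
++              FatalError("\nInvalid argument -logfile "
++                "with elevated privileges\n");
+         xf86LogFile = argv[i + 1];
+         xf86LogFileFrom = X_CMDLINE;
+         return 2;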
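Review bot: The new FatalError() lines in both the -modulepath and -logfile branches are indented by 14 spaces under an `if` at 8, which does not match the 4-space step used by the surrounding xf86Init.c code and makes the single-statement `if` body harder to read; I would align them as `            FatalError("\nInvalid argument -modulepath "` / `                       "with elevated privileges\n");` and likewise for -logfile. The hardening itself is the right shape: refusing the option outright rather than only checking the argument path closes the write-an-arbitrary-file angle the commit message describes, and aborting at argument-parse time means no privileged file is ever opened with an attacker-chosen name. Since this runs inside ddxProcessArgument(), it presumably relies on xf86PrivsElevated() not needing any state initialised later in server startup — worth confirming against its definition, which is not in this hunk. The enclosing ddxProcessArgument() starts and ends outside the hunk, and the closing `}` of the -logfile branch is not shown here.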

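--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@
 08_Xi-Verify-all-events-in-ProcXSendExtensionEvent.patch
 09_Xi-Do-not-try-to-swap-GenericEvent.patch
 10_Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch
+11_xfree86-Disable-logfile-and-modulepath.patch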

