Andreas Boll pushed to branch upstream-unstable at X Strike Force / xserver / xorg-server
Commits: cfc3dec0 by Peter Hutterer at 2018-10-16T14:22:05Z xfree86: fix readlink call Misplaced parenthesis caused us to compare the sizeof, not the readlink return value. Signed-off-by: Peter Hutterer <peter.hutte...@who-t.net> (cherry picked from commit bd5fe7593fd0df236f3b2be1f062166ddba7d67c) - - - - - 8a59e3b7 by Matthieu Herrb at 2018-10-25T13:18:06Z Disable -logfile and -modulepath when running with elevated privileges Could cause privilege elevation and/or arbitrary files overwrite, when the X server is running with elevated privileges (ie when Xorg is installed with the setuid bit set and started by a non-root user). CVE-2018-14665 Issue reported by Narendra Shinde and Red Hat. Signed-off-by: Matthieu Herrb <matth...@herrb.eu> Reviewed-by: Alan Coopersmith <alan.coopersm...@oracle.com> Reviewed-by: Peter Hutterer <peter.hutte...@who-t.net> Reviewed-by: Adam Jackson <a...@redhat.com> (cherry picked from commit 50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e) - - - - - da15c741 by Matthieu Herrb at 2018-10-25T13:18:06Z LogFilePrep: add a comment to the unsafe format string. CVE-2018-14665 also made it possible to exploit this to access memory. With -logfile forbidden when running with elevated privileges this is no longer an issue. Signed-off-by: Matthieu Herrb <matth...@herrb.eu> Reviewed-by: Adam Jackson <a...@redhat.com> (cherry picked from commit 248d164eae27f1f310266d78e52f13f64362f81e) - - - - - 971d4181 by Adam Jackson at 2018-10-25T13:18:06Z xserver 1.20.3 Signed-off-by: Adam Jackson <a...@redhat.com> - - - - - 5 changed files: - configure.ac - hw/xfree86/common/xf86Init.c - hw/xfree86/fbdevhw/fbdevhw.c - meson.build - os/log.c Changes: ===================================== configure.ac ===================================== 
@@ -26,9 +26,9 @@ dnl dnl Process this file with autoconf to create configure. AC_PREREQ(2.60) -AC_INIT([xorg-server], 1.20.2, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server) -RELEASE_DATE="2018-10-15" -RELEASE_NAME="Tofu Biryani" +AC_INIT([xorg-server], 1.20.3, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server) +RELEASE_DATE="2018-10-25" +RELEASE_NAME="Harissa Roasted Carrots" AC_CONFIG_SRCDIR([Makefile.am]) AC_CONFIG_MACRO_DIR([m4]) AM_INIT_AUTOMAKE([foreign dist-bzip2]) ===================================== hw/xfree86/common/xf86Init.c ===================================== @@ -1027,14 +1027,18 @@ ddxProcessArgument(int argc, char **argv, int i) /* First the options that are not allowed with elevated privileges */ if (!strcmp(argv[i], "-modulepath")) { CHECK_FOR_REQUIRED_ARGUMENT(); - xf86CheckPrivs(argv[i], argv[i + 1]); + if (xf86PrivsElevated()) + FatalError("\nInvalid argument -modulepath " + "with elevated privileges\n"); xf86ModulePath = argv[i + 1]; xf86ModPathFrom = X_CMDLINE; return 2; } if (!strcmp(argv[i], "-logfile")) { CHECK_FOR_REQUIRED_ARGUMENT(); - xf86CheckPrivs(argv[i], argv[i + 1]); + if (xf86PrivsElevated()) + FatalError("\nInvalid argument -logfile " + "with elevated privileges\n"); xf86LogFile = argv[i + 1]; xf86LogFileFrom = X_CMDLINE; return 2; ===================================== hw/xfree86/fbdevhw/fbdevhw.c ===================================== @@ -336,7 +336,7 @@ fbdev_open(int scrnIndex, const char *dev, char **namep) char *node = strrchr(dev, '/') + 1; if (asprintf(&sysfs_path, "/sys/class/graphics/%s", node) < 0 || - readlink(sysfs_path, buf, sizeof(buf) < 0) || + readlink(sysfs_path, buf, sizeof(buf)) < 0 || strstr(buf, "devices/pci")) { free(sysfs_path); close(fd); ===================================== meson.build ===================================== 
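Review bot: The two new rejections in ddxProcessArgument are the same three lines with only the option name changed, so the wording can drift and the next restricted option will be pasted a third time. Passing the option as an argument keeps one message for both: `if (xf86PrivsElevated()) FatalError("\nInvalid argument %s with elevated privileges\n", argv[i]);`. The check also runs after CHECK_FOR_REQUIRED_ARGUMENT(), so an elevated caller who omits the value gets the usage error rather than the privilege error; putting the privilege check first would make the refusal unconditional. Whether xf86ModulePath and xf86LogFile can still be set from another source while privileges are elevated is not visible in this hunk and is worth confirming, since this parse-time check is the only guard shown. The function body continues outside the hunk.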
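Review bot: With the parenthesis fixed, the readlink() result is still only tested for failure, and readlink() does not NUL-terminate what it writes, so `strstr(buf, "devices/pci")` on the next line scans an unterminated buffer unless buf is zero-filled where it is declared, above this hunk. Keeping the length and terminating closes that: `ssize_t n = readlink(sysfs_path, buf, sizeof(buf) - 1);` followed by `buf[n] = '\0';` once n is known to be non-negative. As written, a return value equal to sizeof(buf) cannot be told apart from a truncated link target. Separately, the context line `strrchr(dev, '/') + 1` assumes dev contains a slash; a bare device name would leave node as an invalid pointer. fbdev_open starts and ends outside the hunk.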
@@ -3,7 +3,7 @@ project('xserver', 'c', 'buildtype=debugoptimized', 'c_std=gnu99', ], - version: '1.20.2', + version: '1.20.3', meson_version: '>= 0.42.0', ) add_project_arguments('-DHAVE_DIX_CONFIG_H', language: 'c') ===================================== os/log.c ===================================== @@ -194,6 +194,8 @@ LogFilePrep(const char *fname, const char *backup, const char *idstring) { char *logFileName = NULL; + /* the format string below is controlled by the user, + this code should never be called with elevated privileges */ if (asprintf(&logFileName, fname, idstring) == -1) FatalError("Cannot allocate space for the log file name\n"); View it on GitLab: https://salsa.debian.org/xorg-team/xserver/xorg-server/compare/2a0c6c15c35cd262e7cdb86dcc43cb1aeb714c8e...971d418113740cae2d7d393850bad4926d1a7e86 -- View it on GitLab: https://salsa.debian.org/xorg-team/xserver/xorg-server/compare/2a0c6c15c35cd262e7cdb86dcc43cb1aeb714c8e...971d418113740cae2d7d393850bad4926d1a7e86 You're receiving this email because of your account on salsa.debian.org.
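Review bot: The comment added in LogFilePrep states an invariant (never called with elevated privileges) that nothing in this function checks, so the safety of `asprintf(&logFileName, fname, idstring)` rests entirely on the argument-parsing check in xf86Init.c staying in place. Since idstring is the only value the call supplies, fname can be validated to contain at most one `%s` and no other conversion before it is used as a format, which keeps the call safe whoever supplied the name. The comment would also be more useful if it named where the restriction is enforced. LogFilePrep continues outside the hunk.

```c
    char *logFileName = NULL;

    /* Accept only a template with at most one %s and no other conversion,
       so a caller-supplied name cannot act as an arbitrary format string. */
    {
        const char *p;
        int conversions = 0;

        for (p = fname; *p != '\0'; p++) {
            if (*p != '%')
                continue;
            p++;
            if (*p == '%')
                continue;
            if (*p != 's' || ++conversions > 1)
                FatalError("Invalid log file name template\n");
        }
    }
    if (asprintf(&logFileName, fname, idstring) == -1)
    /* … unchanged: allocation-failure FatalError and the rest of LogFilePrep … */
```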