xserver-xorg: fix CVE-2018-14665

Incorrect command-line parameter validation in the Xorg X server can lead to privilege elevation and/or arbitrary files overwrite, when the X server is running with elevated privileges (ie when Xorg is installed with the setuid bit set and started by a non-root user). The -modulepath argument can be used to specify an insecure path to modules that are going to be loaded in the X server, allowing to execute unprivileged code in the privileged process. The -logfile argument can be used to overwrite arbitrary files in the file system, due to incorrect checks in the parsing of the option. (From OE-Core rev: 14b5854d50c38e94fc0d1ce6af36698fc69f52b4) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ross Burton <ross.burton@intel.com> 2018-11-01 11:15:58 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-11-01 13:27:26 +0000
commit: 411184bfaa6269bf2926bb2a576c0922958cbbb3 (patch)
tree: 8ec9a320e9375109287bfe62b022bf84cba58600
parent: 50614214097f90f53cedb1cd317098b025a57885 (diff)
download: poky-411184bfaa6269bf2926bb2a576c0922958cbbb3.tar.gz
2 files changed, 63 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2018-14665.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2018-14665.patch
new file mode 100644
index 0000000000..7f6235b432
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2018-14665.patch
@@ -0,0 +1,62 @@
+Incorrect command-line parameter validation in the Xorg X server can lead to
+privilege elevation and/or arbitrary files overwrite, when the X server is
+running with elevated privileges (ie when Xorg is installed with the setuid bit
+set and started by a non-root user). The -modulepath argument can be used to
+specify an insecure path to modules that are going to be loaded in the X server,
+allowing to execute unprivileged code in the privileged process. The -logfile
+argument can be used to overwrite arbitrary files in the file system, due to
+incorrect checks in the parsing of the option.
+CVE: CVE-2018-14665
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+From 50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 23 Oct 2018 21:29:08 +0200
+Subject: [PATCH] Disable -logfile and -modulepath when running with elevated
+ privileges
+Could cause privilege elevation and/or arbitrary files overwrite, when
+the X server is running with elevated privileges (ie when Xorg is
+installed with the setuid bit set and started by a non-root user).
+CVE-2018-14665
+Issue reported by Narendra Shinde and Red Hat.
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+---
+ hw/xfree86/common/xf86Init.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+diff --git a/hw/xfree86/common/xf86Init.c b/hw/xfree86/common/xf86Init.c
+index 6c25eda73..0f57efa86 100644
+--- a/hw/xfree86/common/xf86Init.c
+++ b/hw/xfree86/common/xf86Init.c
+@@ -935,14 +935,18 @@ ddxProcessArgument(int argc, char **argv, int i)
+     /* First the options that are not allowed with elevated privileges */
+     if (!strcmp(argv[i], "-modulepath")) {
+         CHECK_FOR_REQUIRED_ARGUMENT();
+-        xf86CheckPrivs(argv[i], argv[i + 1]);
+        if (xf86PrivsElevated())
+              FatalError("\nInvalid argument -modulepath "
+                "with elevated privileges\n");
+         xf86ModulePath = argv[i + 1];
+         xf86ModPathFrom = X_CMDLINE;
+         return 2;
+     }
+     if (!strcmp(argv[i], "-logfile")) {
+         CHECK_FOR_REQUIRED_ARGUMENT();
+-        xf86CheckPrivs(argv[i], argv[i + 1]);
+        if (xf86PrivsElevated())
+              FatalError("\nInvalid argument -logfile "
+                "with elevated privileges\n");
+         xf86LogFile = argv[i + 1];
+         xf86LogFileFrom = X_CMDLINE;
+         return 2;
+-- 
+2.18.1
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.1.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.1.bb
index cfdaf73175..9fd2e8d870 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.1.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.1.bb
@@ -3,6 +3,7 @@ require xserver-xorg.inc
 SRC_URI += "file://musl-arm-inb-outb.patch \
            file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \
            file://pkgconfig.patch \
+            file://CVE-2018-14665.patch \
            "
 SRC_URI[md5sum] = "e525846d1d0af5732ba835f2e2ec066d"
 SRC_URI[sha256sum] = "59c99fe86fe75b8164c6567bfc6e982aecc2e4a51e6fbac1b842d5d00549e918"
author	Ross Burton <ross.burton@intel.com>	2018-11-01 11:15:58 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-11-01 13:27:26 +0000
commit	411184bfaa6269bf2926bb2a576c0922958cbbb3 (patch)
tree	8ec9a320e9375109287bfe62b022bf84cba58600
parent	50614214097f90f53cedb1cd317098b025a57885 (diff)
download	poky-411184bfaa6269bf2926bb2a576c0922958cbbb3.tar.gz

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2018-14665.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2018-14665.patch new file mode 100644 index 0000000000..7f6235b432 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2018-14665.patch
@@ -0,0 +1,62 @@
		1	Incorrect command-line parameter validation in the Xorg X server can lead to
		2	privilege elevation and/or arbitrary files overwrite, when the X server is
		3	running with elevated privileges (ie when Xorg is installed with the setuid bit
		4	set and started by a non-root user). The -modulepath argument can be used to
		5	specify an insecure path to modules that are going to be loaded in the X server,
		6	allowing to execute unprivileged code in the privileged process. The -logfile
		7	argument can be used to overwrite arbitrary files in the file system, due to
		8	incorrect checks in the parsing of the option.
		9
		10	CVE: CVE-2018-14665
		11	Upstream-Status: Backport
		12	Signed-off-by: Ross Burton <ross.burton@intel.com>
		13
		14	From 50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e Mon Sep 17 00:00:00 2001
		15	From: Matthieu Herrb <matthieu@herrb.eu>
		16	Date: Tue, 23 Oct 2018 21:29:08 +0200
		17	Subject: [PATCH] Disable -logfile and -modulepath when running with elevated
		18	privileges
		19
		20	Could cause privilege elevation and/or arbitrary files overwrite, when
		21	the X server is running with elevated privileges (ie when Xorg is
		22	installed with the setuid bit set and started by a non-root user).
		23
		24	CVE-2018-14665
		25
		26	Issue reported by Narendra Shinde and Red Hat.
		27
		28	Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
		29	Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
		30	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
		31	Reviewed-by: Adam Jackson <ajax@redhat.com>
		32	---
		33	hw/xfree86/common/xf86Init.c \| 8 ++++++--
		34	1 file changed, 6 insertions(+), 2 deletions(-)
		35
		36	diff --git a/hw/xfree86/common/xf86Init.c b/hw/xfree86/common/xf86Init.c
		37	index 6c25eda73..0f57efa86 100644
		38	--- a/hw/xfree86/common/xf86Init.c
		39	+++ b/hw/xfree86/common/xf86Init.c
		40	@@ -935,14 +935,18 @@ ddxProcessArgument(int argc, char **argv, int i)
		41	/* First the options that are not allowed with elevated privileges */
		42	if (!strcmp(argv[i], "-modulepath")) {
		43	CHECK_FOR_REQUIRED_ARGUMENT();
		44	- xf86CheckPrivs(argv[i], argv[i + 1]);
		45	+ if (xf86PrivsElevated())
		46	+ FatalError("\nInvalid argument -modulepath "
		47	+ "with elevated privileges\n");
		48	xf86ModulePath = argv[i + 1];
		49	xf86ModPathFrom = X_CMDLINE;
		50	return 2;
		51	}
		52	if (!strcmp(argv[i], "-logfile")) {
		53	CHECK_FOR_REQUIRED_ARGUMENT();
		54	- xf86CheckPrivs(argv[i], argv[i + 1]);
		55	+ if (xf86PrivsElevated())
		56	+ FatalError("\nInvalid argument -logfile "
		57	+ "with elevated privileges\n");
		58	xf86LogFile = argv[i + 1];
		59	xf86LogFileFrom = X_CMDLINE;
		60	return 2;
		61	--
		62	2.18.1


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.1.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.1.bb index cfdaf73175..9fd2e8d870 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.1.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.1.bb
@@ -3,6 +3,7 @@ require xserver-xorg.inc
3	SRC_URI += "file://musl-arm-inb-outb.patch \	3	SRC_URI += "file://musl-arm-inb-outb.patch \
4	file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \	4	file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \
5	file://pkgconfig.patch \	5	file://pkgconfig.patch \
		6	file://CVE-2018-14665.patch \
6	"	7	"
7	SRC_URI[md5sum] = "e525846d1d0af5732ba835f2e2ec066d"	8	SRC_URI[md5sum] = "e525846d1d0af5732ba835f2e2ec066d"
8	SRC_URI[sha256sum] = "59c99fe86fe75b8164c6567bfc6e982aecc2e4a51e6fbac1b842d5d00549e918"	9	SRC_URI[sha256sum] = "59c99fe86fe75b8164c6567bfc6e982aecc2e4a51e6fbac1b842d5d00549e918"