summaryrefslogtreecommitdiffstats
path: root/meta/recipes-graphics
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-graphics')
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2018-14665.patch62
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.3.bb (renamed from meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.1.bb)5
2 files changed, 2 insertions, 65 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2018-14665.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2018-14665.patch
deleted file mode 100644
index 7f6235b432..0000000000
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2018-14665.patch
+++ /dev/null
@@ -1,62 +0,0 @@
1Incorrect command-line parameter validation in the Xorg X server can lead to
2privilege elevation and/or arbitrary files overwrite, when the X server is
3running with elevated privileges (ie when Xorg is installed with the setuid bit
4set and started by a non-root user). The -modulepath argument can be used to
5specify an insecure path to modules that are going to be loaded in the X server,
6allowing to execute unprivileged code in the privileged process. The -logfile
7argument can be used to overwrite arbitrary files in the file system, due to
8incorrect checks in the parsing of the option.
9
10CVE: CVE-2018-14665
11Upstream-Status: Backport
12Signed-off-by: Ross Burton <ross.burton@intel.com>
13
14From 50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e Mon Sep 17 00:00:00 2001
15From: Matthieu Herrb <matthieu@herrb.eu>
16Date: Tue, 23 Oct 2018 21:29:08 +0200
17Subject: [PATCH] Disable -logfile and -modulepath when running with elevated
18 privileges
19
20Could cause privilege elevation and/or arbitrary files overwrite, when
21the X server is running with elevated privileges (ie when Xorg is
22installed with the setuid bit set and started by a non-root user).
23
24CVE-2018-14665
25
26Issue reported by Narendra Shinde and Red Hat.
27
28Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
29Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
30Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
31Reviewed-by: Adam Jackson <ajax@redhat.com>
32---
33 hw/xfree86/common/xf86Init.c | 8 ++++++--
34 1 file changed, 6 insertions(+), 2 deletions(-)
35
36diff --git a/hw/xfree86/common/xf86Init.c b/hw/xfree86/common/xf86Init.c
37index 6c25eda73..0f57efa86 100644
38--- a/hw/xfree86/common/xf86Init.c
39+++ b/hw/xfree86/common/xf86Init.c
40@@ -935,14 +935,18 @@ ddxProcessArgument(int argc, char **argv, int i)
41 /* First the options that are not allowed with elevated privileges */
42 if (!strcmp(argv[i], "-modulepath")) {
43 CHECK_FOR_REQUIRED_ARGUMENT();
44- xf86CheckPrivs(argv[i], argv[i + 1]);
45+ if (xf86PrivsElevated())
46+ FatalError("\nInvalid argument -modulepath "
47+ "with elevated privileges\n");
48 xf86ModulePath = argv[i + 1];
49 xf86ModPathFrom = X_CMDLINE;
50 return 2;
51 }
52 if (!strcmp(argv[i], "-logfile")) {
53 CHECK_FOR_REQUIRED_ARGUMENT();
54- xf86CheckPrivs(argv[i], argv[i + 1]);
55+ if (xf86PrivsElevated())
56+ FatalError("\nInvalid argument -logfile "
57+ "with elevated privileges\n");
58 xf86LogFile = argv[i + 1];
59 xf86LogFileFrom = X_CMDLINE;
60 return 2;
61--
622.18.1
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.1.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.3.bb
index 9fd2e8d870..1caa154a23 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.1.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.3.bb
@@ -3,10 +3,9 @@ require xserver-xorg.inc
3SRC_URI += "file://musl-arm-inb-outb.patch \ 3SRC_URI += "file://musl-arm-inb-outb.patch \
4 file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \ 4 file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \
5 file://pkgconfig.patch \ 5 file://pkgconfig.patch \
6 file://CVE-2018-14665.patch \
7 " 6 "
8SRC_URI[md5sum] = "e525846d1d0af5732ba835f2e2ec066d" 7SRC_URI[md5sum] = "8ee29e8b24cef6b3cfa747ec01b9155a"
9SRC_URI[sha256sum] = "59c99fe86fe75b8164c6567bfc6e982aecc2e4a51e6fbac1b842d5d00549e918" 8SRC_URI[sha256sum] = "1b3ce466c12cacbe2252b3ad5b0ed561972eef9d09e75900d65fb1e21f9201de"
10 9
11# These extensions are now integrated into the server, so declare the migration 10# These extensions are now integrated into the server, so declare the migration
12# path for in-place upgrades. 11# path for in-place upgrades.