Daniel Stone
2015-Jun-10 15:06 UTC
X.Org/Wayland Security Advisory: Missing authentication in XWayland
X.Org/Wayland Security Advisory: June 10th, 2015 - CVE-2015-3164 Unauthorised local client access in XWayland =========================================== Description: =========== Ray Strode, a developer at Red Hat, discovered an authentication setup issue inside the XWayland compatibility server, used to host X11 clients inside a Wayland compositor's session. XWayland is used by Weston and Mutter / GNOME Shell's Wayland mode. Due to an omission in authentication setup, the XWayland server would start up in non-authenticating mode, meaning that any client with access to the server's UNIX socket was able to connect to the server and use it as a regular client. No Wayland compositor was known to start XWayland with TCP access open, so remote exploitation is not considered possible. On many systems, all local users would have full access to the XWayland server, allowing untrusted users to capture contents of, and input destined for, other X11 clients. This permission bypass does not extend to native Wayland clients: XWayland is not given access to the buffers of any Wayland clients in the host session, nor is any input sent to XWayland unless an X11 client was active at that time. The resolution was to restrict XWayland connections to the same UID as the server itself, matching Wayland's default permissions. This vulnerability has been assigned CVE-2015-3164. Affected versions: ================= The separate XWayland DDX was introduced with version 1.16 of the X.Org Server release, and this vulnerability has been present in all versions since. Versions prior to these releases used a separate 'xwayland' module within the Xorg DDX, which is unaffected by this vulnerability. All Weston versions since 1.5.0 use the new Xwayland server, as well as all released Wayland versions of Mutter / GNOME Shell. Fixes: ===== Fixes are available in the patches for these X server git commits: c4534a38b68aa07fb82318040dc8154fb48a9588 4b4b9086d02b80549981d205fb1f495edc373538 76636ac12f2d1dbdf7be08222f80e7505d53c451 Which are now available from: git://anongit.freedesktop.org/git/xorg/xserver cgit.freedesktop.org/xorg/xserver Fixes will also be included in the 1.18 series and its release candidates, as well as the 1.17.2 stable release. Thanks: ====== X.Org and the Wayland community thank Ray Strode of Red Hat for reporting these issues to our security team and developing the fixes.
Reasonably Related Threads
- [ANNOUNCE] xwayland 23.1.99.901 (aka Xwayland 23.2.0 rc1)
- [ANNOUNCE] xwayland 23.1.0
- [Bug 104222] New: GNOME/Wayland desktop freezes when resizing Firefox window
- [ANNOUNCE] xorg-server 1.17.2
- [Bug 110669] New: iMac with GK107M unstable - hangs with xorg / crashes with xwayland
Wisdom of the Ancients
