X.Org security advisory: October 25, 2018
Privilege escalation and file overwrite in X.Org X server 1.19 and later
=======================================================================
Incorrect command-line parameter validation in the Xorg X server can
lead to privilege elevation and/or arbitrary files overwrite, when the
X server is running with elevated privileges (ie when Xorg is
installed with the setuid bit set and started by a non-root user).
The -modulepath argument can be used to specify an insecure path to
modules that are going to be loaded in the X server, allowing to
execute unprivileged code in the privileged process.
The -logfile argument can be used to overwrite arbitrary files in the
file system, due to incorrect checks in the parsing of the option.
This issue has been assigned CVE-2018-14665
Background
=========
The commit
https://gitlab.freedesktop.org/xorg/xserver/commit/032b1d79b7 which
first appeared in xorg-server 1.19.0 introduced a regression in the
security checks performed for potentially dangerous options, enabling
the vulnerabilities listed above.
Overwriting /etc/shadow with -logfile can also lead to privilege
elevation since it's possible to control some part of the written log
file, for example using the -fp option to set the font search path
(which is logged) and thus inject a line that will be considered as
valid by some systems.
Patches
======
A patch for the issue was added to the xserver repository on
October 25, 2018.
https://gitlab.freedesktop.org/xorg/xserver/commit/50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e
Workaround
=========
If a patched version of the X server is not available, X.Org
recommends to remove the setuid bit (ie chmod 755) of the installed
Xorg binary. Note that this can cause issues if people are starting
the X window system using the 'startx', 'xinit' commands or
variations
thereof.
X.Org recommends the use of a display manager to start X sessions,
which does not require Xorg to be installed setuid.
Thanks
=====
X.Org thanks Narendra Shinde who discovered and reported the issue,
and the Red Hat Product Security Team who helped understand all
impacts.
--
Matthieu Herrb
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL:
<https://lists.x.org/archives/xorg-announce/attachments/20181025/aeb9ddfc/attachment.sig>
