poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2018-14665.patch - openbmc/openbmc - Gitiles

 Incorrect command-line parameter validation in the Xorg X server can lead to
 privilege elevation and/or arbitrary files overwrite, when the X server is
 running with elevated privileges (ie when Xorg is installed with the setuid bit
 set and started by a non-root user). The -modulepath argument can be used to
 specify an insecure path to modules that are going to be loaded in the X server,
 allowing to execute unprivileged code in the privileged process. The -logfile
 argument can be used to overwrite arbitrary files in the file system, due to
 incorrect checks in the parsing of the option.

 CVE: CVE-2018-14665
 Upstream-Status: Backport
 Signed-off-by: Ross Burton <ross.burton@intel.com>

 From 50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e Mon Sep 17 00:00:00 2001
 From: Matthieu Herrb <matthieu@herrb.eu>
 Date: Tue, 23 Oct 2018 21:29:08 +0200
 Subject: [PATCH] Disable -logfile and -modulepath when running with elevated
  privileges

 Could cause privilege elevation and/or arbitrary files overwrite, when
 the X server is running with elevated privileges (ie when Xorg is
 installed with the setuid bit set and started by a non-root user).

 CVE-2018-14665

 Issue reported by Narendra Shinde and Red Hat.

 Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
 Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
 Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
 Reviewed-by: Adam Jackson <ajax@redhat.com>
 ---
  hw/xfree86/common/xf86Init.c | 8 ++++++--
  1 file changed, 6 insertions(+), 2 deletions(-)

 diff --git a/hw/xfree86/common/xf86Init.c b/hw/xfree86/common/xf86Init.c
 index 6c25eda73..0f57efa86 100644
 --- a/hw/xfree86/common/xf86Init.c
 +++ b/hw/xfree86/common/xf86Init.c
 @@ -935,14 +935,18 @@ ddxProcessArgument(int argc, char **argv, int i)
      /* First the options that are not allowed with elevated privileges */
      if (!strcmp(argv[i], "-modulepath")) {
          CHECK_FOR_REQUIRED_ARGUMENT();
 -        xf86CheckPrivs(argv[i], argv[i + 1]);
 +        if (xf86PrivsElevated())
 +              FatalError("\nInvalid argument -modulepath "
 +                "with elevated privileges\n");
          xf86ModulePath = argv[i + 1];
          xf86ModPathFrom = X_CMDLINE;
          return 2;
      }
      if (!strcmp(argv[i], "-logfile")) {
          CHECK_FOR_REQUIRED_ARGUMENT();
 -        xf86CheckPrivs(argv[i], argv[i + 1]);
 +        if (xf86PrivsElevated())
 +              FatalError("\nInvalid argument -logfile "
 +                "with elevated privileges\n");
          xf86LogFile = argv[i + 1];
          xf86LogFileFrom = X_CMDLINE;
          return 2;
 --
 2.18.1
	Incorrect command-line parameter validation in the Xorg X server can lead to
	privilege elevation and/or arbitrary files overwrite, when the X server is
	running with elevated privileges (ie when Xorg is installed with the setuid bit
	set and started by a non-root user). The -modulepath argument can be used to
	specify an insecure path to modules that are going to be loaded in the X server,
	allowing to execute unprivileged code in the privileged process. The -logfile
	argument can be used to overwrite arbitrary files in the file system, due to
	incorrect checks in the parsing of the option.

	CVE: CVE-2018-14665
	Upstream-Status: Backport
	Signed-off-by: Ross Burton <ross.burton@intel.com>

	From 50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e Mon Sep 17 00:00:00 2001
	From: Matthieu Herrb <matthieu@herrb.eu>
	Date: Tue, 23 Oct 2018 21:29:08 +0200
	Subject: [PATCH] Disable -logfile and -modulepath when running with elevated
	privileges

	Could cause privilege elevation and/or arbitrary files overwrite, when
	the X server is running with elevated privileges (ie when Xorg is
	installed with the setuid bit set and started by a non-root user).

	CVE-2018-14665

	Issue reported by Narendra Shinde and Red Hat.

	Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
	Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
	Reviewed-by: Adam Jackson <ajax@redhat.com>
	---
	hw/xfree86/common/xf86Init.c \| 8 ++++++--
	1 file changed, 6 insertions(+), 2 deletions(-)

	diff --git a/hw/xfree86/common/xf86Init.c b/hw/xfree86/common/xf86Init.c
	index 6c25eda73..0f57efa86 100644
	--- a/hw/xfree86/common/xf86Init.c
	+++ b/hw/xfree86/common/xf86Init.c
	@@ -935,14 +935,18 @@ ddxProcessArgument(int argc, char **argv, int i)
	/* First the options that are not allowed with elevated privileges */
	if (!strcmp(argv[i], "-modulepath")) {
	CHECK_FOR_REQUIRED_ARGUMENT();
	- xf86CheckPrivs(argv[i], argv[i + 1]);
	+ if (xf86PrivsElevated())
	+ FatalError("\nInvalid argument -modulepath "
	+ "with elevated privileges\n");
	xf86ModulePath = argv[i + 1];
	xf86ModPathFrom = X_CMDLINE;
	return 2;
	}
	if (!strcmp(argv[i], "-logfile")) {
	CHECK_FOR_REQUIRED_ARGUMENT();
	- xf86CheckPrivs(argv[i], argv[i + 1]);
	+ if (xf86PrivsElevated())
	+ FatalError("\nInvalid argument -logfile "
	+ "with elevated privileges\n");
	xf86LogFile = argv[i + 1];
	xf86LogFileFrom = X_CMDLINE;
	return 2;
	--
	2.18.1