| Incorrect command-line parameter validation in the Xorg X server can lead to |
| privilege elevation and/or arbitrary files overwrite, when the X server is |
| running with elevated privileges (ie when Xorg is installed with the setuid bit |
| set and started by a non-root user). The -modulepath argument can be used to |
| specify an insecure path to modules that are going to be loaded in the X server, |
| allowing to execute unprivileged code in the privileged process. The -logfile |
| argument can be used to overwrite arbitrary files in the file system, due to |
| incorrect checks in the parsing of the option. |
| |
| CVE: CVE-2018-14665 |
| Upstream-Status: Backport |
| Signed-off-by: Ross Burton <ross.burton@intel.com> |
| |
| From 50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e Mon Sep 17 00:00:00 2001 |
| From: Matthieu Herrb <matthieu@herrb.eu> |
| Date: Tue, 23 Oct 2018 21:29:08 +0200 |
| Subject: [PATCH] Disable -logfile and -modulepath when running with elevated |
| privileges |
| |
| Could cause privilege elevation and/or arbitrary files overwrite, when |
| the X server is running with elevated privileges (ie when Xorg is |
| installed with the setuid bit set and started by a non-root user). |
| |
| CVE-2018-14665 |
| |
| Issue reported by Narendra Shinde and Red Hat. |
| |
| Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> |
| Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> |
| Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> |
| Reviewed-by: Adam Jackson <ajax@redhat.com> |
| --- |
| hw/xfree86/common/xf86Init.c | 8 ++++++-- |
| 1 file changed, 6 insertions(+), 2 deletions(-) |
| |
| diff --git a/hw/xfree86/common/xf86Init.c b/hw/xfree86/common/xf86Init.c |
| index 6c25eda73..0f57efa86 100644 |
| --- a/hw/xfree86/common/xf86Init.c |
| +++ b/hw/xfree86/common/xf86Init.c |
| @@ -935,14 +935,18 @@ ddxProcessArgument(int argc, char **argv, int i) |
| /* First the options that are not allowed with elevated privileges */ |
| if (!strcmp(argv[i], "-modulepath")) { |
| CHECK_FOR_REQUIRED_ARGUMENT(); |
| - xf86CheckPrivs(argv[i], argv[i + 1]); |
| + if (xf86PrivsElevated()) |
| + FatalError("\nInvalid argument -modulepath " |
| + "with elevated privileges\n"); |
| xf86ModulePath = argv[i + 1]; |
| xf86ModPathFrom = X_CMDLINE; |
| return 2; |
| } |
| if (!strcmp(argv[i], "-logfile")) { |
| CHECK_FOR_REQUIRED_ARGUMENT(); |
| - xf86CheckPrivs(argv[i], argv[i + 1]); |
| + if (xf86PrivsElevated()) |
| + FatalError("\nInvalid argument -logfile " |
| + "with elevated privileges\n"); |
| xf86LogFile = argv[i + 1]; |
| xf86LogFileFrom = X_CMDLINE; |
| return 2; |
| -- |
| 2.18.1 |