Bug 1111697 (CVE-2018-14665)

Summary: VUL-0: CVE-2018-14665: xorg-x11-server: Arbitrary File Overwrite Vulnerability
Product: [Novell Products] SUSE Security Incidents Reporter: Andreas Stieger <astieger>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: bfilho, brad.bendily, meissner, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/216593/
Whiteboard: CVSSv3:SUSE:CVE-2018-14665:8.4:(AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv3:RedHat:CVE-2018-14665:6.6:(AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) maint:released:sle10-sp3:64153
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Comment 2 Andreas Stieger 2018-10-12 17:21:08 UTC
The setuid bit removed in SLE/openSUSE packages via bug 632737 in 2010.
SLE 12 and up, Leap 42.x and Leap 15.0 do not have the setuid bit set.
SLE 11 has the setuid bit set.
Comment 3 Marcus Meissner 2018-10-13 14:07:24 UTC
CRD: 2018-10-18 14:00UTC

Date: Sat, 13 Oct 2018 11:51:38 +0200                                                                                                                                                        
From: Matthieu Herrb <matthieu@herrb.eu>                                                                                                                                                     
To: xorg-security@lists.x.org                                                                                                                                                                
Subject: [security-team] [PATCH xserver] Disable -logfile when running with elevated privileges.                                                                                             
X-Mailer: git-send-email 2.19.0                                                                                                                                                              
An unprivileged was able to overwrite arbitrary files                                                                                                                                        
in directories in which it is able to chdir, potentially                                                                                                                                     
leading to privilege elevation.                                                                                                                                                              
Issue reported by Narendra Shinde                                                                                                                                                            
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>                                                                                                                                            
 hw/xfree86/common/xf86Init.c | 4 +++-                                                                                                                                                       
 1 file changed, 3 insertions(+), 1 deletion(-)                                                                                                                                              
diff --git a/hw/xfree86/common/xf86Init.c b/hw/xfree86/common/xf86Init.c                                                                                                                     
index 6c25eda73..a3fb06dc6 100644                                                                                                                                                            
--- a/hw/xfree86/common/xf86Init.c                                                                                                                                                           
+++ b/hw/xfree86/common/xf86Init.c                                                                                                                                                           
@@ -942,7 +942,9 @@ ddxProcessArgument(int argc, char **argv, int i)                                                                                                                         
     if (!strcmp(argv[i], "-logfile")) {                                                                                                                                                     
-        xf86CheckPrivs(argv[i], argv[i + 1]);                                                                                                                                               
+        if (xf86PrivsElevated())                                                                                                                                                            
+              FatalError("\nInvalid argument -logfile "                                                                                                                                     
+                "with elevated privileges\n");                                                                                                                                              
         xf86LogFile = argv[i + 1];                                                                                                                                                          
         xf86LogFileFrom = X_CMDLINE;                                                                                                                                                        
         return 2;                                                                                                                                                                           
Comment 4 Stefan Dirsch 2018-10-15 09:53:07 UTC
Ok. I plan to patch

sle10-sp3-x86_64 (LTS/Teradata)
SUSE:SLE-11-SP1:Update (LTS/Teradata)
SUSE:SLE-11-SP3:Update (still supported)

Hope this makes sense.
Comment 5 Stefan Dirsch 2018-10-15 12:38:55 UTC
sle10-sp3-x86_64 --> SR #174689
SUSE:SLE-11-SP1:Update --> SR #174688
SUSE:SLE-11-SP3:Update --> SR #174687

done -> reassigning to security team
Comment 7 Swamp Workflow Management 2018-10-16 12:11:14 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2018-10-23.
When done, reassign the bug to security-team@suse.de.
Comment 9 Marcus Meissner 2018-10-17 05:37:31 UTC
embargo date was changed to include the other bug

CRD: 2018-10-25
Comment 11 Marcus Meissner 2018-10-25 14:40:43 UTC
public now

X.Org security advisory: October 25, 2018

Privilege escalation and file overwrite in X.Org X server 1.19 and later

Incorrect command-line parameter validation in the Xorg X server can
lead to privilege elevation and/or arbitrary files overwrite, when the
X server is running with elevated privileges (ie when Xorg is
installed with the setuid bit set and started by a non-root user).

The -modulepath argument can be used to specify an insecure path to
modules that are going to be loaded in the X server, allowing to
execute unprivileged code in the privileged process.

The -logfile argument can be used to overwrite arbitrary files in the
file system, due to incorrect checks in the parsing of the option.

This issue has been assigned CVE-2018-14665


The commit
https://gitlab.freedesktop.org/xorg/xserver/commit/032b1d79b7 which
first appeared in xorg-server 1.19.0 introduced a regression in the
security checks performed for potentially dangerous options, enabling
the vulnerabilities listed above.

Overwriting /etc/shadow with -logfile can also lead to privilege
elevation since it's possible to control some part of the written log
file, for example using the -fp option to set the font search path
(which is logged) and thus inject a line that will be considered as
valid by some systems.


A patch for the issue was added to the xserver repository on
October 25, 2018.



If a patched version of the X server is not available, X.Org
recommends to remove the setuid bit (ie chmod 755) of the installed
Xorg binary.  Note that this can cause issues if people are starting
the X window system using the 'startx', 'xinit' commands or variations

X.Org recommends the use of a display manager to start X sessions,
which does not require Xorg to be installed setuid.


X.Org thanks Narendra Shinde who discovered and reported the issue,
and the Red Hat Product Security Team who helped understand all

Matthieu Herrb
Comment 12 Swamp Workflow Management 2018-10-25 19:10:08 UTC
SUSE-SU-2018:3456-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1078383,1111697
CVE References: CVE-2018-14665
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xorg-x11-server-7.4-
SUSE Linux Enterprise Server 11-SP4 (src):    xorg-x11-server-7.4-
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    xorg-x11-server-7.4-
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xorg-x11-server-7.4-
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xorg-x11-server-7.4-
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xorg-x11-server-7.4-
Comment 18 Marcus Meissner 2018-11-20 14:41:26 UTC