Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2018-14665: xorg-x11-server: Arbitrary File Overwrite Vulnerability | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Andreas Stieger <astieger> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Major | | |
| Priority: | P3 - Medium | CC: | bfilho, brad.bendily, meissner, smash_bz |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| URL: | https://smash.suse.de/issue/216593/ | | |
| Whiteboard: | CVSSv3:SUSE:CVE-2018-14665:8.4:(AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv3:RedHat:CVE-2018-14665:6.6:(AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) maint:released:sle10-sp3:64153 | | |
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Comment 2
Andreas Stieger
2018-10-12 17:21:08 UTC
CRD: 2018-10-18 14:00UTC

Date: Sat, 13 Oct 2018 11:51:38 +0200
From: Matthieu Herrb <matthieu@herrb.eu>
To: xorg-security@lists.x.org
Subject: [security-team] [PATCH xserver] Disable -logfile when running with elevated privileges.
X-Mailer: git-send-email 2.19.0

An unprivileged user was able to overwrite arbitrary files in directories in which it is able to chdir, potentially leading to privilege elevation.

CVE-2018-14665

Issue reported by Narendra Shinde

Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
---
 hw/xfree86/common/xf86Init.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/hw/xfree86/common/xf86Init.c b/hw/xfree86/common/xf86Init.c
index 6c25eda73..a3fb06dc6 100644
--- a/hw/xfree86/common/xf86Init.c
+++ b/hw/xfree86/common/xf86Init.c
@@ -942,7 +942,9 @@ ddxProcessArgument(int argc, char **argv, int i) } if (!strcmp(argv[i], "-logfile")) { CHECK_FOR_REQUIRED_ARGUMENT(); - xf86CheckPrivs(argv[i], argv[i + 1]); + if (xf86PrivsElevated()) + FatalError("\nInvalid argument -logfile " + "with elevated privileges\n"); xf86LogFile = argv[i + 1]; xf86LogFileFrom = X_CMDLINE; return 2;
--
2.19.0

Ok. I plan to patch
sle10-sp3-x86_64 (LTS/Teradata)
SUSE:SLE-11-SP1:Update (LTS/Teradata)
SUSE:SLE-11-SP3:Update (still supported)
Hope this makes sense.

sle10-sp3-x86_64 --> SR #174689
SUSE:SLE-11-SP1:Update --> SR #174688
SUSE:SLE-11-SP3:Update --> SR #174687

done -> reassigning to security team

An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2018-10-23. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64152

embargo date was changed to include the other bug
CRD: 2018-10-25

public now

X.Org security advisory: October 25, 2018

Privilege escalation and file overwrite in X.Org X server 1.19 and later
========================================================================

Incorrect command-line parameter validation in the Xorg X server can lead to privilege elevation and/or arbitrary file overwrite when the X server is running with elevated privileges (ie when Xorg is installed with the setuid bit set and started by a non-root user).

The -modulepath argument can be used to specify an insecure path to modules that are going to be loaded in the X server, allowing unprivileged code to be executed in the privileged process.

The -logfile argument can be used to overwrite arbitrary files in the file system, due to incorrect checks in the parsing of the option.
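Review bot: the guard is added only to the `-logfile` branch of ddxProcessArgument(), yet the advisory quoted in this bug names `-modulepath` as a second option that lets an insecure module path reach the privileged process; the same `if (xf86PrivsElevated()) FatalError(...)` check belongs in the `-modulepath` branch too, otherwise this patch (whose subject line scopes it to -logfile) closes only part of CVE-2018-14665. Replacing the `xf86CheckPrivs(argv[i], argv[i + 1])` call with an outright refusal is the right shape, since the Background section notes that the privilege checks regressed in 1.19.0 and rejecting the option when setuid avoids reasoning about which paths are safe; a one-line comment naming the CVE above the new FatalError() would tell future readers why the option is rejected rather than validated.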
This issue has been assigned CVE-2018-14665

Background
==========

The commit https://gitlab.freedesktop.org/xorg/xserver/commit/032b1d79b7 which first appeared in xorg-server 1.19.0 introduced a regression in the security checks performed for potentially dangerous options, enabling the vulnerabilities listed above.

Overwriting /etc/shadow with -logfile can also lead to privilege elevation since it's possible to control some part of the written log file, for example using the -fp option to set the font search path (which is logged) and thus inject a line that will be considered as valid by some systems.

Patches
=======

A patch for the issue was added to the xserver repository on October 25, 2018.

https://gitlab.freedesktop.org/xorg/xserver/commit/50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e

Workaround
==========

If a patched version of the X server is not available, X.Org recommends removing the setuid bit (ie chmod 755) from the installed Xorg binary. Note that this can cause issues if people are starting the X window system using the 'startx', 'xinit' commands or variations thereof. X.Org recommends the use of a display manager to start X sessions, which does not require Xorg to be installed setuid.

Thanks
======

X.Org thanks Narendra Shinde who discovered and reported the issue, and the Red Hat Product Security Team who helped understand all impacts.

--
Matthieu Herrb

SUSE-SU-2018:3456-1: An update that solves one vulnerability and has one errata is now available.
Category: security (important)
Bug References: 1078383,1111697
CVE References: CVE-2018-14665
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): xorg-x11-server-7.4-27.122.21.1
SUSE Linux Enterprise Server 11-SP4 (src): xorg-x11-server-7.4-27.122.21.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src): xorg-x11-server-7.4-27.122.21.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): xorg-x11-server-7.4-27.122.21.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): xorg-x11-server-7.4-27.122.21.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): xorg-x11-server-7.4-27.122.21.1

released
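The advisory's workaround boils down to checking whether the installed Xorg binary is setuid and, where no fixed package exists, dropping that bit. As an added example (not from the X.Org advisory, the xserver project or the SUSE update), this POSIX shell script audits a binary for the setuid bit and can apply the recommended chmod 755; the function names, XORG_BIN and the APPLY switch are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not X.Org or SUSE code: audit an installed Xorg binary for the
# setuid bit the advisory's workaround says to drop when no fixed package exists.
# Assumes POSIX sh with GNU or BSD stat; XORG_BIN and APPLY are this example's own.

# Octal mode (e.g. 4755) and numeric owner of a file; GNU stat first, BSD fallback.
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%OMp%OLp' "$1"; }
file_owner() { stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"; }

# Classify a binary: prints "setuid-root", "setuid" or "ok".
# Exit 0 when the setuid bit is set (action needed), 1 when clean, 2 if unreadable.
xorg_setuid_status() {
    mode=$(file_mode "$1") || return 2
    owner=$(file_owner "$1") || return 2
    # In a four-digit octal mode the leading digit carries setuid as its 4 bit,
    # so 4xxx, 5xxx, 6xxx and 7xxx are all setuid; a three-digit mode never is.
    case "$mode" in
        4???|5???|6???|7???)
            if [ "$owner" -eq 0 ]; then echo "setuid-root"; else echo "setuid"; fi
            return 0 ;;
        *)
            echo "ok"
            return 1 ;;
    esac
}

# The advisory's workaround (chmod 755), applied only when the bit is actually
# set and only when APPLY=1; otherwise just report. Keep the advisory's caveat
# in mind: startx/xinit users need a display manager once the bit is gone.
drop_setuid() {
    xorg_setuid_status "$1" >/dev/null || return 0
    if [ "${APPLY:-0}" = 1 ]; then
        chmod 755 "$1"
    else
        echo "would run: chmod 755 $1"
    fi
}

XORG_BIN=${XORG_BIN:-$(command -v Xorg 2>/dev/null || echo /usr/bin/Xorg)}
if [ -e "$XORG_BIN" ]; then
    echo "$XORG_BIN: $(xorg_setuid_status "$XORG_BIN")"
    drop_setuid "$XORG_BIN"
fi
```

Run it as root with APPLY=1 only after confirming sessions are started by a display manager rather than startx or xinit.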