Bug 934102 (CVE-2015-3164)

Summary: VUL-0: CVE-2015-3164: wayland: Unauthorised local client access
Product: [Novell Products] SUSE Security Incidents Reporter: Andreas Stieger <astieger>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: duwe, eich, msrb
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: openSUSE 13.2   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Andreas Stieger 2015-06-09 13:24:27 UTC
X.Org/Wayland Security Advisory: June 9th, 2015 - CVE-2015-3164
Unauthorised local client access in XWayland
============================================

Description:
============

Ray Strode, a developer at Red Hat, discovered an authentication setup
issue inside the XWayland compatibility server, used to host X11 clients
inside a Wayland compositor's session. XWayland is used by Weston and
Mutter / GNOME Shell's Wayland mode.

Due to an omission in authentication setup, the XWayland server would
start up in non-authenticating mode, meaning that any client with access
to the server's UNIX socket was able to connect to the server and use it
as a regular client. No Wayland compositor was known to start XWayland
with TCP access open, so remote exploitation is not considered possible.

On many systems, all local users would have full access to the XWayland
server, allowing untrusted users to capture contents of, and input
destined for, other X11 clients.

This permission bypass does not extend to native Wayland clients:
XWayland is not given access to the buffers of any Wayland clients in
the host session, nor is any input sent to XWayland unless an X11
client was active at that time.

The resolution was to restrict XWayland connections to the same UID as
the server itself, matching Wayland's default permissions.

This vulnerability has been assigned CVE-2015-3164.


Affected versions:
==================

The separate XWayland DDX was introduced with version 1.16 of the X.Org
Server release, and this vulnerability has been present in all versions
since. Versions prior to these releases used a separate 'xwayland'
module within the Xorg DDX, which is unaffected by this vulnerability.

All Weston versions since 1.5.0 use the new Xwayland server, as well as
all released Wayland versions of Mutter / GNOME Shell.


Fixes:
======

Fixes are available in the patches for these X server git commits:
c4534a38b68aa07fb82318040dc8154fb48a9588
4b4b9086d02b80549981d205fb1f495edc373538
76636ac12f2d1dbdf7be08222f80e7505d53c451

Which are now available from:
git://anongit.freedesktop.org/git/xorg/xserver
http://cgit.freedesktop.org/xorg/xserver/

Fixes will also be included in the 1.18 series and its release candidates,
as well as the 1.17.2 stable release.

Thanks:
=======

X.Org and the Wayland community thank Ray Strode of Red Hat for reporting
these issues to our security team and developing the fixes.




http://cgit.freedesktop.org/xorg/xserver/commit/?id=c4534a38b68aa07fb82318040dc8154fb48a9588
http://cgit.freedesktop.org/xorg/xserver/commit/?id=4b4b9086d02b80549981d205fb1f495edc373538
http://cgit.freedesktop.org/xorg/xserver/commit/?id=76636ac12f2d1dbdf7be08222f80e7505d53c451


Note... http://seclists.org/oss-sec/2015/q2/359
> Please REJECT CVE-2015-3168, I failed to notice that CVE-2015-3164 was
> already assigned for the issue.
Comment 1 Swamp Workflow Management 2015-06-09 22:00:51 UTC
bugbot adjusting priority
Comment 2 Andreas Stieger 2015-06-10 15:36:40 UTC
Public at http://lists.x.org/archives/xorg-announce/2015-June/002611.html
Comment 4 Andreas Stieger 2015-06-12 10:42:26 UTC
XWayland is shipped in openSUSE 13.2 and Tumbleweed.
Comment 5 Stefan Dirsch 2015-06-12 12:37:39 UTC
Yes, I know. We need to patch our Xserver in openSUSE 13.2 and factory.
Comment 6 Michal Srb 2015-06-12 12:55:01 UTC
Submitted to Factory:
https://build.opensuse.org/request/show/311800

And OpenSUSE 13.2:
https://build.opensuse.org/request/show/311803
Comment 7 Swamp Workflow Management 2015-06-22 12:06:33 UTC
openSUSE-SU-2015:1095-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 934102
CVE References: CVE-2015-3164
Sources used:
openSUSE 13.2 (src):    xorg-x11-server-7.6_1.16.1-19.1
Comment 8 Andreas Stieger 2015-06-22 12:13:20 UTC
released, closing