Bug 1111697 - (CVE-2018-14665) VUL-0: CVE-2018-14665: xorg-x11-server: Arbitrary File Overwrite Vulnerability
(CVE-2018-14665)
VUL-0: CVE-2018-14665: xorg-x11-server: Arbitrary File Overwrite Vulnerability
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Major
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/216593/
CVSSv3:SUSE:CVE-2018-14665:8.4:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-10-12 17:13 UTC by Andreas Stieger
Modified: 2018-11-20 14:41 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 2 Andreas Stieger 2018-10-12 17:21:08 UTC
The setuid bit removed in SLE/openSUSE packages via bug 632737 in 2010.
SLE 12 and up, Leap 42.x and Leap 15.0 do not have the setuid bit set.
SLE 11 has the setuid bit set.
Comment 3 Marcus Meissner 2018-10-13 14:07:24 UTC
CRD: 2018-10-18 14:00UTC

Date: Sat, 13 Oct 2018 11:51:38 +0200                                                                                                                                                        
From: Matthieu Herrb <matthieu@herrb.eu>                                                                                                                                                     
To: xorg-security@lists.x.org                                                                                                                                                                
Subject: [security-team] [PATCH xserver] Disable -logfile when running with elevated privileges.                                                                                             
X-Mailer: git-send-email 2.19.0                                                                                                                                                              
                                                                                                                                                                                             
An unprivileged was able to overwrite arbitrary files                                                                                                                                        
in directories in which it is able to chdir, potentially                                                                                                                                     
leading to privilege elevation.                                                                                                                                                              
                                                                                                                                                                                             
CVE-2018-14665                                                                                                                                                                               
                                                                                                                                                                                             
Issue reported by Narendra Shinde                                                                                                                                                            
                                                                                                                                                                                             
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>                                                                                                                                            
---                                                                                                                                                                                          
 hw/xfree86/common/xf86Init.c | 4 +++-                                                                                                                                                       
 1 file changed, 3 insertions(+), 1 deletion(-)                                                                                                                                              
                                                                                                                                                                                             
diff --git a/hw/xfree86/common/xf86Init.c b/hw/xfree86/common/xf86Init.c                                                                                                                     
index 6c25eda73..a3fb06dc6 100644                                                                                                                                                            
--- a/hw/xfree86/common/xf86Init.c                                                                                                                                                           
+++ b/hw/xfree86/common/xf86Init.c                                                                                                                                                           
@@ -942,7 +942,9 @@ ddxProcessArgument(int argc, char **argv, int i)                                                                                                                         
     }                                                                                                                                                                                       
     if (!strcmp(argv[i], "-logfile")) {                                                                                                                                                     
         CHECK_FOR_REQUIRED_ARGUMENT();                                                                                                                                                      
-        xf86CheckPrivs(argv[i], argv[i + 1]);                                                                                                                                               
+        if (xf86PrivsElevated())                                                                                                                                                            
+              FatalError("\nInvalid argument -logfile "                                                                                                                                     
+                "with elevated privileges\n");                                                                                                                                              
         xf86LogFile = argv[i + 1];                                                                                                                                                          
         xf86LogFileFrom = X_CMDLINE;                                                                                                                                                        
         return 2;                                                                                                                                                                           
--                                                                                                                                                                                           
2.19.0
Comment 4 Stefan Dirsch 2018-10-15 09:53:07 UTC
Ok. I plan to patch

sle10-sp3-x86_64 (LTS/Teradata)
SUSE:SLE-11-SP1:Update (LTS/Teradata)
SUSE:SLE-11-SP3:Update (still supported)

Hope this makes sense.
Comment 5 Stefan Dirsch 2018-10-15 12:38:55 UTC
sle10-sp3-x86_64 --> SR #174689
SUSE:SLE-11-SP1:Update --> SR #174688
SUSE:SLE-11-SP3:Update --> SR #174687

done -> reassigning to security team
Comment 7 Swamp Workflow Management 2018-10-16 12:11:14 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2018-10-23.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64152
Comment 9 Marcus Meissner 2018-10-17 05:37:31 UTC
embargo date was changed to include the other bug

CRD: 2018-10-25
Comment 11 Marcus Meissner 2018-10-25 14:40:43 UTC
public now

X.Org security advisory: October 25, 2018

Privilege escalation and file overwrite in X.Org X server 1.19 and later
========================================================================

Incorrect command-line parameter validation in the Xorg X server can
lead to privilege elevation and/or arbitrary files overwrite, when the
X server is running with elevated privileges (ie when Xorg is
installed with the setuid bit set and started by a non-root user).

The -modulepath argument can be used to specify an insecure path to
modules that are going to be loaded in the X server, allowing to
execute unprivileged code in the privileged process.

The -logfile argument can be used to overwrite arbitrary files in the
file system, due to incorrect checks in the parsing of the option.

This issue has been assigned CVE-2018-14665

Background
==========

The commit
https://gitlab.freedesktop.org/xorg/xserver/commit/032b1d79b7 which
first appeared in xorg-server 1.19.0 introduced a regression in the
security checks performed for potentially dangerous options, enabling
the vulnerabilities listed above.

Overwriting /etc/shadow with -logfile can also lead to privilege
elevation since it's possible to control some part of the written log
file, for example using the -fp option to set the font search path
(which is logged) and thus inject a line that will be considered as
valid by some systems.

Patches
=======

A patch for the issue was added to the xserver repository on
October 25, 2018.

https://gitlab.freedesktop.org/xorg/xserver/commit/50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e

Workaround
==========

If a patched version of the X server is not available, X.Org
recommends to remove the setuid bit (ie chmod 755) of the installed
Xorg binary.  Note that this can cause issues if people are starting
the X window system using the 'startx', 'xinit' commands or variations
thereof.

X.Org recommends the use of a display manager to start X sessions,
which does not require Xorg to be installed setuid.

Thanks
======

X.Org thanks Narendra Shinde who discovered and reported the issue,
and the Red Hat Product Security Team who helped understand all
impacts.

-- 
Matthieu Herrb
Comment 12 Swamp Workflow Management 2018-10-25 19:10:08 UTC
SUSE-SU-2018:3456-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1078383,1111697
CVE References: CVE-2018-14665
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xorg-x11-server-7.4-27.122.21.1
SUSE Linux Enterprise Server 11-SP4 (src):    xorg-x11-server-7.4-27.122.21.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    xorg-x11-server-7.4-27.122.21.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xorg-x11-server-7.4-27.122.21.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xorg-x11-server-7.4-27.122.21.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xorg-x11-server-7.4-27.122.21.1
Comment 18 Marcus Meissner 2018-11-20 14:41:26 UTC
released