Opened 6 years ago
Closed 6 years ago
#11284 closed enhancement (fixed)
xorg-server-1.20.3 (CVE-2018-14665, local file overwrite)
| Reported by: | Douglas R. Reno | Owned by: | |
|---|---|---|---|
| Priority: | high | Milestone: | 8.4 |
| Component: | BOOK | Version: | SVN |
| Severity: | normal | Keywords: | |
| Cc: |
Description ¶
New point version. Security release:
X.Org security advisory: October 25, 2018 Privilege escalation and file overwrite in X.Org X server 1.19 and later ======================================================================== Incorrect command-line parameter validation in the Xorg X server can lead to privilege elevation and/or arbitrary files overwrite, when the X server is running with elevated privileges (ie when Xorg is installed with the setuid bit set and started by a non-root user). The -modulepath argument can be used to specify an insecure path to modules that are going to be loaded in the X server, allowing to execute unprivileged code in the privileged process. The -logfile argument can be used to overwrite arbitrary files in the file system, due to incorrect checks in the parsing of the option. This issue has been assigned CVE-2018-14665 Background ========== The commit https://gitlab.freedesktop.org/xorg/xserver/commit/032b1d79b7 which first appeared in xorg-server 1.19.0 introduced a regression in the security checks performed for potentially dangerous options, enabling the vulnerabilities listed above. Overwriting /etc/shadow with -logfile can also lead to privilege elevation since it's possible to control some part of the written log file, for example using the -fp option to set the font search path (which is logged) and thus inject a line that will be considered as valid by some systems. Patches ======= A patch for the issue was added to the xserver repository on October 25, 2018. https://gitlab.freedesktop.org/xorg/xserver/commit/50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e Workaround ========== If a patched version of the X server is not available, X.Org recommends to remove the setuid bit (ie chmod 755) of the installed Xorg binary. Note that this can cause issues if people are starting the X window system using the 'startx', 'xinit' commands or variations thereof. X.Org recommends the use of a display manager to start X sessions, which does not require Xorg to be installed setuid. Thanks ====== X.Org thanks Narendra Shinde who discovered and reported the issue, and the Red Hat Product Security Team who helped understand all impacts.
Fixes CVE-2018-14665 (local file overwrite bugs), and a trivial fix in
fbdevhw initialization. All users are advised to upgrade. Thanks to
Narendra Shinde and Thomas Hoger for the report, and Matthieu Herrb for
the fix.
Adam Jackson (1):
xserver 1.20.3
Matthieu Herrb (2):
Disable -logfile and -modulepath when running with elevated privileges
LogFilePrep: add a comment to the unsafe format string.
Peter Hutterer (1):
xfree86: fix readlink call
Change History (4)
comment:1 by , 6 years ago
comment:2 by , 6 years ago
From Twitter:
"@hackerfantastic
#CVE-2018-14665 - a LPE exploit via X.org fits in a tweet
cd /etc; Xorg -fp "root::16431:0:99999:7:::" -logfile shadow :1; su
Overwrite shadow (or any) file on most Linux, get root privileges. *BSD and any other Xorg desktop also affected."
comment:3 by , 6 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
Note:
See TracTickets
for help on using tickets.
Guys, we should probably patch this sooner rather than later.
https://www.bleepingcomputer.com/news/security/trivial-bug-in-xorg-gives-root-permission-on-linux-and-bsd-systems/ https://it.slashdot.org/story/18/10/26/2112214/trivial-bug-in-xorg-server-gives-root-permissions-on-linux-bsd-systems
It's getting media attention.