Opened 5 years ago

Closed 5 years ago

#11284 closed enhancement (fixed)

xorg-server-1.20.3 (CVE-2018-14665, local file overwrite)

Reported by: Douglas R. Reno
Owned by: ken@…
Priority: high
Milestone: 8.4
Component: BOOK
Version: SVN
Severity: normal
Keywords:


New point version. Security release:

X.Org security advisory: October 25, 2018

Privilege escalation and file overwrite in X.Org X server 1.19 and later

Incorrect command-line parameter validation in the Xorg X server can
lead to privilege elevation and/or arbitrary file overwrite, when the
X server is running with elevated privileges (i.e. when Xorg is
installed with the setuid bit set and started by a non-root user).

The -modulepath argument can be used to specify an insecure path to
modules that are going to be loaded in the X server, allowing
unprivileged code to be executed in the privileged process.

The -logfile argument can be used to overwrite arbitrary files in the
file system, due to incorrect checks in the parsing of the option.

This issue has been assigned CVE-2018-14665


The commit which
first appeared in xorg-server 1.19.0 introduced a regression in the
security checks performed for potentially dangerous options, enabling
the vulnerabilities listed above.

Overwriting /etc/shadow with -logfile can also lead to privilege
elevation since it's possible to control some part of the written log
file, for example using the -fp option to set the font search path
(which is logged) and thus inject a line that will be considered as
valid by some systems.


A patch for the issue was added to the xserver repository on
October 25, 2018.


If a patched version of the X server is not available, X.Org
recommends removing the setuid bit (i.e. chmod 755) of the installed
Xorg binary.  Note that this can cause issues if people are starting
the X window system using the 'startx', 'xinit' commands or variations

X.Org recommends the use of a display manager to start X sessions,
which does not require Xorg to be installed setuid.


X.Org thanks Narendra Shinde who discovered and reported the issue,
and the Red Hat Product Security Team who helped understand all

Fixes CVE-2018-14665 (local file overwrite bugs), and a trivial fix in
fbdevhw initialization. All users are advised to upgrade. Thanks to
Narendra Shinde and Thomas Hoger for the report, and Matthieu Herrb for
the fix.

Adam Jackson (1):
      xserver 1.20.3

Matthieu Herrb (2):
      Disable -logfile and -modulepath when running with elevated privileges
      LogFilePrep: add a comment to the unsafe format string.

Peter Hutterer (1):
      xfree86: fix readlink call
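
An added example, not part of the ticket or the X.Org advisory: a shell check that classifies a host from the facts stated above (regression first in 1.19.0, fix in 1.20.3, precondition is a setuid Xorg binary). The function names, the treatment of every release from 1.19.0 up to 1.20.3 as affected, and the `X.Org X Server <version>` banner parsed from `Xorg -version` are assumptions.

```shell
#!/bin/sh
# Added example (not X.Org or BLFS code): classify exposure to CVE-2018-14665.

# version_lt A B: succeed when dotted numeric version A is lower than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal versions do not count as lower
    }'
}

# installed_xorg_version CMD: extract the version from the "-version" banner.
# Assumption: the banner contains a line "X.Org X Server <version>".
installed_xorg_version() {
    "$1" -version 2>&1 |
        sed -n 's/^X\.Org X Server \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# xorg_exposure BINARY VERSION
# Prints: missing | unknown-version | not-affected | patched | not-setuid | exposed
xorg_exposure() {
    bin=$1 ver=$2
    [ -e "$bin" ] || { echo missing; return 0; }
    [ -n "$ver" ] || { echo unknown-version; return 0; }
    # The regression first appeared in xorg-server 1.19.0.
    if version_lt "$ver" 1.19.0; then echo not-affected; return 0; fi
    # 1.20.3 carries the fix (assumed: every earlier 1.19+/1.20 release is affected).
    if ! version_lt "$ver" 1.20.3; then echo patched; return 0; fi
    # Affected version: the advisory's precondition is the setuid bit.
    if [ -u "$bin" ]; then
        echo exposed        # upgrade, or apply the advisory's chmod 755 workaround
    else
        echo not-setuid     # affected code, but not started with elevated privileges
    fi
}

# Stand-alone use: sh check.sh /usr/bin/Xorg   (path supplied by the caller)
if [ "$#" -ge 1 ]; then
    xorg_exposure "$1" "$(installed_xorg_version "$1")"
fi
```

Pass the path of the binary that actually carries the setuid bit; some distributions install a wrapper in front of the server.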

Change History (4)

comment:2 by Douglas R. Reno, 5 years ago

From Twitter:


"#CVE-2018-14665 - a LPE exploit via fits in a tweet

cd /etc; Xorg -fp "root::16431:0:99999:7:::" -logfile shadow :1; su

Overwrite shadow (or any) file on most Linux, get root privileges. *BSD and any other Xorg desktop also affected."

comment:3 by ken@…, 5 years ago

Owner: changed from blfs-book to ken@…
Status: new → assigned

comment:4 by ken@…, 5 years ago

Resolution: fixed
Status: assigned → closed