Opened 17 years ago

Closed 17 years ago

#2100 closed defect (fixed)

Xorg Security Vulnerabilities

Reported by: dnicholson@…
Owned by: dnicholson@…
Priority: high
Milestone: 6.2.0
Component: BOOK
Version: SVN
Severity: major
Keywords: xorg modular security
Cc: lfs-dev@…


There are currently some fixes released by Xorg for vulnerabilities in Xorg-6.9.0 and Xorg-7.1. They are here:

The first two 6.9.0 patches are already addressed with sed commands in the book. These same problems are included in Xorg-7.1. The new setuid() problem is tricky.

It is a large patch on 6.9.0. I've created a rollup patch for 6.9.0 containing the first two patches, too. I haven't submitted them yet.

The more difficult part is 7.1 because of our book layout. Currently, you are expected to just install all the packages in series. These patches would break up the flow. Would it be enough to include the patch on the page, e.g. this patch on the lib page? This implies that we expect the user to apply the patch to the appropriate package.
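The serial-build problem the description raises (a patch that belongs to one package in the middle of a loop that installs all of them) can be handled inside the loop itself. The following POSIX shell script is an added example, not the book's instructions and not the diff attached to this ticket. It assumes a directory of tarballs, a directory of patches named `<package>-<version>-<tag>.patch` (mirroring the `*-security-1.patch` and `*-setuid-1.patch` names from comment 1), and a build command; the package names, versions, file contents and patches in the workspace it builds are constructed for the demo. It looks patches up by exact package version, checks that every file the patch touches exists in the unpacked tree before patch(1) runs, and aborts the whole series on the first failure instead of continuing with an unpatched package.

```shell
#!/bin/sh
# Added example, not from the BLFS book or the diff attached to this ticket.
# Per-package security patches applied inside a serial modular-Xorg build
# loop, failing closed.  Package names, versions, file contents and the
# patches below are constructed for the demo.
set -eu

# libXbeta-2.3.tar.bz2 -> libXbeta-2.3 (the unpacked directory name)
pkg_ver() {
    printf '%s\n' "$1" | sed -e 's/\.tar\.bz2$//' -e 's/\.tar\.gz$//' -e 's/\.tar$//'
}

# libXbeta-2.3.tar.bz2 -> libXbeta
pkg_base() {
    pkg_ver "$1" | sed 's/-[0-9][0-9.]*$//'
}

# Print patches whose name starts with the exact package version, e.g.
# patches/libXbeta-2.3-security-1.patch.  Matching on version as well as
# name keeps a patch made against one release off another release.
find_patches() {   # $1 = tarball name, $2 = patch directory
    for p in "$2"/"$(pkg_ver "$1")"-*.patch; do
        [ -e "$p" ] && printf '%s\n' "$p"
    done
    return 0
}

# Check before patch(1) runs: every '+++ ' target in the diff, with its
# leading path component dropped (-p1), must exist in the unpacked tree.
# A patch whose targets are missing belongs to some other package or
# release and must stop the build rather than be skipped.
check_patch_targets() {   # $1 = patch file, $2 = unpacked source dir
    awk '/^[+][+][+] /{print $2}' "$1" | sed 's|^[^/]*/||' |
    while IFS= read -r f; do
        [ -f "$2/$f" ] || { echo "missing target $f for $1" >&2; exit 1; }
    done
}

# Unpack each tarball, apply its patches, run the build command, clean up.
# Every step is guarded explicitly so the series stops at the first error
# even if the caller runs this without errexit.
build_series() {   # $1 = tarball dir, $2 = patch dir, $3 = build command
    patchdir=$(cd "$2" && pwd)          # patch -d changes directory, so use absolute paths
    for tarball in "$1"/*.tar*; do
        name=$(basename "$tarball")
        dir=$(pkg_ver "$name")
        rm -rf "$dir"
        tar -xf "$tarball" || return 1
        # Warn about patches that name this package at another version.
        for p in "$patchdir"/"$(pkg_base "$name")"-[0-9]*.patch; do
            [ -e "$p" ] || continue
            case $(basename "$p") in
                "$dir"-*) ;;
                *) echo "warning: $p is for another release of $(pkg_base "$name")" >&2 ;;
            esac
        done
        find_patches "$name" "$patchdir" | while IFS= read -r p; do
            check_patch_targets "$p" "$dir" || exit 1
            patch -Np1 -d "$dir" -i "$p" >/dev/null || exit 1
            printf 'applied %s to %s\n' "$(basename "$p")" "$dir"
        done || return 1
        "$3" "$dir" || return 1
        rm -rf "$dir"
    done
}

# --- constructed workspace (hypothetical packages and patches) -------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/tarballs" "$WORK/patches"
for d in libXalpha-1.0.1 libXbeta-2.3 xterm-215; do
    base=$(pkg_base "$d")
    mkdir -p "$WORK/src/$d"
    printf 'int %s_fix = 0;\n' "$base" > "$WORK/src/$d/$base.c"
    ( cd "$WORK/src" && tar -cf "$WORK/tarballs/$d.tar" "$d" )
done
cat > "$WORK/patches/libXbeta-2.3-security-1.patch" <<'EOF'
--- libXbeta-2.3.orig/libXbeta.c
+++ libXbeta-2.3/libXbeta.c
@@ -1 +1 @@
-int libXbeta_fix = 0;
+int libXbeta_fix = 1;
EOF
cat > "$WORK/patches/xterm-215-setuid-1.patch" <<'EOF'
--- xterm-215.orig/xterm.c
+++ xterm-215/xterm.c
@@ -1 +1 @@
-int xterm_fix = 0;
+int xterm_fix = 1;
EOF

# Stand-in for ./configure && make && make install: show whether the fix
# landed.  The full run needs GNU patch; the lookup and target checks do not.
demo_build() { printf 'build %s: %s\n' "$1" "$(cat "$1"/*.c)"; }
if command -v patch >/dev/null 2>&1; then
    ( cd "$WORK" && build_series "$WORK/tarballs" "$WORK/patches" demo_build )
fi
```

The `check_patch_targets` step is what answers the "apply the patch to the appropriate package" concern: a patch listed on the wrong page, or carried over unchanged to a new package release, fails the target check and halts the series instead of being applied somewhere it does not belong.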

Attachments (1)

xorg-7.1-security.diff (5.1 KB ) - added by dnicholson@… 17 years ago.
Patches for modular xorg-7.1


Change History (12)

comment:1 by dnicholson@…, 17 years ago

Owner: changed from blfs-book@… to dnicholson@…
Status: new → assigned

I submitted the patches. They are the *-setuid-1.patch and *-security-1.patch patches here:

comment:2 by dnicholson@…, 17 years ago

Xorg-6.9.0 is fixed in r6280. Now the trickier one is 7.1. I'll attach my first attempt now. It doesn't look really good, but I couldn't think of anything better. Suggestions welcome.

by dnicholson@…, 17 years ago

Attachment: xorg-7.1-security.diff added

Patches for modular xorg-7.1

comment:3 by dnicholson@…, 17 years ago

No one has commented. Fixes going in.

comment:4 by dnicholson@…, 17 years ago

Resolution: fixed
Status: assigned → closed

Fixed in r6281.

comment:5 by dnicholson@…, 17 years ago

Resolution: fixed
Status: closed → reopened

Reopening. There are also some fixes that were made to xterm. Unfortunately, they are in versions 214 and 215 which aren't in the book.

I would prefer to just upgrade to xterm-215 at least, or the most current 218. The development of xterm is decoupled from Xorg-7.x. I know the decision was that the modular package versions should stay set between Xorg versions. However, things like xterm and libdrm are developed outside of the Xorg tree and are unlikely to be affected by Xorg development.

However, I'll create a backport patch if people prefer not to go this way. Here's the CHANGELOG for xterm, FWIW. The relevant setgid/setuid changes are in Patches 214 and 215.

comment:6 by Randy McMurchy, 17 years ago

Keeping xterm and libdrm up to current revs is probably the right thing to do because they've been decoupled. However, Xterm should probably be moved to "General Utilities" and libdrm should probably be moved to "General Libraries" or "Graphics Libraries" (whichever is the better fit).

This has been discussed and I believe the general consensus was to move them out of the Xorg section and into the appropriate sections.

If this bug needs to be closed because it is fixed except for moving the two packages, please open a new bug about moving them.

comment:7 by dnicholson@…, 17 years ago

Actually, the opposite happened. Xterm was in system utilities, I think. And libdrm was in X Libraries, I think. It was decided that they should be moved under the Xorg-7 version because they're otherwise shipped with Xorg-6 and XFree86. Same goes for MesaLib and rman.

I think they should be moved back to the more general locations like you say. Then the four of them would need notes saying they aren't needed if you installed Xorg-6 or XFree86. There's also the issue of the unmaintained Luit in the Xorg tree vs. Tom Dickey's Luit that Alexander brought up, but that can be dealt with later.

If you think moving them out of the Xorg-7 chapter with notes is the right way to go, I'll create new tickets for that and close this one.

comment:8 by Randy McMurchy, 17 years ago

As far as the difference between "General Utilities" and "System Utilities", I believe (personal opinion) that "System Utilities" should pertain to managing, discovering or manipulating system hardware, or managing system events. Everything else should probably be in "General Utilities". Hence, I believe packages such as Pkgconfig and Ant are in the wrong area. It is a fine gray line however.

I cannot really provide good guidance on the other packages as I have never looked at, nor installed Xorg7. But Xterm is one that probably should be moved.

I believe a new ticket should be initiated, and perhaps one more discussion (though recently only Randy, Bruce and Dan really contribute to any discussions pertaining to book changes any more) on -dev should be started.

However, I can go any way with this. If you just want to make a 'command decision' and run with it, Dan, feel free. :-)

comment:9 by dnicholson@…, 17 years ago

Cc: lfs-dev@… added
Keywords: xorg modular security added

General vs. System Utilities isn't a big deal to me. General sounds OK to me.

As you say, me, you and Bruce are really the only ones active right now. But, since DJ has put 90% of the effort into Xorg-7, I'm gonna give it the rest of the day to see if he wants to weigh in. CCing his non-LFS address.

I'll probably start working on the changes locally until DJ, Bruce, and/or anyone else states their opinion.

comment:10 by dnicholson@…, 17 years ago

OK. No word from DJ. I'm gonna start moving xterm to general utilities, MesaLib to X libraries, libdrm to general libraries, and rman to general utilities. I'll open a new bug for the movement. I'll close this bug when xterm is updated.

comment:11 by dnicholson@…, 17 years ago

Resolution: fixed
Status: reopened → closed

Updated to xterm-218 that contains the fix for the setuid() vulnerability. Fixed in r6291.
