[PATCH] xserver-xorg: fix for CVE-2018-14665

[PATCH] xserver-xorg: fix for CVE-2018-14665

[changqing.li]

From: Changqing Li <changqing.li@windriver.com>

Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
 .../xorg-xserver/xserver-xorg/CVE-2018-14665.patch | 56 ++++++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2018-14665.patch

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2018-14665.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2018-14665.patch
new file mode 100644
index 0000000..5dd6fe0
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2018-14665.patch
@@ -0,0 +1,56 @@
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/
+commit/50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e]
+
+CVE: CVE-2018-14665
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+
+From 50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 23 Oct 2018 21:29:08 +0200
+Subject: [PATCH] Disable -logfile and -modulepath when running with elevated
+ privileges
+
+Could cause privilege elevation and/or arbitrary files overwrite, when
+the X server is running with elevated privileges (ie when Xorg is
+installed with the setuid bit set and started by a non-root user).
+
+CVE-2018-14665
+
+Issue reported by Narendra Shinde and Red Hat.
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+---
+ hw/xfree86/common/xf86Init.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/hw/xfree86/common/xf86Init.c b/hw/xfree86/common/xf86Init.c
+index 6c25eda73..0f57efa86 100644
+--- a/hw/xfree86/common/xf86Init.c
++++ b/hw/xfree86/common/xf86Init.c
+@@ -935,14 +935,18 @@ ddxProcessArgument(int argc, char **argv, int i)
+     /* First the options that are not allowed with elevated privileges */
+     if (!strcmp(argv[i], "-modulepath")) {
+         CHECK_FOR_REQUIRED_ARGUMENT();
+-        xf86CheckPrivs(argv[i], argv[i + 1]);
++        if (xf86PrivsElevated())
++              FatalError("\nInvalid argument -modulepath "
++                "with elevated privileges\n");
+         xf86ModulePath = argv[i + 1];
+         xf86ModPathFrom = X_CMDLINE;
+         return 2;
+     }
+     if (!strcmp(argv[i], "-logfile")) {
+         CHECK_FOR_REQUIRED_ARGUMENT();
+-        xf86CheckPrivs(argv[i], argv[i + 1]);
++        if (xf86PrivsElevated())
++              FatalError("\nInvalid argument -logfile "
++                "with elevated privileges\n");
+         xf86LogFile = argv[i + 1];
+         xf86LogFileFrom = X_CMDLINE;
+         return 2;
+-- 
+2.18.1
-- 
2.7.4

✗ patchtest: failure for xserver-xorg: fix for CVE-2018-14665

[Patchwork]

== Series Details ==

Series: xserver-xorg: fix for CVE-2018-14665
Revision: 1
URL   : https://patchwork.openembedded.org/series/14767/
State : failure

== Summary ==


Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:



* Issue             Series does not apply on top of target branch [test_series_merge_on_head] 
  Suggested fix    Rebase your series on top of targeted branch
  Targeted branch  master (currently at 14b5854d50)

* Patch            xserver-xorg: fix for CVE-2018-14665
 Issue             Missing or incorrectly formatted CVE tag in included patch file [test_cve_tag_format] 
  Suggested fix    Correct or include the CVE tag on cve patch with format: "CVE: CVE-YYYY-XXXX"



If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe

Re: [PATCH] xserver-xorg: fix for CVE-2018-14665

[Changqing Li]

Please ignore this patch, I just noticed it is fixed in master.

On 11/2/18 2:09 PM, changqing.li@windriver.com wrote:
> From: Changqing Li <changqing.li@windriver.com>
>
> Signed-off-by: Changqing Li <changqing.li@windriver.com>
> ---
>   .../xorg-xserver/xserver-xorg/CVE-2018-14665.patch | 56 ++++++++++++++++++++++
>   1 file changed, 56 insertions(+)
>   create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2018-14665.patch
>
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2018-14665.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2018-14665.patch
> new file mode 100644
> index 0000000..5dd6fe0
> --- /dev/null
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2018-14665.patch
> @@ -0,0 +1,56 @@
> +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/
> +commit/50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e]
> +
> +CVE: CVE-2018-14665
> +
> +Signed-off-by: Changqing Li <changqing.li@windriver.com>
> +
> +From 50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e Mon Sep 17 00:00:00 2001
> +From: Matthieu Herrb <matthieu@herrb.eu>
> +Date: Tue, 23 Oct 2018 21:29:08 +0200
> +Subject: [PATCH] Disable -logfile and -modulepath when running with elevated
> + privileges
> +
> +Could cause privilege elevation and/or arbitrary files overwrite, when
> +the X server is running with elevated privileges (ie when Xorg is
> +installed with the setuid bit set and started by a non-root user).
> +
> +CVE-2018-14665
> +
> +Issue reported by Narendra Shinde and Red Hat.
> +
> +Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
> +Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
> +Reviewed-by: Adam Jackson <ajax@redhat.com>
> +---
> + hw/xfree86/common/xf86Init.c | 8 ++++++--
> + 1 file changed, 6 insertions(+), 2 deletions(-)
> +
> +diff --git a/hw/xfree86/common/xf86Init.c b/hw/xfree86/common/xf86Init.c
> +index 6c25eda73..0f57efa86 100644
> +--- a/hw/xfree86/common/xf86Init.c
> ++++ b/hw/xfree86/common/xf86Init.c
> +@@ -935,14 +935,18 @@ ddxProcessArgument(int argc, char **argv, int i)
> +     /* First the options that are not allowed with elevated privileges */
> +     if (!strcmp(argv[i], "-modulepath")) {
> +         CHECK_FOR_REQUIRED_ARGUMENT();
> +-        xf86CheckPrivs(argv[i], argv[i + 1]);
> ++        if (xf86PrivsElevated())
> ++              FatalError("\nInvalid argument -modulepath "
> ++                "with elevated privileges\n");
> +         xf86ModulePath = argv[i + 1];
> +         xf86ModPathFrom = X_CMDLINE;
> +         return 2;
> +     }
> +     if (!strcmp(argv[i], "-logfile")) {
> +         CHECK_FOR_REQUIRED_ARGUMENT();
> +-        xf86CheckPrivs(argv[i], argv[i + 1]);
> ++        if (xf86PrivsElevated())
> ++              FatalError("\nInvalid argument -logfile "
> ++                "with elevated privileges\n");
> +         xf86LogFile = argv[i + 1];
> +         xf86LogFileFrom = X_CMDLINE;
> +         return 2;
> +--
> +2.18.1

-- 
BRs

Sandy(Li Changqing)

Re: [PATCH] xserver-xorg: fix for CVE-2018-14665

[akuster808]

On 11/1/18 11:09 PM, changqing.li@windriver.com wrote:
> From: Changqing Li <changqing.li@windriver.com>
>
> Signed-off-by: Changqing Li <changqing.li@windriver.com>

This should be in the update sitting in master-next. its good for Thud
or we update thud to the later version

- armin

> ---
>  .../xorg-xserver/xserver-xorg/CVE-2018-14665.patch | 56 ++++++++++++++++++++++
>  1 file changed, 56 insertions(+)
>  create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2018-14665.patch
>
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2018-14665.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2018-14665.patch
> new file mode 100644
> index 0000000..5dd6fe0
> --- /dev/null
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2018-14665.patch
> @@ -0,0 +1,56 @@
> +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/
> +commit/50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e]
> +
> +CVE: CVE-2018-14665
> +
> +Signed-off-by: Changqing Li <changqing.li@windriver.com>
> +
> +From 50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e Mon Sep 17 00:00:00 2001
> +From: Matthieu Herrb <matthieu@herrb.eu>
> +Date: Tue, 23 Oct 2018 21:29:08 +0200
> +Subject: [PATCH] Disable -logfile and -modulepath when running with elevated
> + privileges
> +
> +Could cause privilege elevation and/or arbitrary files overwrite, when
> +the X server is running with elevated privileges (ie when Xorg is
> +installed with the setuid bit set and started by a non-root user).
> +
> +CVE-2018-14665
> +
> +Issue reported by Narendra Shinde and Red Hat.
> +
> +Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
> +Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
> +Reviewed-by: Adam Jackson <ajax@redhat.com>
> +---
> + hw/xfree86/common/xf86Init.c | 8 ++++++--
> + 1 file changed, 6 insertions(+), 2 deletions(-)
> +
> +diff --git a/hw/xfree86/common/xf86Init.c b/hw/xfree86/common/xf86Init.c
> +index 6c25eda73..0f57efa86 100644
> +--- a/hw/xfree86/common/xf86Init.c
> ++++ b/hw/xfree86/common/xf86Init.c
> +@@ -935,14 +935,18 @@ ddxProcessArgument(int argc, char **argv, int i)
> +     /* First the options that are not allowed with elevated privileges */
> +     if (!strcmp(argv[i], "-modulepath")) {
> +         CHECK_FOR_REQUIRED_ARGUMENT();
> +-        xf86CheckPrivs(argv[i], argv[i + 1]);
> ++        if (xf86PrivsElevated())
> ++              FatalError("\nInvalid argument -modulepath "
> ++                "with elevated privileges\n");
> +         xf86ModulePath = argv[i + 1];
> +         xf86ModPathFrom = X_CMDLINE;
> +         return 2;
> +     }
> +     if (!strcmp(argv[i], "-logfile")) {
> +         CHECK_FOR_REQUIRED_ARGUMENT();
> +-        xf86CheckPrivs(argv[i], argv[i + 1]);
> ++        if (xf86PrivsElevated())
> ++              FatalError("\nInvalid argument -logfile "
> ++                "with elevated privileges\n");
> +         xf86LogFile = argv[i + 1];
> +         xf86LogFileFrom = X_CMDLINE;
> +         return 2;
> +-- 
> +2.18.1

Re: [PATCH] xserver-xorg: fix for CVE-2018-14665

[Burton, Ross]

On Fri, 2 Nov 2018 at 16:02, akuster808 <akuster808@gmail.com> wrote:
> This should be in the update sitting in master-next. its good for Thud
> or we update thud to the later version

Thud is literally in QA for release, so it's way too late for an
update.  The CVE patch should be backported for thud, sumo, rocko.

Ross