| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 23 Mar 2006 10:31:40 -0700 From: "Kyle Sallee" <kyle.sallee@...il.com> To: xorg@...ts.freedesktop.org, vendor-sec@....de, bugtraq@...urityfocus.com, daniel@...ishbar.org Subject: Re: [CVE-2006-0745] X.Org Security Advisory: privilege escalation and DoS in X11R6.9, X11R7.0 Is xorg-server-X11R7.0-1.0.1.tar.bz2 also vulnerable. Will patches for Xservers not be placed in? ftp://ftp.x.org/pub/X11R7.0/patches/ On 3/20/06, Daniel Stone <daniel@...ishbar.org> wrote: > X.Org Security Advisory, March 20th 2006 > Local privilege escalation in X.Org server 1.0.0 and later; X11R6.9.0 > and X11R7.0 > CVE-ID: CVE-2006-0745 > > > Overview: > > During the analysis of results from the Coverity code review of X.Org, > we discovered a flaw in the server that allows local users to execute > arbitrary code with root privileges, or cause a denial of service by > overwriting files on the system, again with root privileges. > > > Vulnerability details: > > When parsing arguments, the server takes care to check that only root > can pass the options -modulepath, which determines the location to load > many modules providing server functionality from, and -logfile, which > determines the location of the logfile. Normally, these locations > cannot be changed by unprivileged users. > > This test was changed to test the effective UID as well as the real UID > in X.Org. The test is defective in that it tested the address of the > geteuid function, not the result of the function itself. As a result, > given that the address of geteuid() is always non-zero, an unpriviliged > user can load modules from any location on the filesystem with root > privileges, or overwrite critical system files with the server log. > > > Affected versions: > > xorg-server 1.0.0, as shipped with X11R7.0, and all release candidates > of X11R7.0, is vulnerable. > X11R6.9.0, and all release candidates, are vulnerable. > X11R6.8.2 and earlier versions are not vulnerable. > > To check which version you have, run Xorg -version: > % Xorg -version > X Window System Version 7.0.0 > Release Date: 21 December 2005 > X Protocol Version 11, Revision 0, Release 7.0 > [...] > > > Fix: > > Apply the patch below to xorg-server-1.0.0 and 1.0.1 from the modular > X11R7 tree: > 80db6a3ab76334061ec6102e74ef5607 xorg-server-1.0.1-geteuid.diff > 44b44fa3efc63697eefadc7c2a1bfa50a35eec91 xorg-server-1.0.1-geteuid.diff > http://xorg.freedesktop.org/releases/X11R7.0/patches/ > > Alternately, xorg-server 1.0.2 has been released with this and other > code fixes: > 5cd3316f07ed32a05cbd69e73a71bc74 xorg-server-1.0.2.tar.bz2 > b2257e984c5111093ca80f1f63a7a9befa20b6c0 xorg-server-1.0.2.tar.bz2 > f44f0f07136791ed7a4028bd0dd5eae3 xorg-server-1.0.2.tar.gz > 3f5c98c31fe3ee51d63bb1ee9467b8c3fcaff5f3 xorg-server-1.0.2.tar.gz > http://xorg.freedesktop.org/releases/individual/xserver/ > > Apply the patch below to the X.Org server as distributed with X11R6.9: > de85e59b8906f76a52ec9162ec6c0b63 x11r6.9.0-geteuid.diff > f9b73b7c1bd7d6d6db6d23741d5d1125eea5f860 x11r6.9.0-geteuid.diff > http://xorg.freedesktop.org/releases/X11R6.9.0/patches/ > > > Thanks: > > We would like to thank Coverity for the use of their Prevent code audit > tool, which discovered this particular flaw. > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.2.2 (GNU/Linux) > > iD8DBQFEHrWaRkzMgPKxYGwRAqz8AJ4mIc6kr2tyPcevMGWwIKYCegL/RwCfY7cw > DuNqH3vnHXhjQIxZdxtECig= > =vLGw > -----END PGP SIGNATURE----- > > >
Powered by blists - more mailing lists