lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <596b75860603230931k7579cdffu84efe9e370ac291e@mail.gmail.com>
Date: Thu, 23 Mar 2006 10:31:40 -0700
From: "Kyle Sallee" <kyle.sallee@...il.com>
To: xorg@...ts.freedesktop.org, vendor-sec@....de,
	bugtraq@...urityfocus.com, daniel@...ishbar.org
Subject: Re: [CVE-2006-0745] X.Org Security Advisory: privilege escalation and DoS in X11R6.9, X11R7.0


Is  xorg-server-X11R7.0-1.0.1.tar.bz2  also vulnerable.
Will patches for Xservers not be placed in?
ftp://ftp.x.org/pub/X11R7.0/patches/


On 3/20/06, Daniel Stone <daniel@...ishbar.org> wrote:
> X.Org Security Advisory, March 20th 2006
> Local privilege escalation in X.Org server 1.0.0 and later; X11R6.9.0
> and X11R7.0
> CVE-ID: CVE-2006-0745
>
>
> Overview:
>
> During the analysis of results from the Coverity code review of X.Org,
> we discovered a flaw in the server that allows local users to execute
> arbitrary code with root privileges, or cause a denial of service by
> overwriting files on the system, again with root privileges.
>
>
> Vulnerability details:
>
> When parsing arguments, the server takes care to check that only root
> can pass the options -modulepath, which determines the location to load
> many modules providing server functionality from, and -logfile, which
> determines the location of the logfile.  Normally, these locations
> cannot be changed by unprivileged users.
>
> This test was changed to test the effective UID as well as the real UID
> in X.Org.  The test is defective in that it tested the address of the
> geteuid function, not the result of the function itself.  As a result,
> given that the address of geteuid() is always non-zero, an unpriviliged
> user can load modules from any location on the filesystem with root
> privileges, or overwrite critical system files with the server log.
>
>
> Affected versions:
>
> xorg-server 1.0.0, as shipped with X11R7.0, and all release candidates
> of X11R7.0, is vulnerable.
> X11R6.9.0, and all release candidates, are vulnerable.
> X11R6.8.2 and earlier versions are not vulnerable.
>
> To check which version you have, run Xorg -version:
> % Xorg -version
> X Window System Version 7.0.0
> Release Date: 21 December 2005
> X Protocol Version 11, Revision 0, Release 7.0
> [...]
>
>
> Fix:
>
> Apply the patch below to xorg-server-1.0.0 and 1.0.1 from the modular
> X11R7 tree:
> 80db6a3ab76334061ec6102e74ef5607          xorg-server-1.0.1-geteuid.diff
> 44b44fa3efc63697eefadc7c2a1bfa50a35eec91  xorg-server-1.0.1-geteuid.diff
> http://xorg.freedesktop.org/releases/X11R7.0/patches/
>
> Alternately, xorg-server 1.0.2 has been released with this and other
> code fixes:
> 5cd3316f07ed32a05cbd69e73a71bc74          xorg-server-1.0.2.tar.bz2
> b2257e984c5111093ca80f1f63a7a9befa20b6c0  xorg-server-1.0.2.tar.bz2
> f44f0f07136791ed7a4028bd0dd5eae3          xorg-server-1.0.2.tar.gz
> 3f5c98c31fe3ee51d63bb1ee9467b8c3fcaff5f3  xorg-server-1.0.2.tar.gz
> http://xorg.freedesktop.org/releases/individual/xserver/
>
> Apply the patch below to the X.Org server as distributed with X11R6.9:
> de85e59b8906f76a52ec9162ec6c0b63          x11r6.9.0-geteuid.diff
> f9b73b7c1bd7d6d6db6d23741d5d1125eea5f860  x11r6.9.0-geteuid.diff
> http://xorg.freedesktop.org/releases/X11R6.9.0/patches/
>
>
> Thanks:
>
> We would like to thank Coverity for the use of their Prevent code audit
> tool, which discovered this particular flaw.
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.2 (GNU/Linux)
>
> iD8DBQFEHrWaRkzMgPKxYGwRAqz8AJ4mIc6kr2tyPcevMGWwIKYCegL/RwCfY7cw
> DuNqH3vnHXhjQIxZdxtECig=
> =vLGw
> -----END PGP SIGNATURE-----
>
>
>


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ