[OE-core] [PATCH] xserver-xorg: fix for CVE-2018-14665

Fri Nov 2 16:01:49 UTC 2018

On 11/1/18 11:09 PM, changqing.li at windriver.com wrote:
> From: Changqing Li <changqing.li at windriver.com>
>
> Signed-off-by: Changqing Li <changqing.li at windriver.com>

This should be in the update sitting in master-next. its good for Thud
or we update thud to the later version

- armin

> ---
>  .../xorg-xserver/xserver-xorg/CVE-2018-14665.patch | 56 ++++++++++++++++++++++
>  1 file changed, 56 insertions(+)
>  create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2018-14665.patch
>
> diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2018-14665.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2018-14665.patch
> new file mode 100644
> index 0000000..5dd6fe0
> --- /dev/null
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2018-14665.patch
> @@ -0,0 +1,56 @@
> +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/
> +commit/50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e]
> +
> +CVE: CVE-2018-14665
> +
> +Signed-off-by: Changqing Li <changqing.li at windriver.com>
> +
> +From 50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e Mon Sep 17 00:00:00 2001
> +From: Matthieu Herrb <matthieu at herrb.eu>
> +Date: Tue, 23 Oct 2018 21:29:08 +0200
> +Subject: [PATCH] Disable -logfile and -modulepath when running with elevated
> + privileges
> +
> +Could cause privilege elevation and/or arbitrary files overwrite, when
> +the X server is running with elevated privileges (ie when Xorg is
> +installed with the setuid bit set and started by a non-root user).
> +
> +CVE-2018-14665
> +
> +Issue reported by Narendra Shinde and Red Hat.
> +
> +Signed-off-by: Matthieu Herrb <matthieu at herrb.eu>
> +Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
> +Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
> +Reviewed-by: Adam Jackson <ajax at redhat.com>
> +---
> + hw/xfree86/common/xf86Init.c | 8 ++++++--
> + 1 file changed, 6 insertions(+), 2 deletions(-)
> +
> +diff --git a/hw/xfree86/common/xf86Init.c b/hw/xfree86/common/xf86Init.c
> +index 6c25eda73..0f57efa86 100644
> +--- a/hw/xfree86/common/xf86Init.c
> ++++ b/hw/xfree86/common/xf86Init.c
> +@@ -935,14 +935,18 @@ ddxProcessArgument(int argc, char **argv, int i)
> +     /* First the options that are not allowed with elevated privileges */
> +     if (!strcmp(argv[i], "-modulepath")) {
> +         CHECK_FOR_REQUIRED_ARGUMENT();
> +-        xf86CheckPrivs(argv[i], argv[i + 1]);
> ++        if (xf86PrivsElevated())
> ++              FatalError("\nInvalid argument -modulepath "
> ++                "with elevated privileges\n");
> +         xf86ModulePath = argv[i + 1];
> +         xf86ModPathFrom = X_CMDLINE;
> +         return 2;
> +     }
> +     if (!strcmp(argv[i], "-logfile")) {
> +         CHECK_FOR_REQUIRED_ARGUMENT();
> +-        xf86CheckPrivs(argv[i], argv[i + 1]);
> ++        if (xf86PrivsElevated())
> ++              FatalError("\nInvalid argument -logfile "
> ++                "with elevated privileges\n");
> +         xf86LogFile = argv[i + 1];
> +         xf86LogFileFrom = X_CMDLINE;
> +         return 2;
> +-- 
> +2.18.1