:: scan.coverity.com : Accelerating Open Source Quality ::

MAIN	SCAN LADDER FAQ	AMANDA CHART
ABOUT SCAN	RUNG 2 - 11 Projects	SAMBA CHART
FAQ	RUNG 1 - 86 Projects
DEVELOPER FAQ	RUNG 0 - 173 Projects
	ALL PROJECTS	POLICY STATEMENT

X.Org Security Advisory

X.Org Security Advisory, March 20th 2006 Local privilege escalation in X.Org server 1.0.0 and later; X11R6.9.0 and X11R7.0
CVE-ID: CVE-2006-0745

Overview:

During the analysis of results from the Coverity code review of X.Org, we discovered a flaw in the server that allows local users to execute arbitrary code with root privileges, or cause a denial of service by overwriting files on the system, again with root privileges.

Vulnerability details:

When parsing arguments, the server takes care to check that only root can pass the options -modulepath, which determines the location to load many modules providing server functionality from, and -logfile, which determines the location of the logfile. Normally, these locations cannot be changed by unprivileged users.

This test was changed to test the effective UID as well as the real UID in X.Org. The test is defective in that it tested the address of the geteuid function, not the result of the function itself. As a result, given that the address of geteuid() is always non-zero, an unpriviliged user can load modules from any location on the filesystem with root privileges, or overwrite critical system files with the server log.

Affected versions:

xorg-server 1.0.0, as shipped with X11R7.0, and all release candidates of X11R7.0, is vulnerable.
X11R6.9.0, and all release candidates, are vulnerable.
X11R6.8.2 and earlier versions are not vulnerable.

To check which version you have, run Xorg -version:
% Xorg -version
X Window System Version 7.0.0
Release Date: 21 December 2005
X Protocol Version 11, Revision 0, Release 7.0 [...]

Fix:

Apply the patch below to xorg-server-1.0.0 and 1.0.1 from the modular
X11R7 tree:
80db6a3ab76334061ec6102e74ef5607 xorg-server-1.0.1-geteuid.diff
44b44fa3efc63697eefadc7c2a1bfa50a35eec91 xorg-server-1.0.1-geteuid.diff http://xorg.freedesktop.org/releases/X11R7.0/patches/

Alternately, xorg-server 1.0.2 has been released with this and other code fixes:
5cd3316f07ed32a05cbd69e73a71bc74 xorg-server-1.0.2.tar.bz2
b2257e984c5111093ca80f1f63a7a9befa20b6c0 xorg-server-1.0.2.tar.bz2
f44f0f07136791ed7a4028bd0dd5eae3 xorg-server-1.0.2.tar.gz
3f5c98c31fe3ee51d63bb1ee9467b8c3fcaff5f3 xorg-server-1.0.2.tar.gz http://xorg.freedesktop.org/releases/individual/xserver/

Apply the patch below to the X.Org server as distributed with X11R6.9:
de85e59b8906f76a52ec9162ec6c0b63 x11r6.9.0-geteuid.diff
f9b73b7c1bd7d6d6db6d23741d5d1125eea5f860 x11r6.9.0-geteuid.diff http://xorg.freedesktop.org/releases/X11R6.9.0/patches/

Thanks:

We would like to thank Coverity for the use of their Prevent code audit tool, which discovered this particular flaw.
_______________________________________________
xorg mailing list
xorg@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/xorg


	“COVERITY'S STATIC SOURCE CODE ANALYSIS HAS PROVEN TO BE AN EFFECTIVE STEP TOWARDS FURTHERING THE QUALITY AND SECURITY OF LINUX.”


	ANDREW MORTON, LEAD KERNEL MAINTAINER

NEWS

Scan now open to Java projects

Scan Expanded with Graphics Software at Libre Graphics Meeting

Scan Expanded to 150 projects on its anniversary

Happy First Birthday, Scan

Coverity Names David Maxwell as Open Source Strategist

Coverity detects a security hole in X Windows that allows any user with a login to gain root privileges

Amanda releases major version (2.5) of the popular backup and recovery software with milestone of 0 Coverity defects

Scan.coverity.com results in over 1000 patches to projects in the first few weeks

Coverity Study Ranks LAMP Code Quality

DHS Funds Open-Source Security Project