Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: [SA19307] X.Org X11 User Privilege Checking Security Bypass

> TITLE:
> X.Org X11 User Privilege Checking Security Bypass
> 
> SECUNIA ADVISORY ID:
> SA19307
> 
> VERIFY ADVISORY:
> http://secunia.com/advisories/19307/
> 
> CRITICAL:
> Less critical
> 
> IMPACT:
> Security Bypass
> 
> WHERE:
> Local system
> 
> SOFTWARE:
> X Window System 11 (X11) 6.x
> http://secunia.com/product/3913/
> X Window System 11 (X11) 7.x
> http://secunia.com/product/8806/
> 
> DESCRIPTION:
> A vulnerability has been reported in X11, which can be exploited by
> malicious, local users to bypass certain security restrictions.
> 
> Normally, a non-root user is not allowed to pass arguments to the
> "-logfile" and "-modulepath" command line options. However, an error
> exists when checking a user's privileges as the address of the
> "geteuid()" function is tested and not the result of the function.
> This can be exploited to pass arbitrary arguments to the "-logfile"
> and "-modulepath" options, which allows overwriting of arbitrary
> files or execution of arbitrary code with root privileges.
> 
> The vulnerability has been reported in X.Org server 1.0.0 (as shipped
> with X11R7.0) and later, X11R6.9.0 and X11R7.0 (including all release
> candidates). X11R6.8.2 and prior versions are reportedly not
> affected.
> 
> SOLUTION:
> -- X.Org Server (X11R7) --
> Apply patch for versions 1.0.0 and 1.0.1 or update to version 1.0.2.
> 
> Patches:
> http://xorg.freedesktop.org/releases/X11R7.0/patches/xorg-server-1.0.1-geteuid.diff
> 80db6a3ab76334061ec6102e74ef5607
> http://xorg.freedesktop.org/releases/X11R7.0/patches/xorg-server-1.0.1-geteuid.diff
> 44b44fa3efc63697eefadc7c2a1bfa50a35eec91
> 
> -- X.Org Server (X11R6.9) --
> 
> Apply patch:
> http://xorg.freedesktop.org/releases/X11R6.9.0/patches/x11r6.9.0-geteuid.diff
> de85e59b8906f76a52ec9162ec6c0b63
> http://xorg.freedesktop.org/releases/X11R6.9.0/patches/x11r6.9.0-geteuid.diff
> f9b73b7c1bd7d6d6db6d23741d5d1125eea5f860
> 
> PROVIDED AND/OR DISCOVERED BY:
> Discovered with Coverity Prevent code audit tool and reported by
> vendor.
> 
> ORIGINAL ADVISORY:
> http://lists.freedesktop.org/archives/xorg/2006-March/013992.html
> 
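The defect the advisory describes, a privilege check that tests the address of `geteuid` instead of calling it, is easy to reproduce in miniature. The C program below is an added illustration written for this archive page; it is not X.Org's source and not part of the forwarded advisory. It assumes the intended rule is "honour a root-only option when the real user is root, or when the binary is not running setuid root", expressed over explicit uids so the fixed and buggy variants can be compared side by side without running as root; the function names and the sample uid 1000 are constructed for the example.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed illustration of the bug class in the advisory; NOT X.Org code.
 * Assumed intent of the check: a root-only option may be honoured when the
 * real user is root, or when the server is not running setuid root
 * (effective uid != 0). It must be refused when an unprivileged user
 * invokes a setuid-root server (ruid != 0, euid == 0). */

/* Intended rule, written over explicit uids so it is testable as any user. */
int root_option_allowed_fixed(uid_t ruid, uid_t euid)
{
    return ruid == 0 || euid != 0;
}

/* The defective form: "geteuid" without parentheses is the address of the
 * function, not its return value. A function address is never 0, so
 * "geteuid != 0" is always true and the option is granted to everyone.
 * gcc -Wall reports this via -Waddress ("the address of 'geteuid' will
 * always evaluate as 'true'"); the pragma only keeps this deliberate
 * reproduction building under -Werror. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Waddress"
int root_option_allowed_buggy(uid_t ruid)
{
    return ruid == 0 || geteuid != 0;
}
#pragma GCC diagnostic pop

/* Wrappers that consult the real process credentials, as a server would. */
int current_process_allowed_fixed(void)
{
    return root_option_allowed_fixed(getuid(), geteuid());
}

int current_process_allowed_buggy(void)
{
    return root_option_allowed_buggy(getuid());
}

int main(void)
{
    /* Simulated setuid-root invocation by an unprivileged user (uid 1000). */
    uid_t ruid = 1000, euid = 0;
    printf("setuid-root server, unprivileged caller:\n");
    printf("  fixed check allows root-only option: %d\n",
           root_option_allowed_fixed(ruid, euid));
    printf("  buggy check allows root-only option: %d\n",
           root_option_allowed_buggy(ruid));
    printf("this process: fixed=%d buggy=%d\n",
           current_process_allowed_fixed(), current_process_allowed_buggy());
    return 0;
}
```

The practical takeaway for code review is that the buggy variant never returns 0 for any caller, which is why the advisory rates the impact as a full bypass of the option restriction; treating `-Waddress` (or the equivalent static-analysis finding, which is how this bug was found) as an error catches the pattern at build time.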
Copyright © Lexa Software, 1996-2009.