Fwd: [CVE-2006-0745] X.Org Security Advisory: privilege escalation and DoS in X11R6.9, X11R7.0
archaic at linuxfromscratch.org
Mon Mar 20 13:10:30 PST 2006
----- Forwarded message from Daniel Stone <daniel at fooishbar.org> -----
To: xorg at lists.freedesktop.org
From: Daniel Stone <daniel at fooishbar.org>
Date: Mon, 20 Mar 2006 16:00:58 +0200
Cc: vendor-sec at lst.de, bugtraq at securityfocus.com
Subject: [CVE-2006-0745] X.Org Security Advisory: privilege escalation and DoS in X11R6.9, X11R7.0
X.Org Security Advisory, March 20th 2006
Local privilege escalation in X.Org server 1.0.0 and later; X11R6.9.0
During the analysis of results from the Coverity code review of X.Org,
we discovered a flaw in the server that allows local users to execute
arbitrary code with root privileges, or cause a denial of service by
overwriting files on the system, again with root privileges.
When parsing arguments, the server takes care to check that only root
can pass the options -modulepath, which determines the location to load
many modules providing server functionality from, and -logfile, which
determines the location of the logfile. Normally, these locations
cannot be changed by unprivileged users.
This test was changed to test the effective UID as well as the real UID
in X.Org. The test is defective in that it tested the address of the
geteuid function, not the result of the function itself. As a result,
given that the address of geteuid() is always non-zero, an unpriviliged
user can load modules from any location on the filesystem with root
privileges, or overwrite critical system files with the server log.
xorg-server 1.0.0, as shipped with X11R7.0, and all release candidates
of X11R7.0, is vulnerable.
X11R6.9.0, and all release candidates, are vulnerable.
X11R6.8.2 and earlier versions are not vulnerable.
To check which version you have, run Xorg -version:
% Xorg -version
X Window System Version 7.0.0
Release Date: 21 December 2005
X Protocol Version 11, Revision 0, Release 7.0
Apply the patch below to xorg-server-1.0.0 and 1.0.1 from the modular
Alternately, xorg-server 1.0.2 has been released with this and other
Apply the patch below to the X.Org server as distributed with X11R6.9:
We would like to thank Coverity for the use of their Prevent code audit
tool, which discovered this particular flaw.
----- End forwarded message -----
Want control, education, and security from your operating system?
Hardened Linux From Scratch
More information about the lfs-security