summaryrefslogtreecommitdiff
path: root/libre/xorg-server/fix-CVE-2015-3164.patch
diff options
context:
space:
mode:
Diffstat (limited to 'libre/xorg-server/fix-CVE-2015-3164.patch')
-rw-r--r--libre/xorg-server/fix-CVE-2015-3164.patch311
1 files changed, 311 insertions, 0 deletions
diff --git a/libre/xorg-server/fix-CVE-2015-3164.patch b/libre/xorg-server/fix-CVE-2015-3164.patch
new file mode 100644
index 000000000..e2ee12973
--- /dev/null
+++ b/libre/xorg-server/fix-CVE-2015-3164.patch
@@ -0,0 +1,311 @@
+From c4534a38b68aa07fb82318040dc8154fb48a9588 Mon Sep 17 00:00:00 2001
+From: Ray Strode <rstrode@redhat.com>
+Date: Tue, 5 May 2015 16:43:42 -0400
+Subject: xwayland: Enable access control on open sockets [CVE-2015-3164 1/3]
+
+Xwayland currently allows wide-open access to the X sockets
+it listens on, ignoring Xauth access control.
+
+This commit makes sure to enable access control on the sockets,
+so one user can't snoop on another user's X-over-wayland
+applications.
+
+Signed-off-by: Ray Strode <rstrode@redhat.com>
+Reviewed-by: Daniel Stone <daniels@collabora.com>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Signed-off-by: Keith Packard <keithp@keithp.com>
+
+diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c
+index 7e8d667..c5bee77 100644
+--- a/hw/xwayland/xwayland.c
++++ b/hw/xwayland/xwayland.c
+@@ -483,7 +483,7 @@ listen_on_fds(struct xwl_screen *xwl_screen)
+ int i;
+
+ for (i = 0; i < xwl_screen->listen_fd_count; i++)
+- ListenOnOpenFD(xwl_screen->listen_fds[i], TRUE);
++ ListenOnOpenFD(xwl_screen->listen_fds[i], FALSE);
+ }
+
+ static void
+--
+cgit v0.10.2
+From 4b4b9086d02b80549981d205fb1f495edc373538 Mon Sep 17 00:00:00 2001
+From: Ray Strode <rstrode@redhat.com>
+Date: Tue, 5 May 2015 16:43:43 -0400
+Subject: os: support new implicit local user access mode [CVE-2015-3164 2/3]
+
+If the X server is started without a '-auth' argument, then
+it gets started wide open to all local users on the system.
+
+This isn't a great default access model, but changing it in
+Xorg at this point would break backward compatibility.
+
+Xwayland, on the other hand is new, and much more targeted
+in scope. It could, in theory, be changed to allow the much
+more secure default of a "user who started X server can connect
+clients to that server."
+
+This commit paves the way for that change, by adding a mechanism
+for DDXs to opt-in to that behavior. They merely need to call
+
+LocalAccessScopeUser()
+
+in their init functions.
+
+A subsequent commit will add that call for Xwayland.
+
+Signed-off-by: Ray Strode <rstrode@redhat.com>
+Reviewed-by: Daniel Stone <daniels@collabora.com>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Signed-off-by: Keith Packard <keithp@keithp.com>
+
+diff --git a/include/os.h b/include/os.h
+index 6638c84..b2b96c8 100644
+--- a/include/os.h
++++ b/include/os.h
+@@ -431,11 +431,28 @@ extern _X_EXPORT void
+ ResetHosts(const char *display);
+
+ extern _X_EXPORT void
++EnableLocalAccess(void);
++
++extern _X_EXPORT void
++DisableLocalAccess(void);
++
++extern _X_EXPORT void
+ EnableLocalHost(void);
+
+ extern _X_EXPORT void
+ DisableLocalHost(void);
+
++#ifndef NO_LOCAL_CLIENT_CRED
++extern _X_EXPORT void
++EnableLocalUser(void);
++
++extern _X_EXPORT void
++DisableLocalUser(void);
++
++extern _X_EXPORT void
++LocalAccessScopeUser(void);
++#endif
++
+ extern _X_EXPORT void
+ AccessUsingXdmcp(void);
+
+diff --git a/os/access.c b/os/access.c
+index 8fa028e..75e7a69 100644
+--- a/os/access.c
++++ b/os/access.c
+@@ -102,6 +102,10 @@ SOFTWARE.
+ #include <sys/ioctl.h>
+ #include <ctype.h>
+
++#ifndef NO_LOCAL_CLIENT_CRED
++#include <pwd.h>
++#endif
++
+ #if defined(TCPCONN) || defined(STREAMSCONN)
+ #include <netinet/in.h>
+ #endif /* TCPCONN || STREAMSCONN */
+@@ -225,6 +229,13 @@ static int LocalHostEnabled = FALSE;
+ static int LocalHostRequested = FALSE;
+ static int UsingXdmcp = FALSE;
+
++static enum {
++ LOCAL_ACCESS_SCOPE_HOST = 0,
++#ifndef NO_LOCAL_CLIENT_CRED
++ LOCAL_ACCESS_SCOPE_USER,
++#endif
++} LocalAccessScope;
++
+ /* FamilyServerInterpreted implementation */
+ static Bool siAddrMatch(int family, void *addr, int len, HOST * host,
+ ClientPtr client);
+@@ -237,6 +248,21 @@ static void siTypesInitialize(void);
+ */
+
+ void
++EnableLocalAccess(void)
++{
++ switch (LocalAccessScope) {
++ case LOCAL_ACCESS_SCOPE_HOST:
++ EnableLocalHost();
++ break;
++#ifndef NO_LOCAL_CLIENT_CRED
++ case LOCAL_ACCESS_SCOPE_USER:
++ EnableLocalUser();
++ break;
++#endif
++ }
++}
++
++void
+ EnableLocalHost(void)
+ {
+ if (!UsingXdmcp) {
+@@ -249,6 +275,21 @@ EnableLocalHost(void)
+ * called when authorization is enabled to keep us secure
+ */
+ void
++DisableLocalAccess(void)
++{
++ switch (LocalAccessScope) {
++ case LOCAL_ACCESS_SCOPE_HOST:
++ DisableLocalHost();
++ break;
++#ifndef NO_LOCAL_CLIENT_CRED
++ case LOCAL_ACCESS_SCOPE_USER:
++ DisableLocalUser();
++ break;
++#endif
++ }
++}
++
++void
+ DisableLocalHost(void)
+ {
+ HOST *self;
+@@ -262,6 +303,74 @@ DisableLocalHost(void)
+ }
+ }
+
++#ifndef NO_LOCAL_CLIENT_CRED
++static int GetLocalUserAddr(char **addr)
++{
++ static const char *type = "localuser";
++ static const char delimiter = '\0';
++ static const char *value;
++ struct passwd *pw;
++ int length = -1;
++
++ pw = getpwuid(getuid());
++
++ if (pw == NULL || pw->pw_name == NULL)
++ goto out;
++
++ value = pw->pw_name;
++
++ length = asprintf(addr, "%s%c%s", type, delimiter, value);
++
++ if (length == -1) {
++ goto out;
++ }
++
++ /* Trailing NUL */
++ length++;
++
++out:
++ return length;
++}
++
++void
++EnableLocalUser(void)
++{
++ char *addr = NULL;
++ int length = -1;
++
++ length = GetLocalUserAddr(&addr);
++
++ if (length == -1)
++ return;
++
++ NewHost(FamilyServerInterpreted, addr, length, TRUE);
++
++ free(addr);
++}
++
++void
++DisableLocalUser(void)
++{
++ char *addr = NULL;
++ int length = -1;
++
++ length = GetLocalUserAddr(&addr);
++
++ if (length == -1)
++ return;
++
++ RemoveHost(NULL, FamilyServerInterpreted, length, addr);
++
++ free(addr);
++}
++
++void
++LocalAccessScopeUser(void)
++{
++ LocalAccessScope = LOCAL_ACCESS_SCOPE_USER;
++}
++#endif
++
+ /*
+ * called at init time when XDMCP will be used; xdmcp always
+ * adds local hosts manually when needed
+diff --git a/os/auth.c b/os/auth.c
+index 5fcb538..7da6fc6 100644
+--- a/os/auth.c
++++ b/os/auth.c
+@@ -181,11 +181,11 @@ CheckAuthorization(unsigned int name_length,
+
+ /*
+ * If the authorization file has at least one entry for this server,
+- * disable local host access. (loadauth > 0)
++ * disable local access. (loadauth > 0)
+ *
+ * If there are zero entries (either initially or when the
+ * authorization file is later reloaded), or if a valid
+- * authorization file was never loaded, enable local host access.
++ * authorization file was never loaded, enable local access.
+ * (loadauth == 0 || !loaded)
+ *
+ * If the authorization file was loaded initially (with valid
+@@ -194,11 +194,11 @@ CheckAuthorization(unsigned int name_length,
+ */
+
+ if (loadauth > 0) {
+- DisableLocalHost(); /* got at least one */
++ DisableLocalAccess(); /* got at least one */
+ loaded = TRUE;
+ }
+ else if (loadauth == 0 || !loaded)
+- EnableLocalHost();
++ EnableLocalAccess();
+ }
+ if (name_length) {
+ for (i = 0; i < NUM_AUTHORIZATION; i++) {
+--
+cgit v0.10.2
+From 76636ac12f2d1dbdf7be08222f80e7505d53c451 Mon Sep 17 00:00:00 2001
+From: Ray Strode <rstrode@redhat.com>
+Date: Tue, 5 May 2015 16:43:44 -0400
+Subject: xwayland: default to local user if no xauth file given.
+ [CVE-2015-3164 3/3]
+
+Right now if "-auth" isn't passed on the command line, we let
+any user on the system connect to the Xwayland server.
+
+That's clearly suboptimal, given Xwayland is generally designed
+to be used by one user at a time.
+
+This commit changes the behavior, so only the user who started the
+X server can connect clients to it.
+
+Signed-off-by: Ray Strode <rstrode@redhat.com>
+Reviewed-by: Daniel Stone <daniels@collabora.com>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Signed-off-by: Keith Packard <keithp@keithp.com>
+
+diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c
+index c5bee77..bc92beb 100644
+--- a/hw/xwayland/xwayland.c
++++ b/hw/xwayland/xwayland.c
+@@ -702,4 +702,6 @@ InitOutput(ScreenInfo * screen_info, int argc, char **argv)
+ if (AddScreen(xwl_screen_init, argc, argv) == -1) {
+ FatalError("Couldn't add screen\n");
+ }
++
++ LocalAccessScopeUser();
+ }
+--
+cgit v0.10.2
+