Hello community, here is the log from the commit of package xorg-x11-server for openSUSE:Factory checked in at 2015-06-17 16:15:20 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/xorg-x11-server (Old) and /work/SRC/openSUSE:Factory/.xorg-x11-server.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "xorg-x11-server" Changes: -------- --- /work/SRC/openSUSE:Factory/xorg-x11-server/xorg-x11-server.changes 2015-06-10 09:15:21.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.xorg-x11-server.new/xorg-x11-server.changes 2015-06-17 16:15:22.000000000 +0200 @@ -1,0 +2,8 @@ +Fri Jun 12 11:58:43 UTC 2015 - [email protected] + +- U_os-support-new-implicit-local-user-access-mode.patch, + U_xwayland-default-to-local-user-if-no-xauth-file-given.patch, + U_xwayland-enable-access-control-on-open-socket.patch + * Prevent unauthorized local access. (bnc#934102, CVE-2015-3164) + +------------------------------------------------------------------- New: ---- U_os-support-new-implicit-local-user-access-mode.patch U_xwayland-default-to-local-user-if-no-xauth-file-given.patch U_xwayland-enable-access-control-on-open-socket.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ xorg-x11-server.spec ++++++ --- /var/tmp/diff_new_pack.faEa5v/_old 2015-06-17 16:15:23.000000000 +0200 +++ /var/tmp/diff_new_pack.faEa5v/_new 2015-06-17 16:15:23.000000000 +0200 @@ -168,6 +168,12 @@ Patch116: U_os-XDMCP-options-like-query-etc-should-imply-listen.patch Patch117: xorg-x11-server-byte-order.patch Patch118: U_int10-Fix-error-check-for-pci_device_map_legacy.patch +# PATCH-FIX-UPSTREAM U_xwayland-enable-access-control-on-open-socket.patch bnc#934102 [email protected] -- Fix CVE-2015-3164 +Patch119: U_xwayland-enable-access-control-on-open-socket.patch +# PATCH-FIX-UPSTREAM U_os-support-new-implicit-local-user-access-mode.patch bnc#934102 [email protected] -- Fix CVE-2015-3164 +Patch120: U_os-support-new-implicit-local-user-access-mode.patch +# PATCH-FIX-UPSTREAM U_xwayland-default-to-local-user-if-no-xauth-file-given.patch bnc#934102 [email protected] -- Fix CVE-2015-3164 +Patch121: U_xwayland-default-to-local-user-if-no-xauth-file-given.patch Patch1000: n_xserver-optimus-autoconfig-hack.patch @@ -265,6 +271,9 @@ %patch116 -p1 %patch117 -p1 %patch118 -p1 +%patch119 -p1 +%patch120 -p1 +%patch121 -p1 %patch1000 -p1 ++++++ U_os-support-new-implicit-local-user-access-mode.patch ++++++ Subject: os: support new implicit local user access mode Author: Ray Strode <[email protected]> Path-mainline: Upstream Git-commit: 4b4b9086d02b80549981d205fb1f495edc373538 References: bnc#934102 CVE-2015-3164 Signed-off-by: Michal Srb <[email protected]> If the X server is started without a '-auth' argument, then it gets started wide open to all local users on the system. This isn't a great default access model, but changing it in Xorg at this point would break backward compatibility. Xwayland, on the other hand is new, and much more targeted in scope. It could, in theory, be changed to allow the much more secure default of a "user who started X server can connect clients to that server." This commit paves the way for that change, by adding a mechanism for DDXs to opt-in to that behavior. They merely need to call LocalAccessScopeUser() in their init functions. A subsequent commit will add that call for Xwayland. Signed-off-by: Ray Strode <[email protected]> Reviewed-by: Daniel Stone <[email protected]> Reviewed-by: Alan Coopersmith <[email protected]> Signed-off-by: Keith Packard <[email protected]> diff --git a/include/os.h b/include/os.h index 6638c84..b2b96c8 100644 --- a/include/os.h +++ b/include/os.h @@ -431,11 +431,28 @@ extern _X_EXPORT void ResetHosts(const char *display); extern _X_EXPORT void +EnableLocalAccess(void); + +extern _X_EXPORT void +DisableLocalAccess(void); + +extern _X_EXPORT void EnableLocalHost(void); extern _X_EXPORT void DisableLocalHost(void); +#ifndef NO_LOCAL_CLIENT_CRED +extern _X_EXPORT void +EnableLocalUser(void); + +extern _X_EXPORT void +DisableLocalUser(void); + +extern _X_EXPORT void +LocalAccessScopeUser(void); +#endif + extern _X_EXPORT void AccessUsingXdmcp(void); diff --git a/os/access.c b/os/access.c index 8fa028e..75e7a69 100644 --- a/os/access.c +++ b/os/access.c @@ -102,6 +102,10 @@ SOFTWARE. #include <sys/ioctl.h> #include <ctype.h> +#ifndef NO_LOCAL_CLIENT_CRED +#include <pwd.h> +#endif + #if defined(TCPCONN) || defined(STREAMSCONN) #include <netinet/in.h> #endif /* TCPCONN || STREAMSCONN */ @@ -225,6 +229,13 @@ static int LocalHostEnabled = FALSE; static int LocalHostRequested = FALSE; static int UsingXdmcp = FALSE; +static enum { + LOCAL_ACCESS_SCOPE_HOST = 0, +#ifndef NO_LOCAL_CLIENT_CRED + LOCAL_ACCESS_SCOPE_USER, +#endif +} LocalAccessScope; + /* FamilyServerInterpreted implementation */ static Bool siAddrMatch(int family, void *addr, int len, HOST * host, ClientPtr client); @@ -237,6 +248,21 @@ static void siTypesInitialize(void); */ void +EnableLocalAccess(void) +{ + switch (LocalAccessScope) { + case LOCAL_ACCESS_SCOPE_HOST: + EnableLocalHost(); + break; +#ifndef NO_LOCAL_CLIENT_CRED + case LOCAL_ACCESS_SCOPE_USER: + EnableLocalUser(); + break; +#endif + } +} + +void EnableLocalHost(void) { if (!UsingXdmcp) { @@ -249,6 +275,21 @@ EnableLocalHost(void) * called when authorization is enabled to keep us secure */ void +DisableLocalAccess(void) +{ + switch (LocalAccessScope) { + case LOCAL_ACCESS_SCOPE_HOST: + DisableLocalHost(); + break; +#ifndef NO_LOCAL_CLIENT_CRED + case LOCAL_ACCESS_SCOPE_USER: + DisableLocalUser(); + break; +#endif + } +} + +void DisableLocalHost(void) { HOST *self; @@ -262,6 +303,74 @@ DisableLocalHost(void) } } +#ifndef NO_LOCAL_CLIENT_CRED +static int GetLocalUserAddr(char **addr) +{ + static const char *type = "localuser"; + static const char delimiter = '\0'; + static const char *value; + struct passwd *pw; + int length = -1; + + pw = getpwuid(getuid()); + + if (pw == NULL || pw->pw_name == NULL) + goto out; + + value = pw->pw_name; + + length = asprintf(addr, "%s%c%s", type, delimiter, value); + + if (length == -1) { + goto out; + } + + /* Trailing NUL */ + length++; + +out: + return length; +} + +void +EnableLocalUser(void) +{ + char *addr = NULL; + int length = -1; + + length = GetLocalUserAddr(&addr); + + if (length == -1) + return; + + NewHost(FamilyServerInterpreted, addr, length, TRUE); + + free(addr); +} + +void +DisableLocalUser(void) +{ + char *addr = NULL; + int length = -1; + + length = GetLocalUserAddr(&addr); + + if (length == -1) + return; + + RemoveHost(NULL, FamilyServerInterpreted, length, addr); + + free(addr); +} + +void +LocalAccessScopeUser(void) +{ + LocalAccessScope = LOCAL_ACCESS_SCOPE_USER; +} +#endif + /* * called at init time when XDMCP will be used; xdmcp always * adds local hosts manually when needed diff --git a/os/auth.c b/os/auth.c index 5fcb538..7da6fc6 100644 --- a/os/auth.c +++ b/os/auth.c @@ -181,11 +181,11 @@ CheckAuthorization(unsigned int name_length, /* * If the authorization file has at least one entry for this server, - * disable local host access. (loadauth > 0) + * disable local access. (loadauth > 0) * * If there are zero entries (either initially or when the * authorization file is later reloaded), or if a valid - * authorization file was never loaded, enable local host access. + * authorization file was never loaded, enable local access. * (loadauth == 0 || !loaded) * * If the authorization file was loaded initially (with valid @@ -194,11 +194,11 @@ CheckAuthorization(unsigned int name_length, */ if (loadauth > 0) { - DisableLocalHost(); /* got at least one */ + DisableLocalAccess(); /* got at least one */ loaded = TRUE; } else if (loadauth == 0 || !loaded) - EnableLocalHost(); + EnableLocalAccess(); } if (name_length) { for (i = 0; i < NUM_AUTHORIZATION; i++) { ++++++ U_xwayland-default-to-local-user-if-no-xauth-file-given.patch ++++++ Subject: xwayland: default to local user if no xauth file given. Author: Ray Strode <[email protected]> Path-mainline: Upstream Git-commit: 76636ac12f2d1dbdf7be08222f80e7505d53c451 References: bnc#934102 CVE-2015-3164 Signed-off-by: Michal Srb <[email protected]> Right now if "-auth" isn't passed on the command line, we let any user on the system connect to the Xwayland server. That's clearly suboptimal, given Xwayland is generally designed to be used by one user at a time. This commit changes the behavior, so only the user who started the X server can connect clients to it. Signed-off-by: Ray Strode <[email protected]> Reviewed-by: Daniel Stone <[email protected]> Reviewed-by: Alan Coopersmith <[email protected]> Signed-off-by: Keith Packard <[email protected]> diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c index c5bee77..bc92beb 100644 --- a/hw/xwayland/xwayland.c +++ b/hw/xwayland/xwayland.c @@ -702,4 +702,6 @@ InitOutput(ScreenInfo * screen_info, int argc, char **argv) if (AddScreen(xwl_screen_init, argc, argv) == -1) { FatalError("Couldn't add screen\n"); } + + LocalAccessScopeUser(); } ++++++ U_xwayland-enable-access-control-on-open-socket.patch ++++++ Subject: xwayland: Enable access control on open sockets Author: Ray Strode <[email protected]> Path-mainline: Upstream Git-commit: c4534a38b68aa07fb82318040dc8154fb48a9588 References: bnc#934102 CVE-2015-3164 Signed-off-by: Michal Srb <[email protected]> Xwayland currently allows wide-open access to the X sockets it listens on, ignoring Xauth access control. This commit makes sure to enable access control on the sockets, so one user can't snoop on another user's X-over-wayland applications. Signed-off-by: Ray Strode <[email protected]> Reviewed-by: Daniel Stone <[email protected]> Reviewed-by: Alan Coopersmith <[email protected]> Signed-off-by: Keith Packard <[email protected]> diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c index 7e8d667..c5bee77 100644 --- a/hw/xwayland/xwayland.c +++ b/hw/xwayland/xwayland.c @@ -483,7 +483,7 @@ listen_on_fds(struct xwl_screen *xwl_screen) int i; for (i = 0; i < xwl_screen->listen_fd_count; i++) - ListenOnOpenFD(xwl_screen->listen_fds[i], TRUE); + ListenOnOpenFD(xwl_screen->listen_fds[i], FALSE); } static void
