Author: dnicholson Date: 2006-08-05 13:31:26 -0600 (Sat, 05 Aug 2006) New Revision: 1618
Added: trunk/xorg/libX11-1.0.1-setuid-1.patch trunk/xorg/xdm-1.0.4-setuid-1.patch trunk/xorg/xf86dga-1.0.1-setuid-1.patch trunk/xorg/xinit-1.0.2-setuid-1.patch trunk/xorg/xload-1.0.1-setuid-1.patch trunk/xorg/xorg-6.9.0-security-1.patch trunk/xorg/xorg-server-1.1.0-setuid-1.patch trunk/xorg/xtrans-1.0.0-setuid-1.patch Log: Added patches to address security vulnerabilities in Xorg-6.9.0 and Xorg-7.1 Added: trunk/xorg/libX11-1.0.1-setuid-1.patch =================================================================== --- trunk/xorg/libX11-1.0.1-setuid-1.patch (rev 0) +++ trunk/xorg/libX11-1.0.1-setuid-1.patch 2006-08-05 19:31:26 UTC (rev 1618) @@ -0,0 +1,24 @@ +Submitted By: Dan Nicholson <dnicholson at linuxfromscratch dot org> +Date: 2006-08-05 +Initial Package Version: 1.0.1 +Origin: http://xorg.freedesktop.org/releases/X11R7.1/patches/ +Upstream Status: Applied +Description: Fixes a security vulnerability. See the following advisory: + http://lists.freedesktop.org/archives/xorg/2006-June/016146.html + +diff -pNur libX11-1.0.1.orig/src/xlibi18n/lcFile.c libX11-1.0.1/src/xlibi18n/lcFile.c +--- libX11-1.0.1.orig/src/xlibi18n/lcFile.c 2006-05-12 18:46:51.000000000 +0000 ++++ libX11-1.0.1/src/xlibi18n/lcFile.c 2006-08-05 16:25:30.000000000 +0000 +@@ -269,7 +269,11 @@ xlocaledir( + if (seteuid(0) != 0) { + priv = 0; + } else { +- seteuid(oldeuid); ++ if (seteuid(oldeuid) == -1) { ++ /* XXX ouch, coudn't get back to original uid ++ what can we do ??? */ ++ _exit(127); ++ } + priv = 1; + } + #endif Added: trunk/xorg/xdm-1.0.4-setuid-1.patch =================================================================== --- trunk/xorg/xdm-1.0.4-setuid-1.patch (rev 0) +++ trunk/xorg/xdm-1.0.4-setuid-1.patch 2006-08-05 19:31:26 UTC (rev 1618) @@ -0,0 +1,44 @@ +Submitted By: Dan Nicholson <dnicholson at linuxfromscratch dot org> +Date: 2006-08-05 +Initial Package Version: 1.0.4 +Origin: http://xorg.freedesktop.org/releases/X11R7.1/patches/ +Upstream Status: Applied +Description: Fixes a security vulnerability. See the following advisory: + http://lists.freedesktop.org/archives/xorg/2006-June/016146.html + +diff -pNur xdm-1.0.4.orig/session.c xdm-1.0.4/session.c +--- xdm-1.0.4.orig/session.c 2006-04-08 00:22:23.000000000 +0000 ++++ xdm-1.0.4/session.c 2006-08-05 16:29:28.000000000 +0000 +@@ -490,8 +490,14 @@ SessionExit (struct display *d, int stat + else + ResetServer (d); + if (removeAuth) { +- setgid (verify.gid); +- setuid (verify.uid); ++ if (setgid (verify.gid) == -1) { ++ LogError( "SessionExit: setgid: %s\n", strerror(errno)); ++ exit(status); ++ } ++ if (setuid (verify.uid) == -1) { ++ LogError( "SessionExit: setuid: %s\n", strerror(errno)); ++ exit(status); ++ } + RemoveUserAuthorization (d, &verify); + #ifdef K5AUTH + /* do like "kdestroy" program */ +diff -pNur xdm-1.0.4.orig/xdmshell.c xdm-1.0.4/xdmshell.c +--- xdm-1.0.4.orig/xdmshell.c 2005-07-14 22:58:25.000000000 +0000 ++++ xdm-1.0.4/xdmshell.c 2006-08-05 16:29:28.000000000 +0000 +@@ -183,7 +183,11 @@ main ( + #endif + + /* make xdm run in a non-setuid environment */ +- setuid (geteuid()); ++ if (setuid (geteuid()) == -1) { ++ fprintf(stderr, "%s: cannot setuid (error %d, %s)\r\n", ++ ProgramName, errno, strerror(errno)); ++ exit(1); ++ } + + /* + * exec /usr/bin/X11/xdm -nodaemon -udpPort 0 Added: trunk/xorg/xf86dga-1.0.1-setuid-1.patch =================================================================== --- trunk/xorg/xf86dga-1.0.1-setuid-1.patch (rev 0) +++ trunk/xorg/xf86dga-1.0.1-setuid-1.patch 2006-08-05 19:31:26 UTC (rev 1618) @@ -0,0 +1,31 @@ +Submitted By: Dan Nicholson <dnicholson at linuxfromscratch dot org> +Date: 2006-08-05 +Initial Package Version: 1.0.1 +Origin: http://xorg.freedesktop.org/releases/X11R7.1/patches/ +Upstream Status: Applied +Description: Fixes a security vulnerability. See the following advisory: + http://lists.freedesktop.org/archives/xorg/2006-June/016146.html + +diff -pNur xf86dga-1.0.1.orig/dga.c xf86dga-1.0.1/dga.c +--- xf86dga-1.0.1.orig/dga.c 2004-04-23 19:54:47.000000000 +0000 ++++ xf86dga-1.0.1/dga.c 2006-08-05 16:32:09.000000000 +0000 +@@ -16,6 +16,7 @@ + #include <X11/Xmd.h> + #include <X11/extensions/xf86dga.h> + #include <ctype.h> ++#include <errno.h> + #include <stdio.h> + #include <stdlib.h> + #include <signal.h> +@@ -141,7 +142,10 @@ main(int argc, char *argv[]) + + #ifndef __UNIXOS2__ + /* Give up root privs */ +- setuid(getuid()); ++ if (setuid(getuid()) == -1) { ++ fprintf(stderr, "Unable to change uid: %s\n", strerror(errno)); ++ exit(2); ++ } + #endif + + XF86DGASetViewPort(dis, DefaultScreen(dis), 0, 0); Added: trunk/xorg/xinit-1.0.2-setuid-1.patch =================================================================== --- trunk/xorg/xinit-1.0.2-setuid-1.patch (rev 0) +++ trunk/xorg/xinit-1.0.2-setuid-1.patch 2006-08-05 19:31:26 UTC (rev 1618) @@ -0,0 +1,23 @@ +Submitted By: Dan Nicholson <dnicholson at linuxfromscratch dot org> +Date: 2006-08-05 +Initial Package Version: 1.0.2 +Origin: http://xorg.freedesktop.org/releases/X11R7.1/patches/ +Upstream Status: Applied +Description: Fixes a security vulnerability. See the following advisory: + http://lists.freedesktop.org/archives/xorg/2006-June/016146.html + +diff -pNur xinit-1.0.2.orig/xinit.c xinit-1.0.2/xinit.c +--- xinit-1.0.2.orig/xinit.c 2005-10-04 01:27:34.000000000 +0000 ++++ xinit-1.0.2/xinit.c 2006-08-05 16:33:59.000000000 +0000 +@@ -692,7 +692,10 @@ static int + startClient(char *client[]) + { + if ((clientpid = vfork()) == 0) { +- setuid(getuid()); ++ if (setuid(getuid()) == -1) { ++ Error("cannot change uid: %s\n", strerror(errno)); ++ _exit(ERR_EXIT); ++ } + setpgrp(0, getpid()); + environ = newenviron; + #ifdef __UNIXOS2__ Added: trunk/xorg/xload-1.0.1-setuid-1.patch =================================================================== --- trunk/xorg/xload-1.0.1-setuid-1.patch (rev 0) +++ trunk/xorg/xload-1.0.1-setuid-1.patch 2006-08-05 19:31:26 UTC (rev 1618) @@ -0,0 +1,40 @@ +Submitted By: Dan Nicholson <dnicholson at linuxfromscratch dot org> +Date: 2006-08-05 +Initial Package Version: 1.0.1 +Origin: http://xorg.freedesktop.org/releases/X11R7.1/patches/ +Upstream Status: Applied +Description: Fixes a security vulnerability. See the following advisory: + http://lists.freedesktop.org/archives/xorg/2006-June/016146.html + +diff -pNur xload-1.0.1.orig/xload.c xload-1.0.1/xload.c +--- xload-1.0.1.orig/xload.c 2004-04-23 19:54:57.000000000 +0000 ++++ xload-1.0.1/xload.c 2006-08-05 16:35:56.000000000 +0000 +@@ -34,7 +34,7 @@ from the X Consortium. + * xload - display system load average in a window + */ + +- ++#include <errno.h> + #include <stdio.h> + #include <stdlib.h> + #include <unistd.h> +@@ -162,8 +162,17 @@ main(int argc, char **argv) + /* For security reasons, we reset our uid/gid after doing the necessary + system initialization and before calling any X routines. */ + InitLoadPoint(); +- setgid(getgid()); /* reset gid first while still (maybe) root */ +- setuid(getuid()); ++ /* reset gid first while still (maybe) root */ ++ if (setgid(getgid()) == -1) { ++ fprintf(stderr, "%s: setgid failed: %s\n", ++ ProgramName, strerror(errno)); ++ exit(1); ++ } ++ if (setuid(getuid()) == -1) { ++ fprintf(stderr, "%s: setuid failed: %s\n", ++ ProgramName, strerror(errno)); ++ exit(1); ++ } + + XtSetLanguageProc(NULL, (XtLanguageProc) NULL, NULL); + Added: trunk/xorg/xorg-6.9.0-security-1.patch =================================================================== --- trunk/xorg/xorg-6.9.0-security-1.patch (rev 0) +++ trunk/xorg/xorg-6.9.0-security-1.patch 2006-08-05 19:31:26 UTC (rev 1618) @@ -0,0 +1,400 @@ +Submitted By: Dan Nicholson <dnicholson at linuxfromscratch dot org> +Date: 2006-08-05 +Initial Package Version: 6.9.0 +Origin: http://xorg.freedesktop.org/releases/X11R6.9.0/patches/ +Upstream Status: Applied +Description: Fixes 3 security vulnerabilities. See the following advisories: + http://lists.freedesktop.org/archives/xorg/2006-March/013992.html + http://lists.freedesktop.org/archives/xorg/2006-May/015136.html + http://lists.freedesktop.org/archives/xorg/2006-June/016146.html + +diff -pNur xc.orig/config/util/chownxterm.c xc/config/util/chownxterm.c +--- xc.orig/config/util/chownxterm.c 2003-11-14 16:48:20.000000000 +0000 ++++ xc/config/util/chownxterm.c 2006-08-05 16:05:19.000000000 +0000 +@@ -41,8 +41,10 @@ char *prog_name; + + void help() + { +- setgid(getgid()); +- setuid(getuid()); ++ if (setgid(getgid()) == -1) ++ exit(1); ++ if (setuid(getuid()) == -1) ++ exit(1); + printf("chown-xterm makes %s suid root\n", XTERM_PATH); + printf("This is necessary on Ultrix for /dev/tty operation.\n"); + exit(0); +@@ -51,8 +53,10 @@ void help() + void print_error(err_string) + char *err_string; + { +- setgid(getgid()); +- setuid(getuid()); ++ if (setgid(getgid()) == -1) ++ exit(1); ++ if (setuid(getuid()) == -1) ++ exit(1); + fprintf(stderr, "%s: \"%s\"", prog_name, err_string); + perror(" failed"); + exit(1); +diff -pNur xc.orig/lib/X11/lcFile.c xc/lib/X11/lcFile.c +--- xc.orig/lib/X11/lcFile.c 2005-05-13 22:53:44.000000000 +0000 ++++ xc/lib/X11/lcFile.c 2006-08-05 16:05:19.000000000 +0000 +@@ -269,7 +269,11 @@ xlocaledir( + if (seteuid(0) != 0) { + priv = 0; + } else { +- seteuid(oldeuid); ++ if (seteuid(oldeuid) == -1) { ++ /* XXX ouch, coudn't get back to original uid ++ what can we do ??? */ ++ _exit(127); ++ } + priv = 1; + } + #endif +diff -pNur xc.orig/lib/xtrans/Xtranslcl.c xc/lib/xtrans/Xtranslcl.c +--- xc.orig/lib/xtrans/Xtranslcl.c 2005-11-08 06:33:26.000000000 +0000 ++++ xc/lib/xtrans/Xtranslcl.c 2006-08-05 16:05:19.000000000 +0000 +@@ -360,7 +360,10 @@ TRANS(PTSOpenClient)(XtransConnInfo cipt + uid_t saved_euid; + + saved_euid = geteuid(); +- setuid( getuid() ); /** sets the euid to the actual/real uid **/ ++ /** sets the euid to the actual/real uid **/ ++ if (setuid( getuid() ) == -1) { ++ exit(1); ++ } + if( chown( slave, saved_euid, -1 ) < 0 ) { + exit( 1 ); + } +@@ -369,7 +372,13 @@ TRANS(PTSOpenClient)(XtransConnInfo cipt + } + + waitpid(saved_pid, &exitval, 0); +- ++ if (WIFEXITED(exitval) && WEXITSTATUS(exitval) != 0) { ++ close(fd); ++ close(server); ++ PRMSG(1, "PTSOpenClient: cannot set the owner of %s\n", ++ slave, 0, 0); ++ return(-1); ++ } + if (chmod(slave, 0666) < 0) { + close(fd); + close(server); +diff -pNur xc.orig/programs/Xserver/hw/xfree86/common/xf86Init.c xc/programs/Xserver/hw/xfree86/common/xf86Init.c +--- xc.orig/programs/Xserver/hw/xfree86/common/xf86Init.c 2005-12-14 20:12:00.000000000 +0000 ++++ xc/programs/Xserver/hw/xfree86/common/xf86Init.c 2006-08-05 16:10:26.000000000 +0000 +@@ -1376,7 +1376,7 @@ ddxProcessArgument(int argc, char **argv + } + + /* First the options that are only allowed for root */ +- if (getuid() == 0 || geteuid != 0) ++ if (getuid() == 0 || geteuid() != 0) + { + if (!strcmp(argv[i], "-modulepath")) + { +@@ -1679,7 +1679,7 @@ ddxProcessArgument(int argc, char **argv + } + if (!strcmp(argv[i], "-configure")) + { +- if (getuid() != 0 && geteuid == 0) { ++ if (getuid() != 0 && geteuid() == 0) { + ErrorF("The '-configure' option can only be used by root.\n"); + exit(1); + } +@@ -1905,7 +1905,11 @@ xf86RunVtInit(void) + FatalError("xf86RunVtInit: fork failed (%s)\n", strerror(errno)); + break; + case 0: /* child */ +- setuid(getuid()); ++ if (setuid(getuid()) == -1) { ++ xf86Msg(X_ERROR, "xf86RunVtInit: setuid failed (%s)\n", ++ strerror(errno)); ++ exit(255); ++ } + /* set stdin, stdout to the consoleFd */ + for (i = 0; i < 2; i++) { + if (xf86Info.consoleFd != i) { +diff -pNur xc.orig/programs/Xserver/hw/xfree86/os-support/shared/libc_wrapper.c xc/programs/Xserver/hw/xfree86/os-support/shared/libc_wrapper.c +--- xc.orig/programs/Xserver/hw/xfree86/os-support/shared/libc_wrapper.c 2005-07-03 08:53:48.000000000 +0000 ++++ xc/programs/Xserver/hw/xfree86/os-support/shared/libc_wrapper.c 2006-08-05 16:05:20.000000000 +0000 +@@ -1270,7 +1270,10 @@ xf86execl(const char *pathname, const ch + #ifndef SELF_CONTAINED_WRAPPER + xf86DisableIO(); + #endif +- setuid(getuid()); ++ if (setuid(getuid()) == -1) { ++ ErrorF("xf86Execl: setuid() failed: %s\n", strerror(errno)); ++ exit(255); ++ } + #if !defined(SELF_CONTAINED_WRAPPER) + /* set stdin, stdout to the consoleFD, and leave stderr alone */ + for (i = 0; i < 2; i++) +diff -pNur xc.orig/programs/Xserver/hw/xfree86/parser/write.c xc/programs/Xserver/hw/xfree86/parser/write.c +--- xc.orig/programs/Xserver/hw/xfree86/parser/write.c 2005-07-03 07:01:37.000000000 +0000 ++++ xc/programs/Xserver/hw/xfree86/parser/write.c 2006-08-05 16:05:20.000000000 +0000 +@@ -170,7 +170,10 @@ xf86writeConfigFile (const char *filenam + strerror(errno)); + return 0; + case 0: /* child */ +- setuid(getuid()); ++ if (setuid(getuid() == -1) ++ FatalError("xf86writeConfigFile(): " ++ "setuid failed(%s)\n", ++ strerror(errno)); + ret = doWriteConfigFile(filename, cptr); + exit(ret); + break; +diff -pNur xc.orig/programs/Xserver/os/utils.c xc/programs/Xserver/os/utils.c +--- xc.orig/programs/Xserver/os/utils.c 2005-11-08 06:33:30.000000000 +0000 ++++ xc/programs/Xserver/os/utils.c 2006-08-05 16:10:26.000000000 +0000 +@@ -1718,8 +1718,10 @@ System(char *command) + case -1: /* error */ + p = -1; + case 0: /* child */ +- setgid(getgid()); +- setuid(getuid()); ++ if (setgid(getgid()) == -1) ++ _exit(127); ++ if (setuid(getuid()) == -1) ++ _exit(127); + execl("/bin/sh", "sh", "-c", command, (char *)NULL); + _exit(127); + default: /* parent */ +@@ -1770,8 +1772,10 @@ Popen(char *command, char *type) + xfree(cur); + return NULL; + case 0: /* child */ +- setgid(getgid()); +- setuid(getuid()); ++ if (setgid(getgid()) == -1) ++ _exit(127); ++ if (setuid(getuid()) == -1) ++ _exit(127); + if (*type == 'r') { + if (pdes[1] != 1) { + /* stdout */ +@@ -1845,8 +1849,10 @@ Fopen(char *file, char *type) + xfree(cur); + return NULL; + case 0: /* child */ +- setgid(getgid()); +- setuid(getuid()); ++ if (setgid(getgid()) == -1) ++ _exit(127); ++ if (setuid(getuid()) == -1) ++ _exit(127); + if (*type == 'r') { + if (pdes[1] != 1) { + /* stdout */ +diff -pNur xc.orig/programs/Xserver/render/mitri.c xc/programs/Xserver/render/mitri.c +--- xc.orig/programs/Xserver/render/mitri.c 2005-07-03 07:02:08.000000000 +0000 ++++ xc/programs/Xserver/render/mitri.c 2006-08-05 16:05:07.000000000 +0000 +@@ -145,7 +145,7 @@ miTriStrip (CARD8 op, + if (npoint < 3) + return; + ntri = npoint - 2; +- tris = ALLOCATE_LOCAL (ntri & sizeof (xTriangle)); ++ tris = ALLOCATE_LOCAL (ntri * sizeof (xTriangle)); + if (!tris) + return; + for (tri = tris; npoint >= 3; npoint--, points++, tri++) +@@ -177,7 +177,7 @@ miTriFan (CARD8 op, + if (npoint < 3) + return; + ntri = npoint - 2; +- tris = ALLOCATE_LOCAL (ntri & sizeof (xTriangle)); ++ tris = ALLOCATE_LOCAL (ntri * sizeof (xTriangle)); + if (!tris) + return; + first = points++; +diff -pNur xc.orig/programs/xdm/session.c xc/programs/xdm/session.c +--- xc.orig/programs/xdm/session.c 2005-11-08 06:33:31.000000000 +0000 ++++ xc/programs/xdm/session.c 2006-08-05 16:10:26.000000000 +0000 +@@ -488,8 +488,14 @@ SessionExit (struct display *d, int stat + else + ResetServer (d); + if (removeAuth) { +- setgid (verify.gid); +- setuid (verify.uid); ++ if (setgid (verify.gid) == -1) { ++ LogError( "SessionExit: setgid: %s\n", strerror(errno)); ++ exit(status); ++ } ++ if (setuid (verify.uid) == -1) { ++ LogError( "SessionExit: setuid: %s\n", strerror(errno)); ++ exit(status); ++ } + RemoveUserAuthorization (d, &verify); + #ifdef K5AUTH + /* do like "kdestroy" program */ +diff -pNur xc.orig/programs/xdm/xdmshell.c xc/programs/xdm/xdmshell.c +--- xc.orig/programs/xdm/xdmshell.c 2005-07-14 22:58:25.000000000 +0000 ++++ xc/programs/xdm/xdmshell.c 2006-08-05 16:05:20.000000000 +0000 +@@ -183,7 +183,11 @@ main ( + #endif + + /* make xdm run in a non-setuid environment */ +- setuid (geteuid()); ++ if (setuid (geteuid()) == -1) { ++ fprintf(stderr, "%s: cannot setuid (error %d, %s)\r\n", ++ ProgramName, errno, strerror(errno)); ++ exit(1); ++ } + + /* + * exec /usr/bin/X11/xdm -nodaemon -udpPort 0 +diff -pNur xc.orig/programs/xf86dga/dga.c xc/programs/xf86dga/dga.c +--- xc.orig/programs/xf86dga/dga.c 2004-04-23 19:54:47.000000000 +0000 ++++ xc/programs/xf86dga/dga.c 2006-08-05 16:05:20.000000000 +0000 +@@ -16,6 +16,7 @@ + #include <X11/Xmd.h> + #include <X11/extensions/xf86dga.h> + #include <ctype.h> ++#include <errno.h> + #include <stdio.h> + #include <stdlib.h> + #include <signal.h> +@@ -141,7 +142,10 @@ main(int argc, char *argv[]) + + #ifndef __UNIXOS2__ + /* Give up root privs */ +- setuid(getuid()); ++ if (setuid(getuid()) == -1) { ++ fprintf(stderr, "Unable to change uid: %s\n", strerror(errno)); ++ exit(2); ++ } + #endif + + XF86DGASetViewPort(dis, DefaultScreen(dis), 0, 0); +diff -pNur xc.orig/programs/xinit/xinit.c xc/programs/xinit/xinit.c +--- xc.orig/programs/xinit/xinit.c 2005-10-04 01:27:34.000000000 +0000 ++++ xc/programs/xinit/xinit.c 2006-08-05 16:10:26.000000000 +0000 +@@ -692,7 +692,10 @@ static int + startClient(char *client[]) + { + if ((clientpid = vfork()) == 0) { +- setuid(getuid()); ++ if (setuid(getuid()) == -1) { ++ Error("cannot change uid: %s\n", strerror(errno)); ++ _exit(ERR_EXIT); ++ } + setpgrp(0, getpid()); + environ = newenviron; + #ifdef __UNIXOS2__ +diff -pNur xc.orig/programs/xload/xload.c xc/programs/xload/xload.c +--- xc.orig/programs/xload/xload.c 2004-04-23 19:54:57.000000000 +0000 ++++ xc/programs/xload/xload.c 2006-08-05 16:05:20.000000000 +0000 +@@ -34,7 +34,7 @@ from the X Consortium. + * xload - display system load average in a window + */ + +- ++#include <errno.h> + #include <stdio.h> + #include <stdlib.h> + #include <unistd.h> +@@ -162,8 +162,17 @@ main(int argc, char **argv) + /* For security reasons, we reset our uid/gid after doing the necessary + system initialization and before calling any X routines. */ + InitLoadPoint(); +- setgid(getgid()); /* reset gid first while still (maybe) root */ +- setuid(getuid()); ++ /* reset gid first while still (maybe) root */ ++ if (setgid(getgid()) == -1) { ++ fprintf(stderr, "%s: setgid failed: %s\n", ++ ProgramName, strerror(errno)); ++ exit(1); ++ } ++ if (setuid(getuid()) == -1) { ++ fprintf(stderr, "%s: setuid failed: %s\n", ++ ProgramName, strerror(errno)); ++ exit(1); ++ } + + XtSetLanguageProc(NULL, (XtLanguageProc) NULL, NULL); + +diff -pNur xc.orig/programs/xterm/main.c xc/programs/xterm/main.c +--- xc.orig/programs/xterm/main.c 2005-12-14 23:28:27.000000000 +0000 ++++ xc/programs/xterm/main.c 2006-08-05 16:05:20.000000000 +0000 +@@ -1592,8 +1592,10 @@ main(int argc, char *argv[]ENVP_ARG) + Window winToEmbedInto = None; + + #ifdef DISABLE_SETUID +- seteuid(getuid()); +- setuid(getuid()); ++ if (seteuid(getuid()) == -1) ++ exit(2); ++ if (setuid(getuid()) == -1) ++ exit(2); + #endif + + ProgramName = argv[0]; +@@ -1619,8 +1621,16 @@ main(int argc, char *argv[]ENVP_ARG) + + #if defined(USE_UTMP_SETGID) + get_pty(NULL, NULL); +- seteuid(getuid()); +- setuid(getuid()); ++ if (seteuid(getuid()) == -1) { ++ fprintf(stderr, ++ "%s: unable to change back euid\n", ProgramName); ++ exit(1); ++ } ++ if (setuid(getuid()) == -1) { ++ fprintf(stderr, ++ "%s: unable to change back uid\n", ProgramName); ++ exit(1); ++ } + #define get_pty(pty, from) really_get_pty(pty, from) + #endif + +diff -pNur xc.orig/programs/xterm/misc.c xc/programs/xterm/misc.c +--- xc.orig/programs/xterm/misc.c 2005-12-14 23:28:27.000000000 +0000 ++++ xc/programs/xterm/misc.c 2006-08-05 16:05:20.000000000 +0000 +@@ -1094,8 +1094,10 @@ creat_as(uid_t uid, gid_t gid, Bool appe + pid = fork(); + switch (pid) { + case 0: /* child */ +- setgid(gid); +- setuid(uid); ++ if (setgid(gid) == -1) ++ _exit(ERROR_SETUID); ++ if (setuid(uid) == -1) ++ _exit(ERROR_SETUID); + fd = open(pathname, + O_WRONLY | O_CREAT | (append ? O_APPEND : O_EXCL), + mode); +@@ -1262,8 +1264,10 @@ StartLog(TScreen * screen) + signal(SIGCHLD, SIG_DFL); + + /* (this is redundant) */ +- setgid(screen->gid); +- setuid(screen->uid); ++ if (setgid(screen->gid) == -1) ++ exit(ERROR_SETUID); ++ if (setuid(screen->uid) == -1) ++ exit(ERROR_SETUID); + + execl(shell, shell, "-c", &screen->logfile[1], (void *) 0); + +diff -pNur xc.orig/programs/xterm/print.c xc/programs/xterm/print.c +--- xc.orig/programs/xterm/print.c 2005-08-05 16:13:04.000000000 +0000 ++++ xc/programs/xterm/print.c 2006-08-05 16:05:21.000000000 +0000 +@@ -387,9 +387,11 @@ charToPrinter(int chr) + dup2(fileno(stderr), 2); + close(fileno(stderr)); + } +- +- setgid(screen->gid); /* don't want privileges! */ +- setuid(screen->uid); ++ /* don't want privileges! */ ++ if (setgid(screen->gid) == -1) ++ exit(2); ++ if (setuid(screen->uid) == -1) ++ exit(2); + + Printer = popen(screen->printer_command, "w"); + input = fdopen(my_pipe[0], "r"); Added: trunk/xorg/xorg-server-1.1.0-setuid-1.patch =================================================================== --- trunk/xorg/xorg-server-1.1.0-setuid-1.patch (rev 0) +++ trunk/xorg/xorg-server-1.1.0-setuid-1.patch 2006-08-05 19:31:26 UTC (rev 1618) @@ -0,0 +1,96 @@ +Submitted By: Dan Nicholson <dnicholson at linuxfromscratch dot org> +Date: 2006-08-05 +Initial Package Version: 1.1.0 +Origin: http://xorg.freedesktop.org/releases/X11R7.1/patches/ +Upstream Status: Applied +Description: Fixes a security vulnerability. See the following advisory: + http://lists.freedesktop.org/archives/xorg/2006-June/016146.html + +diff -pNur xorg-server-1.1.0.orig/hw/xfree86/common/xf86Init.c xorg-server-1.1.0/hw/xfree86/common/xf86Init.c +--- xorg-server-1.1.0.orig/hw/xfree86/common/xf86Init.c 2006-05-09 18:04:19.000000000 +0000 ++++ xorg-server-1.1.0/hw/xfree86/common/xf86Init.c 2006-08-05 16:45:38.000000000 +0000 +@@ -1905,7 +1905,11 @@ xf86RunVtInit(void) + FatalError("xf86RunVtInit: fork failed (%s)\n", strerror(errno)); + break; + case 0: /* child */ +- setuid(getuid()); ++ if (setuid(getuid()) == -1) { ++ xf86Msg(X_ERROR, "xf86RunVtInit: setuid failed (%s)\n", ++ strerror(errno)); ++ exit(255); ++ } + /* set stdin, stdout to the consoleFd */ + for (i = 0; i < 2; i++) { + if (xf86Info.consoleFd != i) { +diff -pNur xorg-server-1.1.0.orig/hw/xfree86/os-support/shared/libc_wrapper.c xorg-server-1.1.0/hw/xfree86/os-support/shared/libc_wrapper.c +--- xorg-server-1.1.0.orig/hw/xfree86/os-support/shared/libc_wrapper.c 2006-03-25 19:52:04.000000000 +0000 ++++ xorg-server-1.1.0/hw/xfree86/os-support/shared/libc_wrapper.c 2006-08-05 16:45:38.000000000 +0000 +@@ -1270,7 +1270,10 @@ xf86execl(const char *pathname, const ch + #ifndef SELF_CONTAINED_WRAPPER + xf86DisableIO(); + #endif +- setuid(getuid()); ++ if (setuid(getuid()) == -1) { ++ ErrorF("xf86Execl: setuid() failed: %s\n", strerror(errno)); ++ exit(255); ++ } + #if !defined(SELF_CONTAINED_WRAPPER) + /* set stdin, stdout to the consoleFD, and leave stderr alone */ + for (i = 0; i < 2; i++) +diff -pNur xorg-server-1.1.0.orig/hw/xfree86/parser/write.c xorg-server-1.1.0/hw/xfree86/parser/write.c +--- xorg-server-1.1.0.orig/hw/xfree86/parser/write.c 2005-07-03 07:01:37.000000000 +0000 ++++ xorg-server-1.1.0/hw/xfree86/parser/write.c 2006-08-05 16:45:38.000000000 +0000 +@@ -170,7 +170,10 @@ xf86writeConfigFile (const char *filenam + strerror(errno)); + return 0; + case 0: /* child */ +- setuid(getuid()); ++ if (setuid(getuid() == -1) ++ FatalError("xf86writeConfigFile(): " ++ "setuid failed(%s)\n", ++ strerror(errno)); + ret = doWriteConfigFile(filename, cptr); + exit(ret); + break; +diff -pNur xorg-server-1.1.0.orig/os/utils.c xorg-server-1.1.0/os/utils.c +--- xorg-server-1.1.0.orig/os/utils.c 2006-03-25 19:52:05.000000000 +0000 ++++ xorg-server-1.1.0/os/utils.c 2006-08-05 16:45:38.000000000 +0000 +@@ -1721,8 +1721,10 @@ System(char *command) + case -1: /* error */ + p = -1; + case 0: /* child */ +- setgid(getgid()); +- setuid(getuid()); ++ if (setgid(getgid()) == -1) ++ _exit(127); ++ if (setuid(getuid()) == -1) ++ _exit(127); + execl("/bin/sh", "sh", "-c", command, (char *)NULL); + _exit(127); + default: /* parent */ +@@ -1773,8 +1775,10 @@ Popen(char *command, char *type) + xfree(cur); + return NULL; + case 0: /* child */ +- setgid(getgid()); +- setuid(getuid()); ++ if (setgid(getgid()) == -1) ++ _exit(127); ++ if (setuid(getuid()) == -1) ++ _exit(127); + if (*type == 'r') { + if (pdes[1] != 1) { + /* stdout */ +@@ -1848,8 +1852,10 @@ Fopen(char *file, char *type) + xfree(cur); + return NULL; + case 0: /* child */ +- setgid(getgid()); +- setuid(getuid()); ++ if (setgid(getgid()) == -1) ++ _exit(127); ++ if (setuid(getuid()) == -1) ++ _exit(127); + if (*type == 'r') { + if (pdes[1] != 1) { + /* stdout */ Added: trunk/xorg/xtrans-1.0.0-setuid-1.patch =================================================================== --- trunk/xorg/xtrans-1.0.0-setuid-1.patch (rev 0) +++ trunk/xorg/xtrans-1.0.0-setuid-1.patch 2006-08-05 19:31:26 UTC (rev 1618) @@ -0,0 +1,38 @@ +Submitted By: Dan Nicholson <dnicholson at linuxfromscratch dot org> +Date: 2006-08-05 +Initial Package Version: 1.0.0 +Origin: http://xorg.freedesktop.org/releases/X11R7.1/patches/ +Upstream Status: Applied +Description: Fixes a security vulnerability. See the following advisory: + http://lists.freedesktop.org/archives/xorg/2006-June/016146.html + +diff -pNur xtrans-1.0.0.orig/Xtranslcl.c xtrans-1.0.0/Xtranslcl.c +--- xtrans-1.0.0.orig/Xtranslcl.c 2005-11-08 06:33:26.000000000 +0000 ++++ xtrans-1.0.0/Xtranslcl.c 2006-08-05 16:47:29.000000000 +0000 +@@ -360,7 +360,10 @@ TRANS(PTSOpenClient)(XtransConnInfo cipt + uid_t saved_euid; + + saved_euid = geteuid(); +- setuid( getuid() ); /** sets the euid to the actual/real uid **/ ++ /** sets the euid to the actual/real uid **/ ++ if (setuid( getuid() ) == -1) { ++ exit(1); ++ } + if( chown( slave, saved_euid, -1 ) < 0 ) { + exit( 1 ); + } +@@ -369,7 +372,13 @@ TRANS(PTSOpenClient)(XtransConnInfo cipt + } + + waitpid(saved_pid, &exitval, 0); +- ++ if (WIFEXITED(exitval) && WEXITSTATUS(exitval) != 0) { ++ close(fd); ++ close(server); ++ PRMSG(1, "PTSOpenClient: cannot set the owner of %s\n", ++ slave, 0, 0); ++ return(-1); ++ } + if (chmod(slave, 0666) < 0) { + close(fd); + close(server); -- http://linuxfromscratch.org/mailman/listinfo/patches FAQ: http://www.linuxfromscratch.org/faq/ Unsubscribe: See the above information page
