125803 2006-03-11 02:33 0000 x11-base/xorg-x11: Local root (CVE-2006-0745) 2006-03-23 04:10:12 0000 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED ~1 [noglsa] jaervosz P2 trivial --- 1 koon@gentoo.org security@gentoo.org dberkholz@gentoo.org pva@gentoo.org koon@gentoo.org 2006-03-11 02:33:48 0000 Coverity scanned X.org code and reported a few bugs, one of which has serious security consequences (local privilege escalation). This is (confidential) X.Org bug #6213 Proposed embargo date set to April 6th. koon@gentoo.org 2006-03-11 02:35:34 0000 Created an attachment (id=81903) CVE-2006-0745.diff Patch demonstrating the issue. koon@gentoo.org 2006-03-11 02:36:31 0000 Setting status koon@gentoo.org 2006-03-12 10:33:09 0000 Ccing maintainer. Donnie, this is very confidential and will stay that way until April 6th. We should prepare packages outside of portage (attch ebuilds to this bug) so that arch security liaisons can test them and be ready for the release date. dberkholz@gentoo.org 2006-03-12 17:39:57 0000 (In reply to comment #3) > Ccing maintainer. > Donnie, this is very confidential and will stay that way until April 6th. We > should prepare packages outside of portage (attch ebuilds to this bug) so that > arch security liaisons can test them and be ready for the release date. Damn, this means I have to touch the monolith again. You don't need to tell me it's confidential. Mind if I add josh_b to CC? dercorny@gentoo.org 2006-03-12 17:54:21 0000 Well, if you *really* need him, add him. But keep in mind that security team will come and kill you and him if this gets leaked. dberkholz@gentoo.org 2006-03-12 18:09:16 0000 OK, rain on my parade. I'll just tell him there's a security issue coming up and withhold the details. dberkholz@gentoo.org 2006-03-14 14:21:09 0000 OK, just learned that the date was moved forward to next Monday (Mar. 20). As a result, I'll try to get ebuilds up by tomorrow or so. dberkholz@gentoo.org 2006-03-14 15:48:57 0000 The affected code has never been in Gentoo outside of package.mask, as it was introduced in the 6.8.99 series and modular X is also still masked. Do you still want a GLSA for it? jaervosz@gentoo.org 2006-03-14 21:50:16 0000 If it the affected package has never been stable we don't normally issue GLSAs. dberkholz@gentoo.org 2006-03-16 00:26:21 0000 Created an attachment (id=82269) xorg-server-1.0.1-CVE-2006-0745.patch dberkholz@gentoo.org 2006-03-16 00:26:41 0000 Created an attachment (id=82270) xorg-server-1.0.1-r5.ebuild dberkholz@gentoo.org 2006-03-16 00:27:47 0000 Note that this won't actually be added to the portage tree, because we're expecting a new upstream release. But it should be sufficient for testing the patch under modular X. I'll also add 6.9.0 for those 6.8.99.x users, but I'm not going to post it on this bug. solar@gentoo.org 2006-03-16 07:24:21 0000 When this bug goes public. Can you add the new version and remove all old (vuln) ebuilds so no new installs of xorg can only be done without the vuln code. dberkholz@gentoo.org 2006-03-16 09:32:49 0000 (In reply to comment #13) > When this bug goes public. Can you add the new version and remove all old > (vuln) ebuilds so no new installs of xorg can only be done without the vuln > code. Yep, that's the plan. Vulnerable are xorg-x11-6.8.99.15-r4.ebuild and xorg-server-1.0.1-r4.ebuild, which will be replaced by xorg-x11-6.9.0.ebuild and (probably) xorg-server-1.0.2.ebuild. solar@gentoo.org 2006-03-17 10:00:12 0000 This may be delayed again. From: Daniel Stone <daniel@fooishbar.org> To: Matthieu Herrb <matthieu.herrb@laas.fr> Cc: xorg_security@x.org, vendor-sec@lst.de, Jesse Keating <jkeating@j2solutions.net> Subject: Re: [Xorg_security] Re: [vendor-sec] X.Org 6.9/7.0 local root - found by coverity Date: Thu, 16 Mar 2006 16:44:06 +0200 (09:44 EST) On Thu, Mar 16, 2006 at 03:38:01PM +0100, Matthieu Herrb wrote: > Jesse Keating wrote: > >On 03/15/2006 Matthieu Herrb wrote: > >>Fedora project is going to release FC5 on March 20, but they'll start to > >>push the packages to their mirrors tomorrow, thurday 16. So this should > >>be considered as public starting at this date. > > > >Thats actually not true. We were hoping to, but we just didn't get > >enough communication in time. We will be releasing this as a 0-day > >update for Fedora, but it will not make the shipping CDs. > > So back to March 20, 14:0O UTC for the official disclosure, or did > someone already disclose it today? Given that 1400 UTC was 43 minutes ago, I think we should wait until Monday so we have the chance to write a sensible advisory and whatnot. I'll handle this, unless someone else really wants to. dberkholz@gentoo.org 2006-03-17 10:42:10 0000 (In reply to comment #15) > This may be delayed again. ... > > So back to March 20, 14:0O UTC for the official disclosure, or did > > someone already disclose it today? > > Given that 1400 UTC was 43 minutes ago, I think we should wait until > Monday so we have the chance to write a sensible advisory and whatnot. > I'll handle this, unless someone else really wants to. That doesn't look like a delay at all, it looks like staying where it was at March 20. solar@gentoo.org 2006-03-17 11:02:30 0000 They appeared to be speeding up the release day then pulled back if nobody had released the patch yet. koon@gentoo.org 2006-03-19 07:24:09 0000 (In reply to comment #8) > The affected code has never been in Gentoo outside of package.mask, as it was > introduced in the 6.8.99 series and modular X is also still masked. > > Do you still want a GLSA for it? No. There won't be a GLSA for it if the stable version isn't/wasn't affected. So let's downgrade severity... koon@gentoo.org 2006-03-20 09:40:07 0000 Now public on xorg lists and BugTraq. Feel free to commit :) dberkholz@gentoo.org 2006-03-21 12:56:41 0000 We should be all set on this. jaervosz@gentoo.org 2006-03-21 13:27:08 0000 Thx Donnie. Closing without GLSA as this has never been outside of package.mask. dercorny@gentoo.org 2006-03-23 04:10:12 0000 *** Bug 127289 has been marked as a duplicate of this bug. *** 81903 2006-03-11 02:35 0000 CVE-2006-0745.diff CVE-2006-0745.diff text/plain ZGlmZiAtdSAtdSAtcjEuMjkgeGY4NkluaXQuYwotLS0geGY4NkluaXQuYyAgICAxNCBEZWMgMjAw NSAyMDoxMjowMCAtMDAwMCAgICAxLjI5CisrKyB4Zjg2SW5pdC5jICAgIDEwIE1hciAyMDA2IDEx OjIxOjM3IC0wMDAwCkBAIC0xMzc2LDcgKzEzNzYsNyBAQAogICAgIH0KCiAgIC8qIEZpcnN0IHRo ZSBvcHRpb25zIHRoYXQgYXJlIG9ubHkgYWxsb3dlZCBmb3Igcm9vdCAqLwotICBpZiAoZ2V0dWlk KCkgPT0gMCB8fCBnZXRldWlkICE9IDApCisgIGlmIChnZXR1aWQoKSA9PSAwIHx8IGdldGV1aWQo KSAhPSAwKQogICB7CiAgICAgaWYgKCFzdHJjbXAoYXJndltpXSwgIi1tb2R1bGVwYXRoIikpCiAg ICAgewpAQCAtMTY3OSw3ICsxNjc5LDcgQEAKICAgfQogICBpZiAoIXN0cmNtcChhcmd2W2ldLCAi LWNvbmZpZ3VyZSIpKQogICB7Ci0gICAgaWYgKGdldHVpZCgpICE9IDAgJiYgZ2V0ZXVpZCA9PSAw KSB7CisgICAgaWYgKGdldHVpZCgpICE9IDAgJiYgZ2V0ZXVpZCgpID09IDApIHsKICAgICBFcnJv ckYoIlRoZSAnLWNvbmZpZ3VyZScgb3B0aW9uIGNhbiBvbmx5IGJlIHVzZWQgYnkgcm9vdC5cbiIp OwogICAgIGV4aXQoMSk7CiAgICAgfSAK 82269 2006-03-16 00:26 0000 xorg-server-1.0.1-CVE-2006-0745.patch xorg-server-1.0.1-CVE-2006-0745.patch text/plain Rml4IGEgbG9jYWwgZGVuaWFsIG9mIHNlcnZpY2UgYW5kIGFyYml0cmFyeSBjb2RlIGV4ZWN1dGlv biBhcyByb290LgoKLS0tIHhjLm9yaWcvcHJvZ3JhbXMvWHNlcnZlci9ody94ZnJlZTg2L2NvbW1v bi94Zjg2SW5pdC5jCTIwMDYtMDMtMTQgMjI6NDU6NDYuMDAwMDAwMDAwIC0wODAwCisrKyB4Yy9w cm9ncmFtcy9Yc2VydmVyL2h3L3hmcmVlODYvY29tbW9uL3hmODZJbml0LmMJMjAwNi0wMy0xNCAy Mjo0NjowNi4wMDAwMDAwMDAgLTA4MDAKQEAgLTEzNzYsNyArMTM3Niw3IEBACiAgICAgfQogICAK ICAgLyogRmlyc3QgdGhlIG9wdGlvbnMgdGhhdCBhcmUgb25seSBhbGxvd2VkIGZvciByb290ICov Ci0gIGlmIChnZXR1aWQoKSA9PSAwIHx8IGdldGV1aWQgIT0gMCkKKyAgaWYgKGdldHVpZCgpID09 IDAgfHwgZ2V0ZXVpZCgpICE9IDApCiAgIHsKICAgICBpZiAoIXN0cmNtcChhcmd2W2ldLCAiLW1v ZHVsZXBhdGgiKSkKICAgICB7CkBAIC0xNjc5LDcgKzE2NzksNyBAQAogICB9CiAgIGlmICghc3Ry Y21wKGFyZ3ZbaV0sICItY29uZmlndXJlIikpCiAgIHsKLSAgICBpZiAoZ2V0dWlkKCkgIT0gMCAm JiBnZXRldWlkID09IDApIHsKKyAgICBpZiAoZ2V0dWlkKCkgIT0gMCAmJiBnZXRldWlkKCkgPT0g MCkgewogCUVycm9yRigiVGhlICctY29uZmlndXJlJyBvcHRpb24gY2FuIG9ubHkgYmUgdXNlZCBi eSByb290LlxuIik7CiAJZXhpdCgxKTsKICAgICB9Cg== 82270 2006-03-16 00:26 0000 xorg-server-1.0.1-r5.ebuild xorg-server-1.0.1-r5.ebuild text/plain IyBDb3B5cmlnaHQgMTk5OS0yMDA2IEdlbnRvbyBGb3VuZGF0aW9uCiMgRGlzdHJpYnV0ZWQgdW5k ZXIgdGhlIHRlcm1zIG9mIHRoZSBHTlUgR2VuZXJhbCBQdWJsaWMgTGljZW5zZSB2MgojICRIZWFk ZXI6IC92YXIvY3Zzcm9vdC9nZW50b28teDg2L3gxMS1iYXNlL3hvcmctc2VydmVyL3hvcmctc2Vy dmVyLTEuMC4xLXI0LmVidWlsZCx2IDEuMSAyMDA2LzAyLzE5IDAzOjU0OjU2IHNweWRlcm91cyBF eHAgJAoKIyBNdXN0IGJlIGJlZm9yZSB4LW1vZHVsYXIgZWNsYXNzIGlzIGluaGVyaXRlZAojIEhh Y2sgdG8gbWFrZSBzdXJlIGF1dG9yZWNvbmYgZ2V0cyBydW4KI1NOQVBTSE9UPSJ5ZXMiCgppbmhl cml0IGZsYWctby1tYXRpYyB4LW1vZHVsYXIgbXVsdGlsaWIKCk9QRU5HTF9ESVI9InhvcmcteDEx IgoKTUVTQV9QTj0iTWVzYSIKTUVTQV9QVj0iNi40LjIiCk1FU0FfUD0iJHtNRVNBX1BOfS0ke01F U0FfUFZ9IgpNRVNBX1NSQ19QPSIke01FU0FfUE59TGliLSR7TUVTQV9QVn0iCgpQQVRDSEVTPSIk e0ZJTEVTRElSfS8ke1B9LVNidXMucGF0Y2gKCSR7RklMRVNESVJ9LyR7UH0tYmFja3RyYWNlLnBh dGNoCgkke0ZJTEVTRElSfS8ke1B9LWFtZDY0LWZpeC1mb3ItZ2x4LnBhdGNoCgkke0ZJTEVTRElS fS8ke1B9LTY0Yml0LWZpeC1oYXZlLWRpeC1jb25maWcucGF0Y2gKCSR7RklMRVNESVJ9LyR7UH0t NjRiaXQtZml4LWluZGlyZWN0LXZlcnRleC1hcnJheS5wYXRjaAoJJHtGSUxFU0RJUn0vJHtQfS1D VkUtMjAwNi0wNzQ1LnBhdGNoIgoKU1JDX1VSST0iJHtTUkNfVVJJfQoJbWlycm9yOi8vc291cmNl Zm9yZ2UvbWVzYTNkLyR7TUVTQV9TUkNfUH0udGFyLmJ6MiIKREVTQ1JJUFRJT049IlguT3JnIFgg c2VydmVycyIKS0VZV09SRFM9In5hbHBoYSB+YW1kNjQgfmFybSB+aHBwYSB+aWE2NCB+bWlwcyB+ cHBjIH5wcGM2NCB+c2ggfnNwYXJjIH54ODYiCklVU0U9ImRyaSBpcHY2IG1pbmltYWwgeHByaW50 IgpSREVQRU5EPSJ4MTEtbGlicy9saWJYZm9udAoJeDExLWxpYnMveHRyYW5zCgl4MTEtbGlicy9s aWJYYXUKCXgxMS1saWJzL2xpYlhleHQKCXgxMS1saWJzL2xpYlgxMQoJeDExLWxpYnMvbGlieGti ZmlsZQoJeDExLWxpYnMvbGliWGRtY3AKCXgxMS1saWJzL2xpYlhtdQoJeDExLWxpYnMvbGliWHJl bmRlcgoJeDExLWxpYnMvbGliWGkKCW1lZGlhLWxpYnMvZnJlZXR5cGUKCT49bWVkaWEtbGlicy9t ZXNhLTYKCW1lZGlhLWZvbnRzL2ZvbnQtbWlzYy1taXNjCgltZWRpYS1mb250cy9mb250LWN1cnNv ci1taXNjCgl4MTEtbWlzYy94Yml0bWFwcwoJfHwgKCB4MTEtbWlzYy94a2V5Ym9hcmQtY29uZmln IHgxMS1taXNjL3hrYmRhdGEgKQoJeDExLWFwcHMvaWNlYXV0aAoJeDExLWFwcHMvcmdiCgl4MTEt YXBwcy94YXV0aAoJeDExLWFwcHMveGluaXQKCWFwcC1hZG1pbi9lc2VsZWN0LW9wZW5nbAoJeDEx LWxpYnMvbGliWGF3Cgl4MTEtbGlicy9saWJYcG0KCXgxMS1saWJzL2xpYlh4Zjg2bWlzYwoJeDEx LWxpYnMvbGliWHhmODZ2bQoJIW1pbmltYWw/ICggeDExLWxpYnMvbGliZG14CgkJeDExLWxpYnMv bGliWHRzdAoJCXgxMS1saWJzL2xpYlhyZXMgKQoJeDExLWxpYnMvbGlieGtidWkKCXgxMS1saWJz L2xpYmxieHV0aWwiCgkjIFhyZXMgaXMgZG14LWRlcGVuZGVudCwgeGtidWkgaXMgeG9yZ2NmZy1k ZXBlbmRlbnQKCSMgWGF3IGlzIGRteC0gYW5kIHhvcmdjZmctZGVwZW5kZW50CgkjIFhwbSBpcyBk bXgtIGFuZCB4b3JnY2ZnLWRlcGVuZGVudCwgcHVsbHMgaW4gWHQKCSMgWHhmODZtaXNjIGFuZCBY eGY4NnZtIGFyZSB4b3JnY2ZnLWRlcGVuZGVudAoJIyBsaWJsYnh1dGlsIGlzIGxieC0gZGVwZW5k ZW50CkRFUEVORD0iJHtSREVQRU5EfQoJeDExLXByb3RvL3JhbmRycHJvdG8KCXgxMS1wcm90by9y ZW5kZXJwcm90bwoJeDExLXByb3RvL2ZpeGVzcHJvdG8KCXgxMS1wcm90by9kYW1hZ2Vwcm90bwoJ eDExLXByb3RvL3hleHRwcm90bwoJeDExLXByb3RvL3hwcm90bwoJeDExLXByb3RvL3hmODZkZ2Fw cm90bwoJeDExLXByb3RvL3hmODZtaXNjcHJvdG8KCXgxMS1wcm90by94Zjg2cnVzaHByb3RvCgl4 MTEtcHJvdG8veGY4NnZpZG1vZGVwcm90bwoJeDExLXByb3RvL3hmODZiaWdmb250cHJvdG8KCXgx MS1wcm90by9jb21wb3NpdGVwcm90bwoJeDExLXByb3RvL3JlY29yZHByb3RvCgl4MTEtcHJvdG8v cmVzb3VyY2Vwcm90bwoJeDExLXByb3RvL3ZpZGVvcHJvdG8KCXgxMS1wcm90by9zY3Juc2F2ZXJw cm90bwoJeDExLXByb3RvL2V2aWVleHQKCXgxMS1wcm90by90cmFwcHJvdG8KCT49eDExLXByb3Rv L3hpbmVyYW1hcHJvdG8tMS4xLXIxCgl4MTEtcHJvdG8vZm9udHNwcm90bwoJPj14MTEtcHJvdG8v a2Jwcm90by0xLjAtcjEKCXgxMS1wcm90by9pbnB1dHByb3RvCgl4MTEtcHJvdG8vYmlncmVxc3By b3RvCgl4MTEtcHJvdG8veGNtaXNjcHJvdG8KCT49eDExLXByb3RvL2dscHJvdG8tMS40LjFfcHJl MjAwNTEwMTMKCSFtaW5pbWFsPyAoIHgxMS1wcm90by9kbXhwcm90byApCglkcmk/ICggeDExLXBy b3RvL3hmODZkcmlwcm90bwoJCT49eDExLWxpYnMvbGliZHJtLTIgKQoJeHByaW50PyAoIHgxMS1w cm90by9wcmludHByb3RvCgkJeDExLWFwcHMvbWtmb250ZGlyCgkJeDExLWFwcHMvbWtmb250c2Nh bGUgKSIKTElDRU5TRT0iJHtMSUNFTlNFfSBNSVQiCgpwa2dfc2V0dXAoKSB7CgkjIGxvY2Fsc3Rh dGVkaXIgaXMgdXNlZCBmb3IgdGhlIGxvZyBsb2NhdGlvbjsgd2UgbmVlZCB0byBvdmVycmlkZSB0 aGUgZGVmYXVsdAoJIyBmcm9tIGVidWlsZC5zaAoJIyBzeXNjb25mZGlyIGlzIHVzZWQgZm9yIHRo ZSB4b3JnLmNvbmYgbG9jYXRpb247IHNhbWUgYXBwbGllcwoKCSMgLS1lbmFibGUteG9yZyBuZWVk ZWQgYmVjYXVzZSBkYXJ3aW4gZGVmYXVsdHMgb2ZmCgkjIC0tZW5hYmxlLWluc3RhbGwtc2V0dWlk IG5lZWRlZCBiZWNhdXNlIHNwYXJjcyBkZWZhdWx0IG9mZgoJQ09ORklHVVJFX09QVElPTlM9IgoJ CSQodXNlX2VuYWJsZSBpcHY2KQoJCSQodXNlX2VuYWJsZSAhbWluaW1hbCBkbXgpCgkJJCh1c2Vf ZW5hYmxlICFtaW5pbWFsIHh2ZmIpCgkJJCh1c2VfZW5hYmxlICFtaW5pbWFsIHhuZXN0KQoJCSQo dXNlX2VuYWJsZSBkcmkpCgkJJCh1c2VfZW5hYmxlIHhwcmludCkKCQktLXdpdGgtbWVzYS1zb3Vy Y2U9JHtXT1JLRElSfS8ke01FU0FfUH0KCQktLWVuYWJsZS14b3JnCgkJLS1zeXNjb25mZGlyPS9l dGMvWDExCgkJLS1sb2NhbHN0YXRlZGlyPS92YXIKCQktLWVuYWJsZS1pbnN0YWxsLXNldHVpZAoJ CS0td2l0aC1kZWZhdWx0LWZvbnQtcGF0aD0vdXNyL3NoYXJlL2ZvbnRzL21pc2MsL3Vzci9zaGFy ZS9mb250cy83NWRwaSwvdXNyL3NoYXJlL2ZvbnRzLzEwMGRwaSwvdXNyL3NoYXJlL2ZvbnRzL1RU RiwvdXNyL3NoYXJlL2ZvbnRzL1R5cGUxIgoKCSMgKCMxMjEzOTQpIENhdXNlcyB3aW5kb3cgY29y cnVwdGlvbgoJZmlsdGVyLWZsYWdzIC1md2ViCn0KCnNyY19pbnN0YWxsKCkgewoJeC1tb2R1bGFy X3NyY19pbnN0YWxsCgoJZHluYW1pY19saWJnbF9pbnN0YWxsCn0KCnBrZ19wb3N0aW5zdCgpIHsK CXN3aXRjaF9vcGVuZ2xfaW1wbGVtCn0KCnBrZ19wb3N0cm0oKSB7CgkjIEdldCByaWQgb2YgbW9k dWxlIGRpciB0byBlbnN1cmUgb3BlbmdsLXVwZGF0ZSB3b3JrcyBwcm9wZXJseQoJaWYgISBoYXNf dmVyc2lvbiB4MTEtYmFzZS94b3JnLXNlcnZlcjsgdGhlbgoJCWlmIFsgLWUgJHtST09UfS91c3Iv JChnZXRfbGliZGlyKS94b3JnL21vZHVsZXMgXTsgdGhlbgoJCQlybSAtcmYgJHtST09UfS91c3Iv JChnZXRfbGliZGlyKS94b3JnL21vZHVsZXMKCQlmaQoJZmkKfQoKZHluYW1pY19saWJnbF9pbnN0 YWxsKCkgewoJIyBuZXh0IHNlY3Rpb24gaXMgdG8gc2V0dXAgdGhlIGR5bmFtaWMgbGliR0wgc3R1 ZmYKCWViZWdpbiAiTW92aW5nIEdMIGZpbGVzIGZvciBkeW5hbWljIHN3aXRjaGluZyIKCQlkb2Rp ciAvdXNyLyQoZ2V0X2xpYmRpcikvb3BlbmdsLyR7T1BFTkdMX0RJUn0vZXh0ZW5zaW9ucwoJCWxv Y2FsIHg9IiIKCQlmb3IgeCBpbiAke0R9L3Vzci8kKGdldF9saWJkaXIpL3hvcmcvbW9kdWxlcy9l eHRlbnNpb25zL2xpYmdseCo7IGRvCgkJCWlmIFsgLWYgJHt4fSAtbyAtTCAke3h9IF07IHRoZW4K CQkJCW12IC1mICR7eH0gJHtEfS91c3IvJChnZXRfbGliZGlyKS9vcGVuZ2wvJHtPUEVOR0xfRElS fS9leHRlbnNpb25zCgkJCWZpCgkJZG9uZQoJZWVuZCAwCn0KCnN3aXRjaF9vcGVuZ2xfaW1wbGVt KCkgewoJCSMgU3dpdGNoIHRvIHRoZSB4b3JnIGltcGxlbWVudGF0aW9uLgoJCSMgVXNlIG5ldyBv cGVuZ2wtdXBkYXRlIHRoYXQgd2lsbCBub3QgcmVzZXQgdXNlciBzZWxlY3RlZAoJCSMgT3BlbkdM IGludGVyZmFjZSAuLi4KCQllY2hvCgkJZXNlbGVjdCBvcGVuZ2wgc2V0IC0tdXNlLW9sZCAke09Q RU5HTF9ESVJ9Cn0K