Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 551680 (CVE-2015-3164) - <x11-base/xorg-server[wayland]-1.16.4-r3: Missing authentication in XWayland (CVE-2015-3164)
Summary: <x11-base/xorg-server[wayland]-1.16.4-r3: Missing authentication in XWayland ...
Status: RESOLVED FIXED
Alias: CVE-2015-3164
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: http://lists.freedesktop.org/archives...
Whiteboard: B1 [glsa cve]
Keywords:
Depends on: 559062
Blocks:
  Show dependency tree
 
Reported: 2015-06-10 15:58 UTC by Manuel Rüger (RETIRED)
Modified: 2017-01-25 13:09 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Manuel Rüger (RETIRED) gentoo-dev 2015-06-10 15:58:37 UTC
X.Org/Wayland Security Advisory: June 10th, 2015 - CVE-2015-3164
Unauthorised local client access in XWayland
============================================

Description:
============

Ray Strode, a developer at Red Hat, discovered an authentication setup
issue inside the XWayland compatibility server, used to host X11 clients
inside a Wayland compositor's session. XWayland is used by Weston and
Mutter / GNOME Shell's Wayland mode.

Due to an omission in authentication setup, the XWayland server would
start up in non-authenticating mode, meaning that any client with access
to the server's UNIX socket was able to connect to the server and use it
as a regular client. No Wayland compositor was known to start XWayland
with TCP access open, so remote exploitation is not considered possible.

On many systems, all local users would have full access to the XWayland
server, allowing untrusted users to capture contents of, and input
destined for, other X11 clients.

This permission bypass does not extend to native Wayland clients:
XWayland is not given access to the buffers of any Wayland clients in
the host session, nor is any input sent to XWayland unless an X11
client was active at that time.

The resolution was to restrict XWayland connections to the same UID as
the server itself, matching Wayland's default permissions.

This vulnerability has been assigned CVE-2015-3164.


Affected versions:
==================

The separate XWayland DDX was introduced with version 1.16 of the X.Org
Server release, and this vulnerability has been present in all versions
since. Versions prior to these releases used a separate 'xwayland'
module within the Xorg DDX, which is unaffected by this vulnerability.

All Weston versions since 1.5.0 use the new Xwayland server, as well as
all released Wayland versions of Mutter / GNOME Shell.


Fixes:
======

Fixes are available in the patches for these X server git commits:
        c4534a38b68aa07fb82318040dc8154fb48a9588
        4b4b9086d02b80549981d205fb1f495edc373538
        76636ac12f2d1dbdf7be08222f80e7505d53c451

Which are now available from:
        git://anongit.freedesktop.org/git/xorg/xserver
        http://cgit.freedesktop.org/xorg/xserver/

Fixes will also be included in the 1.18 series and its release candidates,
as well as the 1.17.2 stable release.

Thanks:
=======

X.Org and the Wayland community thank Ray Strode of Red Hat for reporting
these issues to our security team and developing the fixes.
Comment 1 Chí-Thanh Christopher Nguyễn gentoo-dev 2015-06-11 17:08:26 UTC
Relevant upstream commits:

http://cgit.freedesktop.org/xorg/xserver/commit/?id=c4534a38b68aa07fb82318040dc8154fb48a9588
http://cgit.freedesktop.org/xorg/xserver/commit/?id=4b4b9086d02b80549981d205fb1f495edc373538
http://cgit.freedesktop.org/xorg/xserver/commit/?id=76636ac12f2d1dbdf7be08222f80e7505d53c451

This affects xorg-server-1.16 and newer when built with USE="wayland". Older versions are not affected.
Comment 2 jospezial 2015-06-17 12:59:42 UTC
http://lists.x.org/archives/xorg-announce/2015-June/002614.html

[ANNOUNCE] xorg-server 1.17.2

This picks up a pile of fixes from master.  Notable highlights:

- Fix for CVE-2015-3164 in Xwayland
- Fix int10 setup for vesa
- Fix regression in server-interpreted auth
- Fix fb setup on big-endian CPUs
- Build fix for for gcc5

Complete changelog:

Aaron Plattner (2):
      xfree86: Fix xf86_check_platform_slot's handling of PCI
      xfree86: Add GPU screens even if there are no active GDevs

Adam Jackson (1):
      xserver 1.17.2

Adel Gadllah (1):
      modesetting: Fix software cursor fallback

Alan Coopersmith (2):
      Clear ListenTransConns entries in CloseWellKnownConnections
      Accept x86_64 as well as i*86 for $host_cpu in Solaris on x86

Brent Collins (1):
      shm: Fix xselinux resource initialization for xinerama pixmaps

Chris Wilson (2):
      shm: Fix use-after-free in ShmDestroyPixmap
      present: Copy unflip contents back to the Screen Pixmap

Colin Harrison (2):
      os/xdmcp.c: Include Xtrans.h when building for WIN32
      os/utils.c: Don't try to build os_move_fd() for WIN32

Dave Airlie (2):
      os/access: fix regression in server interpreted auth
      glamor: don't do render ops with matching source/dest (v2)

Dima Ryazanov (1):
      xwayland: Implement smooth scrolling

Egbert Eich (6):
      symbols: Fix sdksyms.sh to cope with gcc5
      Xephyr: Don't crash when no command line argument is specified
      Xephyr: Print default server display number if none is specified
      Xephyr: Fix compile when debugging is enabled
      Xephyr: Fix screen image draw for the non-Glamor & non-XHSM case
      Xephyr: Fix broken image when endianess of client machine and host-Xserver differ

Emil Velikov (2):
      randr: remove chatty error messages
      randr: use randr: prefix in ErrorF()

Hans de Goede (1):
      Re-enable non serverfd input devices immediately on vtenter

Jason Gerecke (2):
      xfree86: Return NULL from xf86CompatOutput if no compat_output is defined
      dix: Do not allow device transform to be set on valuatorless devices

Jon TURNEY (9):
      ephyr: Avoid a segfault with 'DISPLAY= Xephy -glamor'
      os: XDMCP options like -query etc. should imply -listen tcp
      os: Teach vpnprintf() how to handle "%*.*s"
      hw/xwin/glx: Refactor parsing of the <proto> XML element
      hw/xwin/glx: Improve code generator to deal with latest Khronos OpenGL registry XML
      hw/xwin: Report Cygwin version information in log
      glamor: Fix build when configured --enable-glamor --disable-xshmfence
      hw/xwin/winclipboard: Link xwinclip with -lpthread
      hw/xnest: Fix build for MinGW

Jonathan Gray (2):
      glamor: remove const from the return type of glamor_get_drawable_location()
      glamor: fix build when DRI3 is not defined

Jürg Billeter (1):
      int10: Fix error check for pci_device_map_legacy

Keith Packard (1):
      mi: Partial pie-slice filled arcs may need more space for spans

Maarten Lankhorst (4):
      glamor: only use (un)pack_subimage when available
      glamor: do not check for gl errors in glamor_build_program
      glamor: Use GL_FRAMEBUFFER instead of GL_READ_FRAMEBUFFER
      glamor: GL_TEXTURE_MAX_LEVEL is not available on GLES2

Michal Srb (1):
      Expose GetMaster to modules.

Michel Dänzer (2):
      Add AC_SYS_LARGEFILE defines to dix-config.h
      modesetting: Include dix-config.h from dumb_bo.c

Olivier Fourdan (4):
      ephyr: Fail if glamor is requested but not usable
      xwayland: Add dependency on glamor libs
      glamor: check max native ALU instructions
      dix: Fix image byte order on big endian hardware

Ray Strode (5):
      systemd-logind: filter out non-signal messages from message filter
      systemd-logind: don't second guess D-Bus default timeout
      xwayland: Enable access control on open sockets [CVE-2015-3164 1/3]
      os: support new implicit local user access mode [CVE-2015-3164 2/3]
      xwayland: default to local user if no xauth file given. [CVE-2015-3164 3/3]

Robert Ancell (1):
      xwayland: Fix error strings

Rui Matos (2):
      dix/events: Set currentTime to the given time stamp in NoticeTime
      xwayland: Throttle our cursor surface updates with a frame callback

Vicente Olivert Riera (1):
      backtrace.c: Fix word cast to a pointer

git tag: xorg-server-1.17.2
Comment 3 jospezial 2015-06-17 13:01:08 UTC
renamed copy of xorg-server-1.17.1-r1.ebuild works
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2015-07-06 04:08:09 UTC
CVE-2015-3164 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3164):
  The authentication setup in XWayland 1.16.x and 1.17.x before 1.17.2 starts
  the server in non-authenticating mode, which allows local users to read from
  or send information to arbitrary X11 clients via vectors involving a UNIX
  socket.
Comment 5 Manuel Rüger (RETIRED) gentoo-dev 2015-07-10 18:28:30 UTC
1.17.2 in tree. The fixes should be probably ported back to the older versions in tree.
Comment 6 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-07-10 18:44:49 UTC
Is it ready to go stable?
Comment 7 Joakim Tjernlund 2015-07-29 14:53:59 UTC
(In reply to Mikle Kolyada from comment #6)
> Is it ready to go stable?

Running 1.17.2 here with MATE and works fine.
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2015-08-10 14:33:12 UTC
Maintainer(s), please advise if you when you are ready for stabilization or call for stabilization yourself.

Will call for stabilization on 8/15 if not done by then.
Comment 9 Chí-Thanh Christopher Nguyễn gentoo-dev 2015-08-10 22:24:21 UTC
Before xorg-server-1.17.2 can go stable, a number of other packages need to go stable first. This is further complicated by the transition to new eselect-opengl.
Comment 10 Chí-Thanh Christopher Nguyễn gentoo-dev 2015-09-03 16:00:05 UTC
xorg-server-1.16.4-r3 and xorg-server-1.16.4-r4 have been pushed to fix this issue.
Comment 11 David J Cozatt 2015-09-09 19:02:13 UTC
fwiw to elucidate on comment #9 in order to upgrade to xorg-xserver 1.17.2 on my machine I attempted the keywording necessary for my machine. All of the following were required

=x11-libs/libdrm-2.4.64 ~amd64
=x11-base/xorg-server-1.17.2 ~amd64
=media-libs/mesa-10.6.5        ~amd64
=x11-base/xorg-drivers-1.17    ~amd64
=x11-proto/glproto-1.4.17-r1   ~amd64
=app-eselect/eselect-opengl-1.3.1-r4  ~amd64

this was attempted and X then failed to start with startxfce4 or kdm
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2015-11-28 16:49:05 UTC
For 1.16 - Currently in the tree we have 1.16.4-r5. Are we ready to go stable with that version? 

1.17.4 is non stable if you encounter issues with it. 1.17.2 pushed the security fix for this issue. If you encounter any problems with any 1.17 versions please file another Bug.
Comment 13 Matt Turner gentoo-dev 2015-11-28 18:58:28 UTC
x11-base/xorg-server-1.16.4-r5 is being stabilized in bug 559062. Marking dependence.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2017-01-25 13:09:10 UTC
This issue was resolved and addressed in
 GLSA 201701-64 at https://security.gentoo.org/glsa/201701-64
by GLSA coordinator Thomas Deutschmann (whissi).