Initial import, version 1.17.1-6

author: Mattias Andrée 2015-06-11 18:07:46 +0200
committer: Mattias Andrée 2015-06-11 18:07:46 +0200
commit: 04b9ce25138401ff00d21cd9a5615b073f44c142 (patch)
tree: 2965a268f808037f3248e801b98dfd8762bf89f2 /fix-CVE-2015-3164.patch
download: aur-04b9ce25138401ff00d21cd9a5615b073f44c142.tar.gz
1 files changed, 311 insertions, 0 deletions
diff --git a/fix-CVE-2015-3164.patch b/fix-CVE-2015-3164.patch
new file mode 100644
index 000000000000..e2ee1297323d
--- /dev/null
+++ b/fix-CVE-2015-3164.patch
@@ -0,0 +1,311 @@
+From c4534a38b68aa07fb82318040dc8154fb48a9588 Mon Sep 17 00:00:00 2001
+From: Ray Strode <rstrode@redhat.com>
+Date: Tue, 5 May 2015 16:43:42 -0400
+Subject: xwayland: Enable access control on open sockets [CVE-2015-3164 1/3]
+
+Xwayland currently allows wide-open access to the X sockets
+it listens on, ignoring Xauth access control.
+
+This commit makes sure to enable access control on the sockets,
+so one user can't snoop on another user's X-over-wayland
+applications.
+
+Signed-off-by: Ray Strode <rstrode@redhat.com>
+Reviewed-by: Daniel Stone <daniels@collabora.com>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Signed-off-by: Keith Packard <keithp@keithp.com>
+
+diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c
+index 7e8d667..c5bee77 100644
+--- a/hw/xwayland/xwayland.c
++++ b/hw/xwayland/xwayland.c
+@@ -483,7 +483,7 @@ listen_on_fds(struct xwl_screen *xwl_screen)
+     int i;
+ 
+     for (i = 0; i < xwl_screen->listen_fd_count; i++)
+-        ListenOnOpenFD(xwl_screen->listen_fds[i], TRUE);
++        ListenOnOpenFD(xwl_screen->listen_fds[i], FALSE);
+ }
+ 
+ static void
+-- 
+cgit v0.10.2
+From 4b4b9086d02b80549981d205fb1f495edc373538 Mon Sep 17 00:00:00 2001
+From: Ray Strode <rstrode@redhat.com>
+Date: Tue, 5 May 2015 16:43:43 -0400
+Subject: os: support new implicit local user access mode [CVE-2015-3164 2/3]
+
+If the X server is started without a '-auth' argument, then
+it gets started wide open to all local users on the system.
+
+This isn't a great default access model, but changing it in
+Xorg at this point would break backward compatibility.
+
+Xwayland, on the other hand is new, and much more targeted
+in scope.  It could, in theory, be changed to allow the much
+more secure default of a "user who started X server can connect
+clients to that server."
+
+This commit paves the way for that change, by adding a mechanism
+for DDXs to opt-in to that behavior.  They merely need to call
+
+LocalAccessScopeUser()
+
+in their init functions.
+
+A subsequent commit will add that call for Xwayland.
+
+Signed-off-by: Ray Strode <rstrode@redhat.com>
+Reviewed-by: Daniel Stone <daniels@collabora.com>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Signed-off-by: Keith Packard <keithp@keithp.com>
+
+diff --git a/include/os.h b/include/os.h
+index 6638c84..b2b96c8 100644
+--- a/include/os.h
++++ b/include/os.h
+@@ -431,11 +431,28 @@ extern _X_EXPORT void
+ ResetHosts(const char *display);
+ 
+ extern _X_EXPORT void
++EnableLocalAccess(void);
++
++extern _X_EXPORT void
++DisableLocalAccess(void);
++
++extern _X_EXPORT void
+ EnableLocalHost(void);
+ 
+ extern _X_EXPORT void
+ DisableLocalHost(void);
+ 
++#ifndef NO_LOCAL_CLIENT_CRED
++extern _X_EXPORT void
++EnableLocalUser(void);
++
++extern _X_EXPORT void
++DisableLocalUser(void);
++
++extern _X_EXPORT void
++LocalAccessScopeUser(void);
++#endif
++
+ extern _X_EXPORT void
+ AccessUsingXdmcp(void);
+ 
+diff --git a/os/access.c b/os/access.c
+index 8fa028e..75e7a69 100644
+--- a/os/access.c
++++ b/os/access.c
+@@ -102,6 +102,10 @@ SOFTWARE.
+ #include <sys/ioctl.h>
+ #include <ctype.h>
+ 
++#ifndef NO_LOCAL_CLIENT_CRED
++#include <pwd.h>
++#endif
++
+ #if defined(TCPCONN) || defined(STREAMSCONN)
+ #include <netinet/in.h>
+ #endif                          /* TCPCONN || STREAMSCONN */
+@@ -225,6 +229,13 @@ static int LocalHostEnabled = FALSE;
+ static int LocalHostRequested = FALSE;
+ static int UsingXdmcp = FALSE;
+ 
++static enum {
++    LOCAL_ACCESS_SCOPE_HOST = 0,
++#ifndef NO_LOCAL_CLIENT_CRED
++    LOCAL_ACCESS_SCOPE_USER,
++#endif
++} LocalAccessScope;
++
+ /* FamilyServerInterpreted implementation */
+ static Bool siAddrMatch(int family, void *addr, int len, HOST * host,
+                         ClientPtr client);
+@@ -237,6 +248,21 @@ static void siTypesInitialize(void);
+  */
+ 
+ void
++EnableLocalAccess(void)
++{
++    switch (LocalAccessScope) {
++        case LOCAL_ACCESS_SCOPE_HOST:
++            EnableLocalHost();
++            break;
++#ifndef NO_LOCAL_CLIENT_CRED
++        case LOCAL_ACCESS_SCOPE_USER:
++            EnableLocalUser();
++            break;
++#endif
++    }
++}
++
++void
+ EnableLocalHost(void)
+ {
+     if (!UsingXdmcp) {
+@@ -249,6 +275,21 @@ EnableLocalHost(void)
+  * called when authorization is enabled to keep us secure
+  */
+ void
++DisableLocalAccess(void)
++{
++    switch (LocalAccessScope) {
++        case LOCAL_ACCESS_SCOPE_HOST:
++            DisableLocalHost();
++            break;
++#ifndef NO_LOCAL_CLIENT_CRED
++        case LOCAL_ACCESS_SCOPE_USER:
++            DisableLocalUser();
++            break;
++#endif
++    }
++}
++
++void
+ DisableLocalHost(void)
+ {
+     HOST *self;
+@@ -262,6 +303,74 @@ DisableLocalHost(void)
+     }
+ }
+ 
++#ifndef NO_LOCAL_CLIENT_CRED
++static int GetLocalUserAddr(char **addr)
++{
++    static const char *type = "localuser";
++    static const char delimiter = '\0';
++    static const char *value;
++    struct passwd *pw;
++    int length = -1;
++
++    pw = getpwuid(getuid());
++
++    if (pw == NULL || pw->pw_name == NULL)
++        goto out;
++
++    value = pw->pw_name;
++
++    length = asprintf(addr, "%s%c%s", type, delimiter, value);
++
++    if (length == -1) {
++        goto out;
++    }
++
++    /* Trailing NUL */
++    length++;
++
++out:
++    return length;
++}
++
++void
++EnableLocalUser(void)
++{
++    char *addr = NULL;
++    int length = -1;
++
++    length = GetLocalUserAddr(&addr);
++
++    if (length == -1)
++        return;
++
++    NewHost(FamilyServerInterpreted, addr, length, TRUE);
++
++    free(addr);
++}
++
++void
++DisableLocalUser(void)
++{
++    char *addr = NULL;
++    int length = -1;
++
++    length = GetLocalUserAddr(&addr);
++
++    if (length == -1)
++        return;
++
++    RemoveHost(NULL, FamilyServerInterpreted, length, addr);
++
++    free(addr);
++}
++
++void
++LocalAccessScopeUser(void)
++{
++    LocalAccessScope = LOCAL_ACCESS_SCOPE_USER;
++}
++#endif
++
+ /*
+  * called at init time when XDMCP will be used; xdmcp always
+  * adds local hosts manually when needed
+diff --git a/os/auth.c b/os/auth.c
+index 5fcb538..7da6fc6 100644
+--- a/os/auth.c
++++ b/os/auth.c
+@@ -181,11 +181,11 @@ CheckAuthorization(unsigned int name_length,
+ 
+         /*
+          * If the authorization file has at least one entry for this server,
+-         * disable local host access. (loadauth > 0)
++         * disable local access. (loadauth > 0)
+          *
+          * If there are zero entries (either initially or when the
+          * authorization file is later reloaded), or if a valid
+-         * authorization file was never loaded, enable local host access.
++         * authorization file was never loaded, enable local access.
+          * (loadauth == 0 || !loaded)
+          *
+          * If the authorization file was loaded initially (with valid
+@@ -194,11 +194,11 @@ CheckAuthorization(unsigned int name_length,
+          */
+ 
+         if (loadauth > 0) {
+-            DisableLocalHost(); /* got at least one */
++            DisableLocalAccess(); /* got at least one */
+             loaded = TRUE;
+         }
+         else if (loadauth == 0 || !loaded)
+-            EnableLocalHost();
++            EnableLocalAccess();
+     }
+     if (name_length) {
+         for (i = 0; i < NUM_AUTHORIZATION; i++) {
+-- 
+cgit v0.10.2
+From 76636ac12f2d1dbdf7be08222f80e7505d53c451 Mon Sep 17 00:00:00 2001
+From: Ray Strode <rstrode@redhat.com>
+Date: Tue, 5 May 2015 16:43:44 -0400
+Subject: xwayland: default to local user if no xauth file given.
+ [CVE-2015-3164 3/3]
+
+Right now if "-auth" isn't passed on the command line, we let
+any user on the system connect to the Xwayland server.
+
+That's clearly suboptimal, given Xwayland is generally designed
+to be used by one user at a time.
+
+This commit changes the behavior, so only the user who started the
+X server can connect clients to it.
+
+Signed-off-by: Ray Strode <rstrode@redhat.com>
+Reviewed-by: Daniel Stone <daniels@collabora.com>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Signed-off-by: Keith Packard <keithp@keithp.com>
+
+diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c
+index c5bee77..bc92beb 100644
+--- a/hw/xwayland/xwayland.c
++++ b/hw/xwayland/xwayland.c
+@@ -702,4 +702,6 @@ InitOutput(ScreenInfo * screen_info, int argc, char **argv)
+     if (AddScreen(xwl_screen_init, argc, argv) == -1) {
+         FatalError("Couldn't add screen\n");
+     }
++
++    LocalAccessScopeUser();
+ }
+-- 
+cgit v0.10.2
+
author	Mattias Andrée	2015-06-11 18:07:46 +0200
committer	Mattias Andrée	2015-06-11 18:07:46 +0200
commit	04b9ce25138401ff00d21cd9a5615b073f44c142 (patch)
tree	2965a268f808037f3248e801b98dfd8762bf89f2 /fix-CVE-2015-3164.patch
download	aur-04b9ce25138401ff00d21cd9a5615b073f44c142.tar.gz