diff options
Diffstat (limited to 'fix-CVE-2015-3164.patch')
| -rw-r--r-- | fix-CVE-2015-3164.patch | 311 |
1 files changed, 0 insertions, 311 deletions
diff --git a/fix-CVE-2015-3164.patch b/fix-CVE-2015-3164.patch deleted file mode 100644 index e2ee1297323d..000000000000 --- a/fix-CVE-2015-3164.patch +++ /dev/null @@ -1,311 +0,0 @@ -From c4534a38b68aa07fb82318040dc8154fb48a9588 Mon Sep 17 00:00:00 2001 -From: Ray Strode <rstrode@redhat.com> -Date: Tue, 5 May 2015 16:43:42 -0400 -Subject: xwayland: Enable access control on open sockets [CVE-2015-3164 1/3] - -Xwayland currently allows wide-open access to the X sockets -it listens on, ignoring Xauth access control. - -This commit makes sure to enable access control on the sockets, -so one user can't snoop on another user's X-over-wayland -applications. - -Signed-off-by: Ray Strode <rstrode@redhat.com> -Reviewed-by: Daniel Stone <daniels@collabora.com> -Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> -Signed-off-by: Keith Packard <keithp@keithp.com> - -diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c -index 7e8d667..c5bee77 100644 ---- a/hw/xwayland/xwayland.c -+++ b/hw/xwayland/xwayland.c -@@ -483,7 +483,7 @@ listen_on_fds(struct xwl_screen *xwl_screen) - int i; - - for (i = 0; i < xwl_screen->listen_fd_count; i++) -- ListenOnOpenFD(xwl_screen->listen_fds[i], TRUE); -+ ListenOnOpenFD(xwl_screen->listen_fds[i], FALSE); - } - - static void --- -cgit v0.10.2 -From 4b4b9086d02b80549981d205fb1f495edc373538 Mon Sep 17 00:00:00 2001 -From: Ray Strode <rstrode@redhat.com> -Date: Tue, 5 May 2015 16:43:43 -0400 -Subject: os: support new implicit local user access mode [CVE-2015-3164 2/3] - -If the X server is started without a '-auth' argument, then -it gets started wide open to all local users on the system. - -This isn't a great default access model, but changing it in -Xorg at this point would break backward compatibility. - -Xwayland, on the other hand is new, and much more targeted -in scope. It could, in theory, be changed to allow the much -more secure default of a "user who started X server can connect -clients to that server." - -This commit paves the way for that change, by adding a mechanism -for DDXs to opt-in to that behavior. They merely need to call - -LocalAccessScopeUser() - -in their init functions. - -A subsequent commit will add that call for Xwayland. - -Signed-off-by: Ray Strode <rstrode@redhat.com> -Reviewed-by: Daniel Stone <daniels@collabora.com> -Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> -Signed-off-by: Keith Packard <keithp@keithp.com> - -diff --git a/include/os.h b/include/os.h -index 6638c84..b2b96c8 100644 ---- a/include/os.h -+++ b/include/os.h -@@ -431,11 +431,28 @@ extern _X_EXPORT void - ResetHosts(const char *display); - - extern _X_EXPORT void -+EnableLocalAccess(void); -+ -+extern _X_EXPORT void -+DisableLocalAccess(void); -+ -+extern _X_EXPORT void - EnableLocalHost(void); - - extern _X_EXPORT void - DisableLocalHost(void); - -+#ifndef NO_LOCAL_CLIENT_CRED -+extern _X_EXPORT void -+EnableLocalUser(void); -+ -+extern _X_EXPORT void -+DisableLocalUser(void); -+ -+extern _X_EXPORT void -+LocalAccessScopeUser(void); -+#endif -+ - extern _X_EXPORT void - AccessUsingXdmcp(void); - -diff --git a/os/access.c b/os/access.c -index 8fa028e..75e7a69 100644 ---- a/os/access.c -+++ b/os/access.c -@@ -102,6 +102,10 @@ SOFTWARE. - #include <sys/ioctl.h> - #include <ctype.h> - -+#ifndef NO_LOCAL_CLIENT_CRED -+#include <pwd.h> -+#endif -+ - #if defined(TCPCONN) || defined(STREAMSCONN) - #include <netinet/in.h> - #endif /* TCPCONN || STREAMSCONN */ -@@ -225,6 +229,13 @@ static int LocalHostEnabled = FALSE; - static int LocalHostRequested = FALSE; - static int UsingXdmcp = FALSE; - -+static enum { -+ LOCAL_ACCESS_SCOPE_HOST = 0, -+#ifndef NO_LOCAL_CLIENT_CRED -+ LOCAL_ACCESS_SCOPE_USER, -+#endif -+} LocalAccessScope; -+ - /* FamilyServerInterpreted implementation */ - static Bool siAddrMatch(int family, void *addr, int len, HOST * host, - ClientPtr client); -@@ -237,6 +248,21 @@ static void siTypesInitialize(void); - */ - - void -+EnableLocalAccess(void) -+{ -+ switch (LocalAccessScope) { -+ case LOCAL_ACCESS_SCOPE_HOST: -+ EnableLocalHost(); -+ break; -+#ifndef NO_LOCAL_CLIENT_CRED -+ case LOCAL_ACCESS_SCOPE_USER: -+ EnableLocalUser(); -+ break; -+#endif -+ } -+} -+ -+void - EnableLocalHost(void) - { - if (!UsingXdmcp) { -@@ -249,6 +275,21 @@ EnableLocalHost(void) - * called when authorization is enabled to keep us secure - */ - void -+DisableLocalAccess(void) -+{ -+ switch (LocalAccessScope) { -+ case LOCAL_ACCESS_SCOPE_HOST: -+ DisableLocalHost(); -+ break; -+#ifndef NO_LOCAL_CLIENT_CRED -+ case LOCAL_ACCESS_SCOPE_USER: -+ DisableLocalUser(); -+ break; -+#endif -+ } -+} -+ -+void - DisableLocalHost(void) - { - HOST *self; -@@ -262,6 +303,74 @@ DisableLocalHost(void) - } - } - -+#ifndef NO_LOCAL_CLIENT_CRED -+static int GetLocalUserAddr(char **addr) -+{ -+ static const char *type = "localuser"; -+ static const char delimiter = '\0'; -+ static const char *value; -+ struct passwd *pw; -+ int length = -1; -+ -+ pw = getpwuid(getuid()); -+ -+ if (pw == NULL || pw->pw_name == NULL) -+ goto out; -+ -+ value = pw->pw_name; -+ -+ length = asprintf(addr, "%s%c%s", type, delimiter, value); -+ -+ if (length == -1) { -+ goto out; -+ } -+ -+ /* Trailing NUL */ -+ length++; -+ -+out: -+ return length; -+} -+ -+void -+EnableLocalUser(void) -+{ -+ char *addr = NULL; -+ int length = -1; -+ -+ length = GetLocalUserAddr(&addr); -+ -+ if (length == -1) -+ return; -+ -+ NewHost(FamilyServerInterpreted, addr, length, TRUE); -+ -+ free(addr); -+} -+ -+void -+DisableLocalUser(void) -+{ -+ char *addr = NULL; -+ int length = -1; -+ -+ length = GetLocalUserAddr(&addr); -+ -+ if (length == -1) -+ return; -+ -+ RemoveHost(NULL, FamilyServerInterpreted, length, addr); -+ -+ free(addr); -+} -+ -+void -+LocalAccessScopeUser(void) -+{ -+ LocalAccessScope = LOCAL_ACCESS_SCOPE_USER; -+} -+#endif -+ - /* - * called at init time when XDMCP will be used; xdmcp always - * adds local hosts manually when needed -diff --git a/os/auth.c b/os/auth.c -index 5fcb538..7da6fc6 100644 ---- a/os/auth.c -+++ b/os/auth.c -@@ -181,11 +181,11 @@ CheckAuthorization(unsigned int name_length, - - /* - * If the authorization file has at least one entry for this server, -- * disable local host access. (loadauth > 0) -+ * disable local access. (loadauth > 0) - * - * If there are zero entries (either initially or when the - * authorization file is later reloaded), or if a valid -- * authorization file was never loaded, enable local host access. -+ * authorization file was never loaded, enable local access. - * (loadauth == 0 || !loaded) - * - * If the authorization file was loaded initially (with valid -@@ -194,11 +194,11 @@ CheckAuthorization(unsigned int name_length, - */ - - if (loadauth > 0) { -- DisableLocalHost(); /* got at least one */ -+ DisableLocalAccess(); /* got at least one */ - loaded = TRUE; - } - else if (loadauth == 0 || !loaded) -- EnableLocalHost(); -+ EnableLocalAccess(); - } - if (name_length) { - for (i = 0; i < NUM_AUTHORIZATION; i++) { --- -cgit v0.10.2 -From 76636ac12f2d1dbdf7be08222f80e7505d53c451 Mon Sep 17 00:00:00 2001 -From: Ray Strode <rstrode@redhat.com> -Date: Tue, 5 May 2015 16:43:44 -0400 -Subject: xwayland: default to local user if no xauth file given. - [CVE-2015-3164 3/3] - -Right now if "-auth" isn't passed on the command line, we let -any user on the system connect to the Xwayland server. - -That's clearly suboptimal, given Xwayland is generally designed -to be used by one user at a time. - -This commit changes the behavior, so only the user who started the -X server can connect clients to it. - -Signed-off-by: Ray Strode <rstrode@redhat.com> -Reviewed-by: Daniel Stone <daniels@collabora.com> -Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> -Signed-off-by: Keith Packard <keithp@keithp.com> - -diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c -index c5bee77..bc92beb 100644 ---- a/hw/xwayland/xwayland.c -+++ b/hw/xwayland/xwayland.c -@@ -702,4 +702,6 @@ InitOutput(ScreenInfo * screen_info, int argc, char **argv) - if (AddScreen(xwl_screen_init, argc, argv) == -1) { - FatalError("Couldn't add screen\n"); - } -+ -+ LocalAccessScopeUser(); - } --- -cgit v0.10.2 - |