debian/changelog

+xorg-server (2:1.19.2-1+deb9u4) stretch-security; urgency=medium
+
+  * Disable -logfile and -modulepath when running with elevated privileges.
+    Addresses CVE-2018-14665.
+
+ -- Julien Cristau <jcristau@debian.org>  Thu, 25 Oct 2018 11:19:09 +0200
+
 xorg-server (2:1.19.2-1+deb9u2) stretch-security; urgency=high
 
   * Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)

debian/patches/02_kbsd-input-devd.diff

@@ -25,7 +25,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org>
 
 --- a/config/Makefile.am
 +++ b/config/Makefile.am
-@@ -34,6 +34,10 @@
+@@ -34,6 +34,10 @@ if CONFIG_WSCONS
  libconfig_la_SOURCES += wscons.c
  endif # CONFIG_WSCONS
  
@@ -38,7 +38,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org>
  endif # !CONFIG_UDEV
 --- a/config/config-backends.h
 +++ b/config/config-backends.h
-@@ -44,3 +44,8 @@
+@@ -44,3 +44,8 @@ void config_hal_fini(void);
  int config_wscons_init(void);
  void config_wscons_fini(void);
  #endif
@@ -49,7 +49,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org>
 +#endif
 --- a/config/config.c
 +++ b/config/config.c
-@@ -55,6 +55,9 @@
+@@ -55,6 +55,9 @@ config_init(void)
  #elif defined(CONFIG_WSCONS)
      if (!config_wscons_init())
          ErrorF("[config] failed to initialise wscons\n");
@@ -59,7 +59,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org>
  #endif
  }
  
-@@ -67,6 +70,8 @@
+@@ -67,6 +70,8 @@ config_fini(void)
      config_hal_fini();
  #elif defined(CONFIG_WSCONS)
      config_wscons_fini();
@@ -448,7 +448,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org>
 +}
 --- a/configure.ac
 +++ b/configure.ac
-@@ -627,6 +627,7 @@
+@@ -631,6 +631,7 @@ AC_ARG_ENABLE(dpms,           AS_HELP_ST
  AC_ARG_ENABLE(config-udev,    AS_HELP_STRING([--enable-config-udev], [Build udev support (default: auto)]), [CONFIG_UDEV=$enableval], [CONFIG_UDEV=auto])
  AC_ARG_ENABLE(config-udev-kms,    AS_HELP_STRING([--enable-config-udev-kms], [Build udev kms support (default: auto)]), [CONFIG_UDEV_KMS=$enableval], [CONFIG_UDEV_KMS=auto])
  AC_ARG_ENABLE(config-hal,     AS_HELP_STRING([--disable-config-hal], [Build HAL support (default: auto)]), [CONFIG_HAL=$enableval], [CONFIG_HAL=auto])
@@ -456,7 +456,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org>
  AC_ARG_ENABLE(config-wscons,  AS_HELP_STRING([--enable-config-wscons], [Build wscons config support (default: auto)]), [CONFIG_WSCONS=$enableval], [CONFIG_WSCONS=auto])
  AC_ARG_ENABLE(xfree86-utils,     AS_HELP_STRING([--enable-xfree86-utils], [Build xfree86 DDX utilities (default: enabled)]), [XF86UTILS=$enableval], [XF86UTILS=yes])
  AC_ARG_ENABLE(vgahw,          AS_HELP_STRING([--enable-vgahw], [Build Xorg with vga access (default: enabled)]), [VGAHW=$enableval], [VGAHW=yes])
-@@ -1017,6 +1018,21 @@
+@@ -1021,6 +1022,21 @@ if test "x$CONFIG_WSCONS" = xyes; then
  	AC_DEFINE(CONFIG_WSCONS, 1, [Use wscons for input auto configuration])
  fi
  
@@ -478,7 +478,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org>
  
  AC_MSG_CHECKING([for glibc...])
  AC_PREPROC_IFELSE([AC_LANG_SOURCE([
-@@ -2566,7 +2582,7 @@
+@@ -2570,7 +2586,7 @@ AC_SUBST([prefix])
  
  AC_CONFIG_COMMANDS([sdksyms], [touch hw/xfree86/sdksyms.dep])
  
@@ -489,7 +489,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org>
               Neither HAL nor udev backend will be enabled.
 --- a/hw/xfree86/common/xf86Config.c
 +++ b/hw/xfree86/common/xf86Config.c
-@@ -1375,15 +1375,18 @@
+@@ -1375,15 +1375,18 @@ checkCoreInputDevices(serverLayoutPtr se
      }
  
      if (!xf86Info.forceInputDevices && !(foundPointer && foundKeyboard)) {
@@ -512,7 +512,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org>
                  "input devices.\n\tIf no devices become available, "
 --- a/hw/xfree86/common/xf86Globals.c
 +++ b/hw/xfree86/common/xf86Globals.c
-@@ -122,7 +122,8 @@
+@@ -122,7 +122,8 @@ xf86InfoRec xf86Info = {
      .pmFlag = TRUE,
      .disableRandR = FALSE,
      .randRFrom = X_DEFAULT,
@@ -524,7 +524,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org>
      .autoEnableDevices = TRUE,
 --- a/include/dix-config.h.in
 +++ b/include/dix-config.h.in
-@@ -445,6 +445,9 @@
+@@ -454,6 +454,9 @@
  /* Enable systemd-logind integration */
  #undef SYSTEMD_LOGIND 1
  

debian/patches/03_static-nettle.diff

@@ -4,7 +4,7 @@ There's no libnettle udeb.
 
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1725,7 +1725,7 @@ fi
+@@ -1695,7 +1695,7 @@ fi
  if test "x$with_sha1" = xlibnettle; then
  	AC_DEFINE([HAVE_SHA1_IN_LIBNETTLE], [1],
  	          [Use libnettle SHA1 functions])

debian/patches/11_xfree86-Disable-logfile-and-modulepath.patch

+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 23 Oct 2018 21:29:08 +0200
+Subject: [PATCH xserver] Disable -logfile and -modulepath when running with elevated privileges.
+
+Could cause privilege elevation and/or arbitrary files overwrite, when
+the X server is running with elevated privileges (ie when Xorg is
+installed with the setuid bit set and started by a non-root user).
+
+CVE-2018-14665
+
+Issue reported by Narendra Shinde and Red Hat.
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+--- xorg-server.orig/hw/xfree86/common/xf86Init.c
++++ xorg-server/hw/xfree86/common/xf86Init.c
+@@ -1134,14 +1134,18 @@ ddxProcessArgument(int argc, char **argv
+     /* First the options that are not allowed with elevated privileges */
+     if (!strcmp(argv[i], "-modulepath")) {
+         CHECK_FOR_REQUIRED_ARGUMENT();
+-        xf86CheckPrivs(argv[i], argv[i + 1]);
++        if (xf86PrivsElevated())
++              FatalError("\nInvalid argument -modulepath "
++                "with elevated privileges\n");
+         xf86ModulePath = argv[i + 1];
+         xf86ModPathFrom = X_CMDLINE;
+         return 2;
+     }
+     if (!strcmp(argv[i], "-logfile")) {
+         CHECK_FOR_REQUIRED_ARGUMENT();
+-        xf86CheckPrivs(argv[i], argv[i + 1]);
++        if (xf86PrivsElevated())
++              FatalError("\nInvalid argument -logfile "
++                "with elevated privileges\n");
+         xf86LogFile = argv[i + 1];
+         xf86LogFileFrom = X_CMDLINE;
+         return 2;

debian/patches/series

@@ -9,3 +9,4 @@
 08_Xi-Verify-all-events-in-ProcXSendExtensionEvent.patch
 09_Xi-Do-not-try-to-swap-GenericEvent.patch
 10_Xi-Zero-target-buffer-in-SProcXSendExtensionEvent.patch
+11_xfree86-Disable-logfile-and-modulepath.patch