Submitted By: Dan Nicholson Date: 2006-08-06 Initial Package Version: 1.1.0 Origin: http://xorg.freedesktop.org/releases/X11R7.1/patches/ and http://gitweb.freedesktop.org/?p=xorg-xserver;a=commit;h=50a3e1ad18c815a5adafee22beccdf970bae62d6 Upstream Status: Applied Description: Fixes a security vulnerability. See the following advisory: http://lists.freedesktop.org/archives/xorg/2006-June/016146.html diff -pNur xorg-server-1.1.0.orig/hw/xfree86/common/xf86Init.c xorg-server-1.1.0/hw/xfree86/common/xf86Init.c --- xorg-server-1.1.0.orig/hw/xfree86/common/xf86Init.c 2006-05-09 18:04:19.000000000 +0000 +++ xorg-server-1.1.0/hw/xfree86/common/xf86Init.c 2006-08-07 01:39:58.000000000 +0000 @@ -1905,7 +1905,11 @@ xf86RunVtInit(void) FatalError("xf86RunVtInit: fork failed (%s)\n", strerror(errno)); break; case 0: /* child */ - setuid(getuid()); + if (setuid(getuid()) == -1) { + xf86Msg(X_ERROR, "xf86RunVtInit: setuid failed (%s)\n", + strerror(errno)); + exit(255); + } /* set stdin, stdout to the consoleFd */ for (i = 0; i < 2; i++) { if (xf86Info.consoleFd != i) { diff -pNur xorg-server-1.1.0.orig/hw/xfree86/os-support/shared/libc_wrapper.c xorg-server-1.1.0/hw/xfree86/os-support/shared/libc_wrapper.c --- xorg-server-1.1.0.orig/hw/xfree86/os-support/shared/libc_wrapper.c 2006-03-25 19:52:04.000000000 +0000 +++ xorg-server-1.1.0/hw/xfree86/os-support/shared/libc_wrapper.c 2006-08-07 01:39:58.000000000 +0000 @@ -1270,7 +1270,10 @@ xf86execl(const char *pathname, const ch #ifndef SELF_CONTAINED_WRAPPER xf86DisableIO(); #endif - setuid(getuid()); + if (setuid(getuid()) == -1) { + ErrorF("xf86Execl: setuid() failed: %s\n", strerror(errno)); + exit(255); + } #if !defined(SELF_CONTAINED_WRAPPER) /* set stdin, stdout to the consoleFD, and leave stderr alone */ for (i = 0; i < 2; i++) diff -pNur xorg-server-1.1.0.orig/hw/xfree86/parser/write.c xorg-server-1.1.0/hw/xfree86/parser/write.c --- xorg-server-1.1.0.orig/hw/xfree86/parser/write.c 2005-07-03 07:01:37.000000000 +0000 +++ xorg-server-1.1.0/hw/xfree86/parser/write.c 2006-08-07 01:41:41.000000000 +0000 @@ -170,7 +170,10 @@ xf86writeConfigFile (const char *filenam strerror(errno)); return 0; case 0: /* child */ - setuid(getuid()); + if (setuid(getuid()) == -1) + FatalError("xf86writeConfigFile(): " + "setuid failed(%s)\n", + strerror(errno)); ret = doWriteConfigFile(filename, cptr); exit(ret); break; diff -pNur xorg-server-1.1.0.orig/os/utils.c xorg-server-1.1.0/os/utils.c --- xorg-server-1.1.0.orig/os/utils.c 2006-03-25 19:52:05.000000000 +0000 +++ xorg-server-1.1.0/os/utils.c 2006-08-07 01:39:58.000000000 +0000 @@ -1721,8 +1721,10 @@ System(char *command) case -1: /* error */ p = -1; case 0: /* child */ - setgid(getgid()); - setuid(getuid()); + if (setgid(getgid()) == -1) + _exit(127); + if (setuid(getuid()) == -1) + _exit(127); execl("/bin/sh", "sh", "-c", command, (char *)NULL); _exit(127); default: /* parent */ @@ -1773,8 +1775,10 @@ Popen(char *command, char *type) xfree(cur); return NULL; case 0: /* child */ - setgid(getgid()); - setuid(getuid()); + if (setgid(getgid()) == -1) + _exit(127); + if (setuid(getuid()) == -1) + _exit(127); if (*type == 'r') { if (pdes[1] != 1) { /* stdout */ @@ -1848,8 +1852,10 @@ Fopen(char *file, char *type) xfree(cur); return NULL; case 0: /* child */ - setgid(getgid()); - setuid(getuid()); + if (setgid(getgid()) == -1) + _exit(127); + if (setuid(getuid()) == -1) + _exit(127); if (*type == 'r') { if (pdes[1] != 1) { /* stdout */