The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of X.Org: privilege elevation via setuid

Synthesis of the vulnerability

In some cases, programs of X.Org do not loose their root privileges.
Severity of this announce: 2/4.
Creation date: 27/07/2006.
Références of this computer vulnerability: CERTA-2006-AVI-454, CVE-2006-4447, DSA-1193-1, MDKSA-2006:160, VIGILANCE-VUL-6043.

Description of the vulnerability

The X.Org environment provide several tools which can be suid root: X server, xdm, xterm.

They call the setuid() function to loose their privileges. However, this function can fail (as described in VIGILANCE-VUL-807, or limiting the number of processes a user is allowed to run). As the error code is not checked, program continues to execute with root privileges.

This vulnerability therefore permits a local attacker to obtain root rights.
Full Vigil@nce bulletin... (Free trial)

This computer weakness announce impacts software or systems such as Debian, Mandriva Linux, XOrg Bundle ~ not comprehensive, libX11.

Our Vigil@nce team determined that the severity of this security alert is medium.

The trust level is of type confirmed by the editor, with an origin of user shell.

An attacker with a expert ability can exploit this vulnerability.

Solutions for this threat

X.Org: patch for setuid.
A patch is available:
X.Org 6.8.2
http://www.freedesktop.org/releases/X11R6.8.2/patches/
MD5 (xorg-68x-setuid.patch) = 0ce4435659d13cb75e409e92639f22eb
SHA1 (xorg-68x-setuid.patch) = d00815d19152da84de6677fcae04e6d96ee5db70
X.Org 6.9.0
http://www.freedesktop.org/releases/X11R6.9.0/patches/
MD5 (x11r6.9.0-setuid.diff) = 8e95fc06109d44ac280431d9cd8b41c9
SHA1 (x11r6.9.0-setuid.diff) = e576d725dd5f8d6c70df4b024adeecc5f7f90dc6
X.Org 7.0
http://www.freedesktop.org/releases/X11R7.0/patches/
MD5 (x11r7.0-setuid.diff) = a336e7e01a0876ec182c90277ab3e6fe
SHA1 (x11r7.0-setuid.diff) = 16a6a1c4a3527390caf53a45f4718ef378c90c14
X.Org 7.1
http://www.freedesktop.org/releases/X11R7.1/patches/
MD5 (libX11-1.0.1-setuid.diff) = 4b14554b64e4a8b1ec3c2b85cb5199b6
SHA1 (libX11-1.0.1-setuid.diff) = 6e2b6a43d394a474b8b731abb8d811625845421c
MD5 (xtrans-1.0.0-setuid.diff) = a3704e53fae7249379d842f6e626423a
SHA1 (xtrans-1.0.0-setuid.diff) = 82b913fe5ec96fd55afb8356ae338b90ed0f179b
MD5 (xorg-xserver-1.1.0-setuid.diff) = bd7f9871a9142197b8f45ad09969c6c5
SHA1 (xorg-xserver-1.1.0-setuid.diff) =
e72b50c6434d429abaf0c13d9e78e1d467579fe9
MD5 (xdm-1.0.4-setuid.diff) = 24d467822a4dbf2f536ee419e0322f2d
SHA1 (xdm-1.0.4-setuid.diff) = 5b33a136ceffd40230fb65bf3cc635f8fc84e279
MD5 (xf86dga-1.0.1-setuid.diff) = 2a07eebe5796a86f307f9c1a3d0a2fa0
SHA1 (xf86dga-1.0.1-setuid.diff) = 4f184e186b280792878ec9118181067de7339f96
MD5 (xinit-1.0.2-setuid.diff) = 1377016ad0dd0e127419e4452d66a8ef
SHA1 (xinit-1.0.2-setuid.diff) = 816fa2fea8dbc1479ed594dace6281538de5e0ad
MD5 (xload-1.0.1-setuid.diff) = 9813ecc6d82157d1e5d19cf265af6ff9
SHA1 (xload-1.0.1-setuid.diff) = b14a6f911c2043052aa5006f3146fc5534705c2f

Debian: new XFree86 packages.
New packages are available:
  AMD64 architecture:
    http://security.debian.org/pool/updates/main/x/xfree86/*_4.3.0.dfsg.1-14sarge2_amd64.deb
  Intel IA-32 architecture:
    http://security.debian.org/pool/updates/main/x/xfree86/*_4.3.0.dfsg.1-14sarge2_i386.deb
  Intel IA-64 architecture:
    http://security.debian.org/pool/updates/main/x/xfree86/*_4.3.0.dfsg.1-14sarge2_ia64.deb

Mandriva: new xorg-x11 packages.
New packages are available:
 
 Mandriva Linux 2006.0:
 dcb20582a5065744de4726c9f766ae39 2006.0/RPMS/libxorg-x11-6.9.0-5.9.20060mdk.i586.rpm
 bcd556a24ed3414007cd2c735725d811 2006.0/RPMS/libxorg-x11-devel-6.9.0-5.9.20060mdk.i586.rpm
 fdd48d3aabf17504715b0ac77c518ef1 2006.0/RPMS/libxorg-x11-static-devel-6.9.0-5.9.20060mdk.i586.rpm
 d31780e9e640e1c2e52907c61c7741d6 2006.0/RPMS/X11R6-contrib-6.9.0-5.9.20060mdk.i586.rpm
 58b0659c5e161f4eac7c6c3d57b9a5a4 2006.0/RPMS/xorg-x11-100dpi-fonts-6.9.0-5.9.20060mdk.i586.rpm
 ce4099426bf78152f8cce916d991bf31 2006.0/RPMS/xorg-x11-6.9.0-5.9.20060mdk.i586.rpm
 c5c5d881ec4fa25712c04bf858cafdae 2006.0/RPMS/xorg-x11-75dpi-fonts-6.9.0-5.9.20060mdk.i586.rpm
 47eebf4341d36377595d275d494884ce 2006.0/RPMS/xorg-x11-cyrillic-fonts-6.9.0-5.9.20060mdk.i586.rpm
 d8c47f18ededd363aa7999ac9c74e525 2006.0/RPMS/xorg-x11-doc-6.9.0-5.9.20060mdk.i586.rpm
 df35175ad9cfdaa619fc855e2a305872 2006.0/RPMS/xorg-x11-glide-module-6.9.0-5.9.20060mdk.i586.rpm
 782083d15ac2cf99b72e8884b1ad9f69 2006.0/RPMS/xorg-x11-server-6.9.0-5.9.20060mdk.i586.rpm
 7dce0242f2493bda5e566079eeb26ddb 2006.0/RPMS/xorg-x11-xauth-6.9.0-5.9.20060mdk.i586.rpm
 788887873c6781f4d04d4c22f15584f2 2006.0/RPMS/xorg-x11-Xdmx-6.9.0-5.9.20060mdk.i586.rpm
 ec74ddd837416045280a14fea9bc1ee5 2006.0/RPMS/xorg-x11-xfs-6.9.0-5.9.20060mdk.i586.rpm
 51f267b6f8eb58c1df9a3f91c3b31b99 2006.0/RPMS/xorg-x11-Xnest-6.9.0-5.9.20060mdk.i586.rpm
 42d8a58fd96c62f4a5c01fcefc2c1875 2006.0/RPMS/xorg-x11-Xprt-6.9.0-5.9.20060mdk.i586.rpm
 2d0f23a6896a459cdb1da2f1898ec81a 2006.0/RPMS/xorg-x11-Xvfb-6.9.0-5.9.20060mdk.i586.rpm
 47cc5a6fd1eecb2679b5a623b9ddfe64 2006.0/SRPMS/xorg-x11-6.9.0-5.9.20060mdk.src.rpm
 Mandriva Linux 2006.0/X86_64:
 ee089c7507299169663a4bccfe4be6c7 x86_64/2006.0/RPMS/lib64xorg-x11-6.9.0-5.9.20060mdk.x86_64.rpm
 2e7fd06ccb6313acca657a3e68c3ce35 x86_64/2006.0/RPMS/lib64xorg-x11-devel-6.9.0-5.9.20060mdk.x86_64.rpm
 3c873467b4813cf3d500860501f2f45a x86_64/2006.0/RPMS/lib64xorg-x11-static-devel-6.9.0-5.9.20060mdk.x86_64.rpm
 796e0bfbd979cef4675492ed4dcfa0bc x86_64/2006.0/RPMS/X11R6-contrib-6.9.0-5.9.20060mdk.x86_64.rpm
 ce13145b02fc3c8f69e718e91d2db266 x86_64/2006.0/RPMS/xorg-x11-100dpi-fonts-6.9.0-5.9.20060mdk.x86_64.rpm
 cfc9452bf907155f60ed8b6815f790ac x86_64/2006.0/RPMS/xorg-x11-6.9.0-5.9.20060mdk.x86_64.rpm
 f847dce08140455962c2797bdcfe94f2 x86_64/2006.0/RPMS/xorg-x11-75dpi-fonts-6.9.0-5.9.20060mdk.x86_64.rpm
 5a1ce6b27ecc1bd8a02ade0bf5e8742d x86_64/2006.0/RPMS/xorg-x11-cyrillic-fonts-6.9.0-5.9.20060mdk.x86_64.rpm
 a96fa59b6ee367d006b83e8f1108f65e x86_64/2006.0/RPMS/xorg-x11-doc-6.9.0-5.9.20060mdk.x86_64.rpm
 b84fd79cc72a3f66840ec0549f379723 x86_64/2006.0/RPMS/xorg-x11-glide-module-6.9.0-5.9.20060mdk.x86_64.rpm
 8f22f5468a07abbc3bf60f93a85997a1 x86_64/2006.0/RPMS/xorg-x11-server-6.9.0-5.9.20060mdk.x86_64.rpm
 f7c04028cf16bf87b6a91e5099c202f7 x86_64/2006.0/RPMS/xorg-x11-xauth-6.9.0-5.9.20060mdk.x86_64.rpm
 b34e978f93bb8b219d83267abac98674 x86_64/2006.0/RPMS/xorg-x11-Xdmx-6.9.0-5.9.20060mdk.x86_64.rpm
 fed4590b44f0b59fe78b41fefedc1891 x86_64/2006.0/RPMS/xorg-x11-xfs-6.9.0-5.9.20060mdk.x86_64.rpm
 25d83c3b26e0a429ea9a0dca889af6f0 x86_64/2006.0/RPMS/xorg-x11-Xnest-6.9.0-5.9.20060mdk.x86_64.rpm
 a466543fca0e43341d993d70f458f2ee x86_64/2006.0/RPMS/xorg-x11-Xprt-6.9.0-5.9.20060mdk.x86_64.rpm
 8b63d5f0768bda693408d25d1b121e46 x86_64/2006.0/RPMS/xorg-x11-Xvfb-6.9.0-5.9.20060mdk.x86_64.rpm
 47cc5a6fd1eecb2679b5a623b9ddfe64 x86_64/2006.0/SRPMS/xorg-x11-6.9.0-5.9.20060mdk.src.rpm
 Corporate 3.0:
 a9450f3155f8823499fe957c2dd5482a corporate/3.0/RPMS/libxfree86-4.3-32.7.C30mdk.i586.rpm
 dfa43f7a45a823527c0009f501c85041 corporate/3.0/RPMS/libxfree86-devel-4.3-32.7.C30mdk.i586.rpm
 8679c26c2afc856d6b015ac1f732c999 corporate/3.0/RPMS/libxfree86-static-devel-4.3-32.7.C30mdk.i586.rpm
 f28232feaf28bc7ad8f8ef8347dbb6a9 corporate/3.0/RPMS/X11R6-contrib-4.3-32.7.C30mdk.i586.rpm
 f3c7a17ff728d8b47747e53ac757f444 corporate/3.0/RPMS/XFree86-100dpi-fonts-4.3-32.7.C30mdk.i586.rpm
 50ca357364f011b414b4f66630e674b7 corporate/3.0/RPMS/XFree86-4.3-32.7.C30mdk.i586.rpm
 df154521f2fbe721b93b6d1ad3a3eb9b corporate/3.0/RPMS/XFree86-75dpi-fonts-4.3-32.7.C30mdk.i586.rpm
 dd806dd6b8ab801a44df03c1d9d6f66f corporate/3.0/RPMS/XFree86-cyrillic-fonts-4.3-32.7.C30mdk.i586.rpm
 281882ee8ec4f6798e3fec2c075b0d8e corporate/3.0/RPMS/XFree86-doc-4.3-32.7.C30mdk.i586.rpm
 d4d1a7c34ce535915fdfc31ee2fe1f7f corporate/3.0/RPMS/XFree86-glide-module-4.3-32.7.C30mdk.i586.rpm
 75994a655bfe6e08b979a68972f6e51c corporate/3.0/RPMS/XFree86-server-4.3-32.7.C30mdk.i586.rpm
 f1057204fca95decacdfe85a6b8c5906 corporate/3.0/RPMS/XFree86-xfs-4.3-32.7.C30mdk.i586.rpm
 c71dfaa88405aecc32fcabe47e1c53af corporate/3.0/RPMS/XFree86-Xnest-4.3-32.7.C30mdk.i586.rpm
 9cbc4bf866de30681b7fb0cb4614a06d corporate/3.0/RPMS/XFree86-Xvfb-4.3-32.7.C30mdk.i586.rpm
 c753f021aa04063be981ad656072b615 corporate/3.0/SRPMS/XFree86-4.3-32.7.C30mdk.src.rpm
 Corporate 3.0/X86_64:
 48112a9314130b94a6c94c0543ea13de x86_64/corporate/3.0/RPMS/lib64xfree86-4.3-32.7.C30mdk.x86_64.rpm
 8dd0ede32cdbb8edf8a5485052a0a6f1 x86_64/corporate/3.0/RPMS/lib64xfree86-devel-4.3-32.7.C30mdk.x86_64.rpm
 4f87c1f85b61d34ec778b57f33113598 x86_64/corporate/3.0/RPMS/lib64xfree86-static-devel-4.3-32.7.C30mdk.x86_64.rpm
 ea4b88d183e635016c2c0dc1e32618b5 x86_64/corporate/3.0/RPMS/X11R6-contrib-4.3-32.7.C30mdk.x86_64.rpm
 a88f094df62055d0f507de22931cd076 x86_64/corporate/3.0/RPMS/XFree86-100dpi-fonts-4.3-32.7.C30mdk.x86_64.rpm
 43ff4255335fd98864614d57ee6abfd5 x86_64/corporate/3.0/RPMS/XFree86-4.3-32.7.C30mdk.x86_64.rpm
 1517b72ee57688326bde5b7041b0312f x86_64/corporate/3.0/RPMS/XFree86-75dpi-fonts-4.3-32.7.C30mdk.x86_64.rpm
 9fcee06cbffe64bcca20c94d295b02d8 x86_64/corporate/3.0/RPMS/XFree86-cyrillic-fonts-4.3-32.7.C30mdk.x86_64.rpm
 f1712867f17668e3de3664c16284cde6 x86_64/corporate/3.0/RPMS/XFree86-doc-4.3-32.7.C30mdk.x86_64.rpm
 17cf639b7aa1fcd153b6f7c85c77b401 x86_64/corporate/3.0/RPMS/XFree86-server-4.3-32.7.C30mdk.x86_64.rpm
 b7377bcb482b977684e60c5cb473d513 x86_64/corporate/3.0/RPMS/XFree86-xfs-4.3-32.7.C30mdk.x86_64.rpm
 67491c7d711c1abcfd746c1f4d4c99b1 x86_64/corporate/3.0/RPMS/XFree86-Xnest-4.3-32.7.C30mdk.x86_64.rpm
 d66e63dce8c577ea71eaa44f638f2a5e x86_64/corporate/3.0/RPMS/XFree86-Xvfb-4.3-32.7.C30mdk.x86_64.rpm
 c753f021aa04063be981ad656072b615 x86_64/corporate/3.0/SRPMS/XFree86-4.3-32.7.C30mdk.src.rpm
Full Vigil@nce bulletin... (Free trial)

Computer vulnerabilities tracking service

Vigil@nce provides a system vulnerability watch. The technology watch team tracks security threats targeting the computer system.