summaryrefslogtreecommitdiff
blob: c55cf93497f5f222fbaebb9f8ec8d3a51df051c5 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="200608-25">
  <title>X.org and some X.org libraries: Local privilege escalations</title>
  <synopsis>
    X.org, libX11, xdm, xf86dga, xinit, xload, xtrans, and xterm are vulnerable
    to local privilege escalations because of unchecked setuid() calls.
  </synopsis>
  <product type="ebuild">xorg-x11,xorg-server,xtrans,xload,xinit,xterm,xf86dga,xdm,libX11</product>
  <announced>2006-08-28</announced>
  <revised count="02">2006-12-13</revised>
  <bug>135974</bug>
  <access>local</access>
  <affected>
    <package name="x11-apps/xdm" auto="yes" arch="*">
      <unaffected range="ge">1.0.4-r1</unaffected>
      <vulnerable range="lt">1.0.4-r1</vulnerable>
    </package>
    <package name="x11-apps/xinit" auto="yes" arch="*">
      <unaffected range="ge">1.0.2-r6</unaffected>
      <vulnerable range="lt">1.0.2-r6</vulnerable>
    </package>
    <package name="x11-apps/xload" auto="yes" arch="*">
      <unaffected range="ge">1.0.1-r1</unaffected>
      <vulnerable range="lt">1.0.1-r1</vulnerable>
    </package>
    <package name="x11-apps/xf86dga" auto="yes" arch="*">
      <unaffected range="ge">1.0.1-r1</unaffected>
      <vulnerable range="lt">1.0.1-r1</vulnerable>
    </package>
    <package name="x11-base/xorg-x11" auto="yes" arch="*">
      <unaffected range="rge">6.8.2-r8</unaffected>
      <unaffected range="ge">6.9.0-r2</unaffected>
      <vulnerable range="lt">6.9.0-r2</vulnerable>
    </package>
    <package name="x11-base/xorg-server" auto="yes" arch="*">
      <unaffected range="rge">1.0.2-r6</unaffected>
      <unaffected range="ge">1.1.0-r1</unaffected>
      <vulnerable range="lt">1.1.0-r1</vulnerable>
    </package>
    <package name="x11-libs/libx11" auto="yes" arch="*">
      <unaffected range="ge">1.0.1-r1</unaffected>
      <vulnerable range="lt">1.0.1-r1</vulnerable>
    </package>
    <package name="x11-libs/xtrans" auto="yes" arch="*">
      <unaffected range="ge">1.0.0-r1</unaffected>
      <vulnerable range="lt">1.0.0-r1</vulnerable>
    </package>
    <package name="x11-terms/xterm" auto="yes" arch="*">
      <unaffected range="ge">215</unaffected>
      <vulnerable range="lt">215</vulnerable>
    </package>
    <package name="app-emulation/emul-linux-x86-xlibs" auto="yes" arch="amd64">
      <unaffected range="ge">7.0-r2</unaffected>
      <vulnerable range="lt">7.0-r2</vulnerable>
    </package>
  </affected>
  <background>
    <p>
    X.org is an implementation of the X Window System.
    </p>
  </background>
  <description>
    <p>
    Several X.org libraries and X.org itself contain system calls to
    set*uid() functions, without checking their result.
    </p>
  </description>
  <impact type="high">
    <p>
    Local users could deliberately exceed their assigned resource limits
    and elevate their privileges after an unsuccessful set*uid() system
    call. This requires resource limits to be enabled on the machine.
    </p>
  </impact>
  <workaround>
    <p>
    There is no known workaround at this time.
    </p>
  </workaround>
  <resolution>
    <p>
    All X.Org xdm users should upgrade to the latest version:
    </p>
    <code>
    # emerge --sync
    # emerge --ask --oneshot --verbose "&gt;=x11-apps/xdm-1.0.4-r1"</code>
    <p>
    All X.Org xinit users should upgrade to the latest version:
    </p>
    <code>
    # emerge --sync
    # emerge --ask --oneshot --verbose "&gt;=x11-apps/xinit-1.0.2-r6"</code>
    <p>
    All X.Org xload users should upgrade to the latest version:
    </p>
    <code>
    # emerge --sync
    # emerge --ask --oneshot --verbose "&gt;=x11-apps/xload-1.0.1-r1"</code>
    <p>
    All X.Org xf86dga users should upgrade to the latest version:
    </p>
    <code>
    # emerge --sync
    # emerge --ask --oneshot --verbose "&gt;=x11-apps/xf86dga-1.0.1-r1"</code>
    <p>
    All X.Org users should upgrade to the latest version:
    </p>
    <code>
    # emerge --sync
    # emerge --ask --oneshot --verbose "&gt;=x11-base/xorg-x11-6.9.0-r2"</code>
    <p>
    All X.Org X servers users should upgrade to the latest version:
    </p>
    <code>
    # emerge --sync
    # emerge --ask --oneshot --verbose "&gt;=x11-base/xorg-server-1.1.0-r1"</code>
    <p>
    All X.Org X11 library users should upgrade to the latest version:
    </p>
    <code>
    # emerge --sync
    # emerge --ask --oneshot --verbose "&gt;=x11-libs/libx11-1.0.1-r1"</code>
    <p>
    All X.Org xtrans library users should upgrade to the latest version:
    </p>
    <code>
    # emerge --sync
    # emerge --ask --oneshot --verbose "&gt;=x11-libs/xtrans-1.0.1-r1"</code>
    <p>
    All xterm users should upgrade to the latest version:
    </p>
    <code>
    # emerge --sync
    # emerge --ask --oneshot --verbose "&gt;=x11-terms/xterm-215"</code>
    <p>
    All users of the X11R6 libraries for emulation of 32bit x86 on amd64
    should upgrade to the latest version:
    </p>
    <code>
    # emerge --sync
    # emerge --ask --oneshot --verbose "&gt;=app-emulation/emul-linux-x86-xlibs-7.0-r2"</code>
    <p>
    Please note that the fixed packages have been available for most
    architectures since June 30th but the GLSA release was held up waiting
    for the remaining architectures.
    </p>
  </resolution>
  <references>
    <uri link="https://lists.freedesktop.org/archives/xorg/2006-June/016146.html">X.Org security advisory</uri>
    <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4447">CVE-2006-4447</uri>
  </references>
  <metadata tag="requester" timestamp="2006-08-16T08:09:58Z">
    falco
  </metadata>
  <metadata tag="submitter" timestamp="2006-08-21T15:45:11Z">
    falco
  </metadata>
  <metadata tag="bugReady" timestamp="2006-08-23T20:02:52Z">
    falco
  </metadata>
</glsa>