xorg-server: Incorrect permission check in Xorg X server allows for privilege escalation (CVE-2018-14665)
A flaw was found in xorg-x11-server before 1.20.3. An incorrect
permission check for -modulepath and -logfile options when
starting Xorg. X server allows unprivileged users with the ability to
log in to the system via physical console to escalate their
privileges and run arbitrary code under root privileges.
Fixed In Version:
xorg-server 1.20.3
References:
https://nvd.nist.gov/vuln/detail/CVE-2018-14665
https://marc.info/?l=oss-security&m=154047832307726&w=2
Patch:
Introduced by:
https://gitlab.freedesktop.org/xorg/xserver/commit/032b1d79b7d04d47814a5b3a9fdd162249fea74c
(1.19.0)
Fixed by:
https://gitlab.freedesktop.org/xorg/xserver/commit/50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e
(from redmine: issue id 9596, created on 2018-10-29, closed on 2018-10-30)
- Relations:
- copied_to #9597 (closed)
- child #9597 (closed)
- child #9598 (closed)
- child #9599 (closed)
- child #9600 (closed)
To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information