Accepting request 311799 from home:michalsrb:branches:X11:XOrg

- U_os-support-new-implicit-local-user-access-mode.patch,
  U_xwayland-default-to-local-user-if-no-xauth-file-given.patch,
  U_xwayland-enable-access-control-on-open-socket.patch
  * Prevent unauthorized local access. (bnc#934102, CVE-2015-3164)

OBS-URL: https://build.opensuse.org/request/show/311799
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=575

U_os-support-new-implicit-local-user-access-mode.patch

@@ -0,0 +1,245 @@
+Subject: os: support new implicit local user access mode
+Author: Ray Strode <rstrode@redhat.com>
+Path-mainline: Upstream
+Git-commit: 4b4b9086d02b80549981d205fb1f495edc373538
+References: bnc#934102 CVE-2015-3164
+Signed-off-by: Michal Srb <msrb@suse.com>
+
+If the X server is started without a '-auth' argument, then
+it gets started wide open to all local users on the system.
+
+This isn't a great default access model, but changing it in
+Xorg at this point would break backward compatibility.
+
+Xwayland, on the other hand is new, and much more targeted
+in scope.  It could, in theory, be changed to allow the much
+more secure default of a "user who started X server can connect
+clients to that server."
+
+This commit paves the way for that change, by adding a mechanism
+for DDXs to opt-in to that behavior.  They merely need to call
+
+LocalAccessScopeUser()
+
+in their init functions.
+
+A subsequent commit will add that call for Xwayland.
+
+Signed-off-by: Ray Strode <rstrode@redhat.com>
+Reviewed-by: Daniel Stone <daniels@collabora.com>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Signed-off-by: Keith Packard <keithp@keithp.com>
+
+diff --git a/include/os.h b/include/os.h
+index 6638c84..b2b96c8 100644
+--- a/include/os.h
++++ b/include/os.h
+@@ -431,11 +431,28 @@ extern _X_EXPORT void
+ ResetHosts(const char *display);
+ 
+ extern _X_EXPORT void
++EnableLocalAccess(void);
++
++extern _X_EXPORT void
++DisableLocalAccess(void);
++
++extern _X_EXPORT void
+ EnableLocalHost(void);
+ 
+ extern _X_EXPORT void
+ DisableLocalHost(void);
+ 
++#ifndef NO_LOCAL_CLIENT_CRED
++extern _X_EXPORT void
++EnableLocalUser(void);
++
++extern _X_EXPORT void
++DisableLocalUser(void);
++
++extern _X_EXPORT void
++LocalAccessScopeUser(void);
++#endif
++
+ extern _X_EXPORT void
+ AccessUsingXdmcp(void);
+ 
+diff --git a/os/access.c b/os/access.c
+index 8fa028e..75e7a69 100644
+--- a/os/access.c
++++ b/os/access.c
+@@ -102,6 +102,10 @@ SOFTWARE.
+ #include <sys/ioctl.h>
+ #include <ctype.h>
+ 
++#ifndef NO_LOCAL_CLIENT_CRED
++#include <pwd.h>
++#endif
++
+ #if defined(TCPCONN) || defined(STREAMSCONN)
+ #include <netinet/in.h>
+ #endif                          /* TCPCONN || STREAMSCONN */
+@@ -225,6 +229,13 @@ static int LocalHostEnabled = FALSE;
+ static int LocalHostRequested = FALSE;
+ static int UsingXdmcp = FALSE;
+ 
++static enum {
++    LOCAL_ACCESS_SCOPE_HOST = 0,
++#ifndef NO_LOCAL_CLIENT_CRED
++    LOCAL_ACCESS_SCOPE_USER,
++#endif
++} LocalAccessScope;
++
+ /* FamilyServerInterpreted implementation */
+ static Bool siAddrMatch(int family, void *addr, int len, HOST * host,
+                         ClientPtr client);
+@@ -237,6 +248,21 @@ static void siTypesInitialize(void);
+  */
+ 
+ void
++EnableLocalAccess(void)
++{
++    switch (LocalAccessScope) {
++        case LOCAL_ACCESS_SCOPE_HOST:
++            EnableLocalHost();
++            break;
++#ifndef NO_LOCAL_CLIENT_CRED
++        case LOCAL_ACCESS_SCOPE_USER:
++            EnableLocalUser();
++            break;
++#endif
++    }
++}
++
++void
+ EnableLocalHost(void)
+ {
+     if (!UsingXdmcp) {
+@@ -249,6 +275,21 @@ EnableLocalHost(void)
+  * called when authorization is enabled to keep us secure
+  */
+ void
++DisableLocalAccess(void)
++{
++    switch (LocalAccessScope) {
++        case LOCAL_ACCESS_SCOPE_HOST:
++            DisableLocalHost();
++            break;
++#ifndef NO_LOCAL_CLIENT_CRED
++        case LOCAL_ACCESS_SCOPE_USER:
++            DisableLocalUser();
++            break;
++#endif
++    }
++}
++
++void
+ DisableLocalHost(void)
+ {
+     HOST *self;
+@@ -262,6 +303,74 @@ DisableLocalHost(void)
+     }
+ }
+ 
++#ifndef NO_LOCAL_CLIENT_CRED
++static int GetLocalUserAddr(char **addr)
++{
++    static const char *type = "localuser";
++    static const char delimiter = '\0';
++    static const char *value;
++    struct passwd *pw;
++    int length = -1;
++
++    pw = getpwuid(getuid());
++
++    if (pw == NULL || pw->pw_name == NULL)
++        goto out;
++
++    value = pw->pw_name;
++
++    length = asprintf(addr, "%s%c%s", type, delimiter, value);
++
++    if (length == -1) {
++        goto out;
++    }
++
++    /* Trailing NUL */
++    length++;
++
++out:
++    return length;
++}
++
++void
++EnableLocalUser(void)
++{
++    char *addr = NULL;
++    int length = -1;
++
++    length = GetLocalUserAddr(&addr);
++
++    if (length == -1)
++        return;
++
++    NewHost(FamilyServerInterpreted, addr, length, TRUE);
++
++    free(addr);
++}
++
++void
++DisableLocalUser(void)
++{
++    char *addr = NULL;
++    int length = -1;
++
++    length = GetLocalUserAddr(&addr);
++
++    if (length == -1)
++        return;
++
++    RemoveHost(NULL, FamilyServerInterpreted, length, addr);
++
++    free(addr);
++}
++
++void
++LocalAccessScopeUser(void)
++{
++    LocalAccessScope = LOCAL_ACCESS_SCOPE_USER;
++}
++#endif
++
+ /*
+  * called at init time when XDMCP will be used; xdmcp always
+  * adds local hosts manually when needed
+diff --git a/os/auth.c b/os/auth.c
+index 5fcb538..7da6fc6 100644
+--- a/os/auth.c
++++ b/os/auth.c
+@@ -181,11 +181,11 @@ CheckAuthorization(unsigned int name_length,
+ 
+         /*
+          * If the authorization file has at least one entry for this server,
+-         * disable local host access. (loadauth > 0)
++         * disable local access. (loadauth > 0)
+          *
+          * If there are zero entries (either initially or when the
+          * authorization file is later reloaded), or if a valid
+-         * authorization file was never loaded, enable local host access.
++         * authorization file was never loaded, enable local access.
+          * (loadauth == 0 || !loaded)
+          *
+          * If the authorization file was loaded initially (with valid
+@@ -194,11 +194,11 @@ CheckAuthorization(unsigned int name_length,
+          */
+ 
+         if (loadauth > 0) {
+-            DisableLocalHost(); /* got at least one */
++            DisableLocalAccess(); /* got at least one */
+             loaded = TRUE;
+         }
+         else if (loadauth == 0 || !loaded)
+-            EnableLocalHost();
++            EnableLocalAccess();
+     }
+     if (name_length) {
+         for (i = 0; i < NUM_AUTHORIZATION; i++) {

U_xwayland-default-to-local-user-if-no-xauth-file-given.patch

@@ -0,0 +1,32 @@
+Subject: xwayland: default to local user if no xauth file given.
+Author: Ray Strode <rstrode@redhat.com>
+Path-mainline: Upstream
+Git-commit: 76636ac12f2d1dbdf7be08222f80e7505d53c451
+References: bnc#934102 CVE-2015-3164
+Signed-off-by: Michal Srb <msrb@suse.com>
+
+Right now if "-auth" isn't passed on the command line, we let
+any user on the system connect to the Xwayland server.
+
+That's clearly suboptimal, given Xwayland is generally designed
+to be used by one user at a time.
+
+This commit changes the behavior, so only the user who started the
+X server can connect clients to it.
+
+Signed-off-by: Ray Strode <rstrode@redhat.com>
+Reviewed-by: Daniel Stone <daniels@collabora.com>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Signed-off-by: Keith Packard <keithp@keithp.com>
+
+diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c
+index c5bee77..bc92beb 100644
+--- a/hw/xwayland/xwayland.c
++++ b/hw/xwayland/xwayland.c
+@@ -702,4 +702,6 @@ InitOutput(ScreenInfo * screen_info, int argc, char **argv)
+     if (AddScreen(xwl_screen_init, argc, argv) == -1) {
+         FatalError("Couldn't add screen\n");
+     }
++
++    LocalAccessScopeUser();
+ }

U_xwayland-enable-access-control-on-open-socket.patch

@@ -0,0 +1,32 @@
+Subject: xwayland: Enable access control on open sockets
+Author: Ray Strode <rstrode@redhat.com>
+Path-mainline: Upstream
+Git-commit: c4534a38b68aa07fb82318040dc8154fb48a9588
+References: bnc#934102 CVE-2015-3164
+Signed-off-by: Michal Srb <msrb@suse.com>
+
+Xwayland currently allows wide-open access to the X sockets
+it listens on, ignoring Xauth access control.
+
+This commit makes sure to enable access control on the sockets,
+so one user can't snoop on another user's X-over-wayland
+applications.
+
+Signed-off-by: Ray Strode <rstrode@redhat.com>
+Reviewed-by: Daniel Stone <daniels@collabora.com>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Signed-off-by: Keith Packard <keithp@keithp.com>
+
+diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c
+index 7e8d667..c5bee77 100644
+--- a/hw/xwayland/xwayland.c
++++ b/hw/xwayland/xwayland.c
+@@ -483,7 +483,7 @@ listen_on_fds(struct xwl_screen *xwl_screen)
+     int i;
+ 
+     for (i = 0; i < xwl_screen->listen_fd_count; i++)
+-        ListenOnOpenFD(xwl_screen->listen_fds[i], TRUE);
++        ListenOnOpenFD(xwl_screen->listen_fds[i], FALSE);
+ }
+ 
+ static void

xorg-x11-server.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Fri Jun 12 11:58:43 UTC 2015 - msrb@suse.com
+
+- U_os-support-new-implicit-local-user-access-mode.patch,
+  U_xwayland-default-to-local-user-if-no-xauth-file-given.patch,
+  U_xwayland-enable-access-control-on-open-socket.patch
+  * Prevent unauthorized local access. (bnc#934102, CVE-2015-3164)
+
 -------------------------------------------------------------------
 Mon Jun  8 15:21:18 UTC 2015 - antoine.belvire@laposte.net
 

xorg-x11-server.spec

@@ -168,6 +168,12 @@ Patch115:       N_Force-swcursor-for-KMS-drivers-without-hw-cursor-sup.patch
 Patch116:       U_os-XDMCP-options-like-query-etc-should-imply-listen.patch
 Patch117:       xorg-x11-server-byte-order.patch
 Patch118:       U_int10-Fix-error-check-for-pci_device_map_legacy.patch
+# PATCH-FIX-UPSTREAM U_xwayland-enable-access-control-on-open-socket.patch bnc#934102 msrb@suse.com -- Fix CVE-2015-3164
+Patch119:       U_xwayland-enable-access-control-on-open-socket.patch
+# PATCH-FIX-UPSTREAM U_os-support-new-implicit-local-user-access-mode.patch bnc#934102 msrb@suse.com -- Fix CVE-2015-3164
+Patch120:       U_os-support-new-implicit-local-user-access-mode.patch
+# PATCH-FIX-UPSTREAM U_xwayland-default-to-local-user-if-no-xauth-file-given.patch bnc#934102 msrb@suse.com -- Fix CVE-2015-3164
+Patch121:       U_xwayland-default-to-local-user-if-no-xauth-file-given.patch
 
 Patch1000:      n_xserver-optimus-autoconfig-hack.patch
 
@@ -265,6 +271,9 @@ cp %{SOURCE90} .
 %patch116 -p1
 %patch117 -p1
 %patch118 -p1
+%patch119 -p1
+%patch120 -p1
+%patch121 -p1
 
 %patch1000 -p1