CERT VU:300368
History: Oct 25, 2006 - 12:00 a.m.

X.Org fails to check for setuid failure on Linux systems

2006-10-25 00:00:00
www.kb.cert.org

CVSS2: 7.2 High

Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.001 Low
Percentile: 25.1%

Overview

Programs distributed as part of the X.Org software distribution fail to properly handle test results for effective user ID. This vulnerability may lead to privilege escalation.

Description

Linux, like most Unix systems, provides a system call, setuid(), to set the effective user ID of a process. A vulnerability exists in X.Org versions 6.7.0 through 7.1 on systems where setuid() may fail, even when invoked by a process running as root. In reference to systems using the Linux 2.6 kernel, X.Org Security Advisory, June 20th, 2006 states:

This is because there is a ‘maximum processes’ ulimit, which is honoured by setuid(), seteuid(), and setgid(). These functions may fail because of this ulimit; if the return value is not checked, then code which is assumed to be running unprivileged, may in fact be running with uid 0.
This vulnerability is exposed on systems based on the Linux 2.6 kernel through any program supplied with the X.Org distribution that typically runs with elevated privileges (setuid to root), such as xterm, xdm, the X server, etc.
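
The unchecked call described above, next to a checked version, as an added example (not code from X.Org or from this vulnerability note). The function names and the `setuid_eagain` stub, which stands in for a setuid() call failing under the process ulimit, are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Signature of setuid(); injectable so the failure path can be exercised. */
typedef int (*setuid_fn)(uid_t);

/* Constructed stub: setuid() failing the way the advisory describes,
 * when the 'maximum processes' ulimit is hit. */
static int setuid_eagain(uid_t uid) {
    (void)uid;
    errno = EAGAIN;
    return -1;
}

/* Vulnerable pattern: the result is discarded, so the caller goes on
 * believing it is unprivileged while the uid is unchanged. */
static int drop_unchecked(uid_t target, setuid_fn do_setuid) {
    (void)do_setuid(target);
    return 0;
}

/* Checked pattern: fail closed on error, then verify the ids changed
 * and that root cannot be regained. Returns 0 only on a real drop. */
static int drop_checked(uid_t target, setuid_fn do_setuid) {
    if (do_setuid(target) != 0)
        return -1;
    if (getuid() != target || geteuid() != target)
        return -1;
    if (target != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void) {
    uid_t me = getuid(); /* sample target: our own uid, so no root is needed */
    printf("unchecked, failing setuid -> %d\n", drop_unchecked(me, setuid_eagain));
    printf("checked,   failing setuid -> %d\n", drop_checked(me, setuid_eagain));
    if (drop_checked(me, setuid) != 0) {
        perror("setuid");
        return 1; /* a privileged program must exit here, not continue */
    }
    return 0;
}
```

A setuid-root program would treat a nonzero return from `drop_checked` as fatal and exit before running any code that assumes reduced privileges.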


Impact

This vulnerability may allow an authenticated attacker to run arbitrary code with elevated privileges.


Solution

Upgrade or apply a patch from the vendor
Patches have been released to address this issue. See the systems affected section of this document for information about specific vendors. Users who compile the X.Org software distribution from source are encouraged to update to the most recent version.


Vendor Information

Debian GNU/Linux: Affected

Updated: October 12, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to Debian Security Advisory dsa-1193.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23300368 Feedback>).

Gentoo Linux: Affected

Updated: October 12, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to Gentoo Security Advisory glsa-200608-25.

Mandriva, Inc.: Affected

Updated: October 12, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to Mandriva Advisory MDKSA-2006:160.

X.org Foundation: Affected

Updated: October 25, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to X.Org Security Advisory, June 20th, 2006.

Acknowledgements

This issue was reported in X.Org Security Advisory, June 20th, 2006. X.Org credits Dirk Mueller and Marcus Meissner for reporting this issue.

This document was written by Chris Taschner.

Other Information

CVE IDs: CVE-2006-4447
Severity Metric: 0.07
Date Public:
