xorg-server/patches/xorg-server-1.17.1-CVE-2015-3164.patch

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
<head>
<title>svntogit/packages.git - Git clone of the 'packages' repository
</title>
<meta name='generator' content='cgit v0.10.2'/>
<meta name='robots' content='index, nofollow'/>
<link rel='stylesheet' type='text/css' href='/cgit.css'/>
<link rel='shortcut icon' href='/favicon.ico'/>
<link rel='alternate' title='Atom feed' href='https://projects.archlinux.org/svntogit/packages.git/atom/trunk/fix-CVE-2015-3164.patch?h=packages/xorg-server' type='application/atom+xml'/>
<link rel='vcs-git' href='git://projects.archlinux.org/svntogit/packages.git' title='svntogit/packages.git Git repository'/>
<link rel='vcs-git' href='http://projects.archlinux.org/git/svntogit/packages.git' title='svntogit/packages.git Git repository'/>
<link rel='vcs-git' href='https://projects.archlinux.org/git/svntogit/packages.git' title='svntogit/packages.git Git repository'/>
<link rel='vcs-git' href='ssh://gerolde.archlinux.org/srv/projects/git/svntogit/packages.git' title='svntogit/packages.git Git repository'/>
</head>
<body>
	<div id="archnavbar"><!-- Arch Linux global navigation bar -->
		<div id="archnavbarlogo">
			<p><a href="http://www.archlinux.org/" title="Arch news, packages, projects and more"></a></p>
		</div>
		<div id="archnavbarmenu">
			<ul id="archnavbarlist">
				<li id="anb-home"><a href="http://www.archlinux.org/" title="Arch news, packages, projects and more">Home</a></li>
				<li id="anb-packages"><a href="http://www.archlinux.org/packages/" title="Arch Package Database">Packages</a></li>
				<li id="anb-forums"><a href="https://bbs.archlinux.org/" title="Community forums">Forums</a></li>
				<li id="anb-wiki"><a href="https://wiki.archlinux.org/" title="Community documentation">Wiki</a></li>
				<li id="anb-bugs"><a href="https://bugs.archlinux.org/" title="Report and follow bugs">Bugs</a></li>
				<li id="anb-aur"><a href="https://aur.archlinux.org/" title="Arch Linux User Repository">AUR</a></li>
				<li id="anb-download"><a href="http://www.archlinux.org/download/" title="Get Arch Linux">Download</a></li>
			</ul>
		</div>
	</div><!-- #archnavbar -->
<div id='cgit'><table id='header'>
<tr>
<td class='main'><a href='/'>index</a> : <a title='svntogit/packages.git' href='/svntogit/packages.git/'>svntogit/packages.git</a></td></tr>
<tr><td class='sub'>Git clone of the 'packages' repository
</td><td class='sub right'></td></tr></table>
<table class='tabs'><tr><td>
<a href='/svntogit/packages.git/?h=packages/xorg-server'>summary</a><a href='/svntogit/packages.git/refs/?h=packages/xorg-server'>refs</a><a href='/svntogit/packages.git/log/trunk/fix-CVE-2015-3164.patch?h=packages/xorg-server'>log</a><a class='active' href='/svntogit/packages.git/tree/trunk/fix-CVE-2015-3164.patch?h=packages/xorg-server'>tree</a><a href='/svntogit/packages.git/commit/trunk/fix-CVE-2015-3164.patch?h=packages/xorg-server'>commit</a><a href='/svntogit/packages.git/diff/trunk/fix-CVE-2015-3164.patch?h=packages/xorg-server'>diff</a><a href='/svntogit/packages.git/stats/trunk/fix-CVE-2015-3164.patch?h=packages/xorg-server'>stats</a></td><td class='form'><form class='right' method='get' action='/svntogit/packages.git/log/trunk/fix-CVE-2015-3164.patch'>
<input type='hidden' name='h' value='packages/xorg-server'/><select name='qt'>
<option value='grep'>log msg</option>
<option value='author'>author</option>
<option value='committer'>committer</option>
<option value='range'>range</option>
</select>
<input class='txt' type='text' size='10' name='q' value=''/>
<input type='submit' value='search'/>
</form>
</td></tr></table>
<div class='path'>path: <a href='/svntogit/packages.git/tree/?h=packages/xorg-server'>root</a>/<a href='/svntogit/packages.git/tree/trunk?h=packages/xorg-server'>trunk</a>/<a href='/svntogit/packages.git/tree/trunk/fix-CVE-2015-3164.patch?h=packages/xorg-server'>fix-CVE-2015-3164.patch</a></div><div class='content'>blob: e2ee1297323db4493e3babf9baf8f536463c61fb (<a href='/svntogit/packages.git/plain/trunk/fix-CVE-2015-3164.patch?h=packages/xorg-server'>plain</a>)
<table summary='blob content' class='blob'>
<tr><td class='linenumbers'><pre><a id='n1' href='#n1'>1</a>
<a id='n2' href='#n2'>2</a>
<a id='n3' href='#n3'>3</a>
<a id='n4' href='#n4'>4</a>
<a id='n5' href='#n5'>5</a>
<a id='n6' href='#n6'>6</a>
<a id='n7' href='#n7'>7</a>
<a id='n8' href='#n8'>8</a>
<a id='n9' href='#n9'>9</a>
<a id='n10' href='#n10'>10</a>
<a id='n11' href='#n11'>11</a>
<a id='n12' href='#n12'>12</a>
<a id='n13' href='#n13'>13</a>
<a id='n14' href='#n14'>14</a>
<a id='n15' href='#n15'>15</a>
<a id='n16' href='#n16'>16</a>
<a id='n17' href='#n17'>17</a>
<a id='n18' href='#n18'>18</a>
<a id='n19' href='#n19'>19</a>
<a id='n20' href='#n20'>20</a>
<a id='n21' href='#n21'>21</a>
<a id='n22' href='#n22'>22</a>
<a id='n23' href='#n23'>23</a>
<a id='n24' href='#n24'>24</a>
<a id='n25' href='#n25'>25</a>
<a id='n26' href='#n26'>26</a>
<a id='n27' href='#n27'>27</a>
<a id='n28' href='#n28'>28</a>
<a id='n29' href='#n29'>29</a>
<a id='n30' href='#n30'>30</a>
<a id='n31' href='#n31'>31</a>
<a id='n32' href='#n32'>32</a>
<a id='n33' href='#n33'>33</a>
<a id='n34' href='#n34'>34</a>
<a id='n35' href='#n35'>35</a>
<a id='n36' href='#n36'>36</a>
<a id='n37' href='#n37'>37</a>
<a id='n38' href='#n38'>38</a>
<a id='n39' href='#n39'>39</a>
<a id='n40' href='#n40'>40</a>
<a id='n41' href='#n41'>41</a>
<a id='n42' href='#n42'>42</a>
<a id='n43' href='#n43'>43</a>
<a id='n44' href='#n44'>44</a>
<a id='n45' href='#n45'>45</a>
<a id='n46' href='#n46'>46</a>
<a id='n47' href='#n47'>47</a>
<a id='n48' href='#n48'>48</a>
<a id='n49' href='#n49'>49</a>
<a id='n50' href='#n50'>50</a>
<a id='n51' href='#n51'>51</a>
<a id='n52' href='#n52'>52</a>
<a id='n53' href='#n53'>53</a>
<a id='n54' href='#n54'>54</a>
<a id='n55' href='#n55'>55</a>
<a id='n56' href='#n56'>56</a>
<a id='n57' href='#n57'>57</a>
<a id='n58' href='#n58'>58</a>
<a id='n59' href='#n59'>59</a>
<a id='n60' href='#n60'>60</a>
<a id='n61' href='#n61'>61</a>
<a id='n62' href='#n62'>62</a>
<a id='n63' href='#n63'>63</a>
<a id='n64' href='#n64'>64</a>
<a id='n65' href='#n65'>65</a>
<a id='n66' href='#n66'>66</a>
<a id='n67' href='#n67'>67</a>
<a id='n68' href='#n68'>68</a>
<a id='n69' href='#n69'>69</a>
<a id='n70' href='#n70'>70</a>
<a id='n71' href='#n71'>71</a>
<a id='n72' href='#n72'>72</a>
<a id='n73' href='#n73'>73</a>
<a id='n74' href='#n74'>74</a>
<a id='n75' href='#n75'>75</a>
<a id='n76' href='#n76'>76</a>
<a id='n77' href='#n77'>77</a>
<a id='n78' href='#n78'>78</a>
<a id='n79' href='#n79'>79</a>
<a id='n80' href='#n80'>80</a>
<a id='n81' href='#n81'>81</a>
<a id='n82' href='#n82'>82</a>
<a id='n83' href='#n83'>83</a>
<a id='n84' href='#n84'>84</a>
<a id='n85' href='#n85'>85</a>
<a id='n86' href='#n86'>86</a>
<a id='n87' href='#n87'>87</a>
<a id='n88' href='#n88'>88</a>
<a id='n89' href='#n89'>89</a>
<a id='n90' href='#n90'>90</a>
<a id='n91' href='#n91'>91</a>
<a id='n92' href='#n92'>92</a>
<a id='n93' href='#n93'>93</a>
<a id='n94' href='#n94'>94</a>
<a id='n95' href='#n95'>95</a>
<a id='n96' href='#n96'>96</a>
<a id='n97' href='#n97'>97</a>
<a id='n98' href='#n98'>98</a>
<a id='n99' href='#n99'>99</a>
<a id='n100' href='#n100'>100</a>
<a id='n101' href='#n101'>101</a>
<a id='n102' href='#n102'>102</a>
<a id='n103' href='#n103'>103</a>
<a id='n104' href='#n104'>104</a>
<a id='n105' href='#n105'>105</a>
<a id='n106' href='#n106'>106</a>
<a id='n107' href='#n107'>107</a>
<a id='n108' href='#n108'>108</a>
<a id='n109' href='#n109'>109</a>
<a id='n110' href='#n110'>110</a>
<a id='n111' href='#n111'>111</a>
<a id='n112' href='#n112'>112</a>
<a id='n113' href='#n113'>113</a>
<a id='n114' href='#n114'>114</a>
<a id='n115' href='#n115'>115</a>
<a id='n116' href='#n116'>116</a>
<a id='n117' href='#n117'>117</a>
<a id='n118' href='#n118'>118</a>
<a id='n119' href='#n119'>119</a>
<a id='n120' href='#n120'>120</a>
<a id='n121' href='#n121'>121</a>
<a id='n122' href='#n122'>122</a>
<a id='n123' href='#n123'>123</a>
<a id='n124' href='#n124'>124</a>
<a id='n125' href='#n125'>125</a>
<a id='n126' href='#n126'>126</a>
<a id='n127' href='#n127'>127</a>
<a id='n128' href='#n128'>128</a>
<a id='n129' href='#n129'>129</a>
<a id='n130' href='#n130'>130</a>
<a id='n131' href='#n131'>131</a>
<a id='n132' href='#n132'>132</a>
<a id='n133' href='#n133'>133</a>
<a id='n134' href='#n134'>134</a>
<a id='n135' href='#n135'>135</a>
<a id='n136' href='#n136'>136</a>
<a id='n137' href='#n137'>137</a>
<a id='n138' href='#n138'>138</a>
<a id='n139' href='#n139'>139</a>
<a id='n140' href='#n140'>140</a>
<a id='n141' href='#n141'>141</a>
<a id='n142' href='#n142'>142</a>
<a id='n143' href='#n143'>143</a>
<a id='n144' href='#n144'>144</a>
<a id='n145' href='#n145'>145</a>
<a id='n146' href='#n146'>146</a>
<a id='n147' href='#n147'>147</a>
<a id='n148' href='#n148'>148</a>
<a id='n149' href='#n149'>149</a>
<a id='n150' href='#n150'>150</a>
<a id='n151' href='#n151'>151</a>
<a id='n152' href='#n152'>152</a>
<a id='n153' href='#n153'>153</a>
<a id='n154' href='#n154'>154</a>
<a id='n155' href='#n155'>155</a>
<a id='n156' href='#n156'>156</a>
<a id='n157' href='#n157'>157</a>
<a id='n158' href='#n158'>158</a>
<a id='n159' href='#n159'>159</a>
<a id='n160' href='#n160'>160</a>
<a id='n161' href='#n161'>161</a>
<a id='n162' href='#n162'>162</a>
<a id='n163' href='#n163'>163</a>
<a id='n164' href='#n164'>164</a>
<a id='n165' href='#n165'>165</a>
<a id='n166' href='#n166'>166</a>
<a id='n167' href='#n167'>167</a>
<a id='n168' href='#n168'>168</a>
<a id='n169' href='#n169'>169</a>
<a id='n170' href='#n170'>170</a>
<a id='n171' href='#n171'>171</a>
<a id='n172' href='#n172'>172</a>
<a id='n173' href='#n173'>173</a>
<a id='n174' href='#n174'>174</a>
<a id='n175' href='#n175'>175</a>
<a id='n176' href='#n176'>176</a>
<a id='n177' href='#n177'>177</a>
<a id='n178' href='#n178'>178</a>
<a id='n179' href='#n179'>179</a>
<a id='n180' href='#n180'>180</a>
<a id='n181' href='#n181'>181</a>
<a id='n182' href='#n182'>182</a>
<a id='n183' href='#n183'>183</a>
<a id='n184' href='#n184'>184</a>
<a id='n185' href='#n185'>185</a>
<a id='n186' href='#n186'>186</a>
<a id='n187' href='#n187'>187</a>
<a id='n188' href='#n188'>188</a>
<a id='n189' href='#n189'>189</a>
<a id='n190' href='#n190'>190</a>
<a id='n191' href='#n191'>191</a>
<a id='n192' href='#n192'>192</a>
<a id='n193' href='#n193'>193</a>
<a id='n194' href='#n194'>194</a>
<a id='n195' href='#n195'>195</a>
<a id='n196' href='#n196'>196</a>
<a id='n197' href='#n197'>197</a>
<a id='n198' href='#n198'>198</a>
<a id='n199' href='#n199'>199</a>
<a id='n200' href='#n200'>200</a>
<a id='n201' href='#n201'>201</a>
<a id='n202' href='#n202'>202</a>
<a id='n203' href='#n203'>203</a>
<a id='n204' href='#n204'>204</a>
<a id='n205' href='#n205'>205</a>
<a id='n206' href='#n206'>206</a>
<a id='n207' href='#n207'>207</a>
<a id='n208' href='#n208'>208</a>
<a id='n209' href='#n209'>209</a>
<a id='n210' href='#n210'>210</a>
<a id='n211' href='#n211'>211</a>
<a id='n212' href='#n212'>212</a>
<a id='n213' href='#n213'>213</a>
<a id='n214' href='#n214'>214</a>
<a id='n215' href='#n215'>215</a>
<a id='n216' href='#n216'>216</a>
<a id='n217' href='#n217'>217</a>
<a id='n218' href='#n218'>218</a>
<a id='n219' href='#n219'>219</a>
<a id='n220' href='#n220'>220</a>
<a id='n221' href='#n221'>221</a>
<a id='n222' href='#n222'>222</a>
<a id='n223' href='#n223'>223</a>
<a id='n224' href='#n224'>224</a>
<a id='n225' href='#n225'>225</a>
<a id='n226' href='#n226'>226</a>
<a id='n227' href='#n227'>227</a>
<a id='n228' href='#n228'>228</a>
<a id='n229' href='#n229'>229</a>
<a id='n230' href='#n230'>230</a>
<a id='n231' href='#n231'>231</a>
<a id='n232' href='#n232'>232</a>
<a id='n233' href='#n233'>233</a>
<a id='n234' href='#n234'>234</a>
<a id='n235' href='#n235'>235</a>
<a id='n236' href='#n236'>236</a>
<a id='n237' href='#n237'>237</a>
<a id='n238' href='#n238'>238</a>
<a id='n239' href='#n239'>239</a>
<a id='n240' href='#n240'>240</a>
<a id='n241' href='#n241'>241</a>
<a id='n242' href='#n242'>242</a>
<a id='n243' href='#n243'>243</a>
<a id='n244' href='#n244'>244</a>
<a id='n245' href='#n245'>245</a>
<a id='n246' href='#n246'>246</a>
<a id='n247' href='#n247'>247</a>
<a id='n248' href='#n248'>248</a>
<a id='n249' href='#n249'>249</a>
<a id='n250' href='#n250'>250</a>
<a id='n251' href='#n251'>251</a>
<a id='n252' href='#n252'>252</a>
<a id='n253' href='#n253'>253</a>
<a id='n254' href='#n254'>254</a>
<a id='n255' href='#n255'>255</a>
<a id='n256' href='#n256'>256</a>
<a id='n257' href='#n257'>257</a>
<a id='n258' href='#n258'>258</a>
<a id='n259' href='#n259'>259</a>
<a id='n260' href='#n260'>260</a>
<a id='n261' href='#n261'>261</a>
<a id='n262' href='#n262'>262</a>
<a id='n263' href='#n263'>263</a>
<a id='n264' href='#n264'>264</a>
<a id='n265' href='#n265'>265</a>
<a id='n266' href='#n266'>266</a>
<a id='n267' href='#n267'>267</a>
<a id='n268' href='#n268'>268</a>
<a id='n269' href='#n269'>269</a>
<a id='n270' href='#n270'>270</a>
<a id='n271' href='#n271'>271</a>
<a id='n272' href='#n272'>272</a>
<a id='n273' href='#n273'>273</a>
<a id='n274' href='#n274'>274</a>
<a id='n275' href='#n275'>275</a>
<a id='n276' href='#n276'>276</a>
<a id='n277' href='#n277'>277</a>
<a id='n278' href='#n278'>278</a>
<a id='n279' href='#n279'>279</a>
<a id='n280' href='#n280'>280</a>
<a id='n281' href='#n281'>281</a>
<a id='n282' href='#n282'>282</a>
<a id='n283' href='#n283'>283</a>
<a id='n284' href='#n284'>284</a>
<a id='n285' href='#n285'>285</a>
<a id='n286' href='#n286'>286</a>
<a id='n287' href='#n287'>287</a>
<a id='n288' href='#n288'>288</a>
<a id='n289' href='#n289'>289</a>
<a id='n290' href='#n290'>290</a>
<a id='n291' href='#n291'>291</a>
<a id='n292' href='#n292'>292</a>
<a id='n293' href='#n293'>293</a>
<a id='n294' href='#n294'>294</a>
<a id='n295' href='#n295'>295</a>
<a id='n296' href='#n296'>296</a>
<a id='n297' href='#n297'>297</a>
<a id='n298' href='#n298'>298</a>
<a id='n299' href='#n299'>299</a>
<a id='n300' href='#n300'>300</a>
<a id='n301' href='#n301'>301</a>
<a id='n302' href='#n302'>302</a>
<a id='n303' href='#n303'>303</a>
<a id='n304' href='#n304'>304</a>
<a id='n305' href='#n305'>305</a>
<a id='n306' href='#n306'>306</a>
<a id='n307' href='#n307'>307</a>
<a id='n308' href='#n308'>308</a>
<a id='n309' href='#n309'>309</a>
<a id='n310' href='#n310'>310</a>
<a id='n311' href='#n311'>311</a>
</pre></td>
<td class='lines'><pre><code>From c4534a38b68aa07fb82318040dc8154fb48a9588 Mon Sep 17 00:00:00 2001
From: Ray Strode &lt;rstrode&#64;redhat.com&gt;
Date: Tue, 5 May 2015 16:43:42 -0400
Subject: xwayland: Enable access control on open sockets [CVE-2015-3164 1/3]

Xwayland currently allows wide-open access to the X sockets
it listens on, ignoring Xauth access control.

This commit makes sure to enable access control on the sockets,
so one user can't snoop on another user's X-over-wayland
applications.

Signed-off-by: Ray Strode &lt;rstrode&#64;redhat.com&gt;
Reviewed-by: Daniel Stone &lt;daniels&#64;collabora.com&gt;
Reviewed-by: Alan Coopersmith &lt;alan.coopersmith&#64;oracle.com&gt;
Signed-off-by: Keith Packard &lt;keithp&#64;keithp.com&gt;

diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c
index 7e8d667..c5bee77 100644
<span class="hl kwb">--- a/hw/xwayland/xwayland.c</span>
<span class="hl kwa">+++ b/hw/xwayland/xwayland.c</span>
&#64;&#64; -483,7 +483,7 &#64;&#64; listen_on_fds(struct xwl_screen *xwl_screen)
     int i;
 
     for (i = 0; i &lt; xwl_screen-&gt;listen_fd_count; i++)
<span class="hl kwb">-        ListenOnOpenFD(xwl_screen-&gt;listen_fds[i], TRUE);</span>
<span class="hl kwa">+        ListenOnOpenFD(xwl_screen-&gt;listen_fds[i], FALSE);</span>
 }
 
 static void
<span class="hl kwb">-- </span>
cgit v0.10.2
From 4b4b9086d02b80549981d205fb1f495edc373538 Mon Sep 17 00:00:00 2001
From: Ray Strode &lt;rstrode&#64;redhat.com&gt;
Date: Tue, 5 May 2015 16:43:43 -0400
Subject: os: support new implicit local user access mode [CVE-2015-3164 2/3]

If the X server is started without a '-auth' argument, then
it gets started wide open to all local users on the system.

This isn't a great default access model, but changing it in
Xorg at this point would break backward compatibility.

Xwayland, on the other hand is new, and much more targeted
in scope.  It could, in theory, be changed to allow the much
more secure default of a &quot;user who started X server can connect
clients to that server.&quot;

This commit paves the way for that change, by adding a mechanism
for DDXs to opt-in to that behavior.  They merely need to call

LocalAccessScopeUser()

in their init functions.

A subsequent commit will add that call for Xwayland.

Signed-off-by: Ray Strode &lt;rstrode&#64;redhat.com&gt;
Reviewed-by: Daniel Stone &lt;daniels&#64;collabora.com&gt;
Reviewed-by: Alan Coopersmith &lt;alan.coopersmith&#64;oracle.com&gt;
Signed-off-by: Keith Packard &lt;keithp&#64;keithp.com&gt;

diff --git a/include/os.h b/include/os.h
index 6638c84..b2b96c8 100644
<span class="hl kwb">--- a/include/os.h</span>
<span class="hl kwa">+++ b/include/os.h</span>
&#64;&#64; -431,11 +431,28 &#64;&#64; extern _X_EXPORT void
 ResetHosts(const char *display);
 
 extern _X_EXPORT void
<span class="hl kwa">+EnableLocalAccess(void);</span>
<span class="hl kwa">+</span>
<span class="hl kwa">+extern _X_EXPORT void</span>
<span class="hl kwa">+DisableLocalAccess(void);</span>
<span class="hl kwa">+</span>
<span class="hl kwa">+extern _X_EXPORT void</span>
 EnableLocalHost(void);
 
 extern _X_EXPORT void
 DisableLocalHost(void);
 
<span class="hl kwa">+#ifndef NO_LOCAL_CLIENT_CRED</span>
<span class="hl kwa">+extern _X_EXPORT void</span>
<span class="hl kwa">+EnableLocalUser(void);</span>
<span class="hl kwa">+</span>
<span class="hl kwa">+extern _X_EXPORT void</span>
<span class="hl kwa">+DisableLocalUser(void);</span>
<span class="hl kwa">+</span>
<span class="hl kwa">+extern _X_EXPORT void</span>
<span class="hl kwa">+LocalAccessScopeUser(void);</span>
<span class="hl kwa">+#endif</span>
<span class="hl kwa">+</span>
 extern _X_EXPORT void
 AccessUsingXdmcp(void);
 
diff --git a/os/access.c b/os/access.c
index 8fa028e..75e7a69 100644
<span class="hl kwb">--- a/os/access.c</span>
<span class="hl kwa">+++ b/os/access.c</span>
&#64;&#64; -102,6 +102,10 &#64;&#64; SOFTWARE.
 #include &lt;sys/ioctl.h&gt;
 #include &lt;ctype.h&gt;
 
<span class="hl kwa">+#ifndef NO_LOCAL_CLIENT_CRED</span>
<span class="hl kwa">+#include &lt;pwd.h&gt;</span>
<span class="hl kwa">+#endif</span>
<span class="hl kwa">+</span>
 #if defined(TCPCONN) || defined(STREAMSCONN)
 #include &lt;netinet/in.h&gt;
 #endif                          /* TCPCONN || STREAMSCONN */
&#64;&#64; -225,6 +229,13 &#64;&#64; static int LocalHostEnabled = FALSE;
 static int LocalHostRequested = FALSE;
 static int UsingXdmcp = FALSE;
 
<span class="hl kwa">+static enum {</span>
<span class="hl kwa">+    LOCAL_ACCESS_SCOPE_HOST = 0,</span>
<span class="hl kwa">+#ifndef NO_LOCAL_CLIENT_CRED</span>
<span class="hl kwa">+    LOCAL_ACCESS_SCOPE_USER,</span>
<span class="hl kwa">+#endif</span>
<span class="hl kwa">+} LocalAccessScope;</span>
<span class="hl kwa">+</span>
 /* FamilyServerInterpreted implementation */
 static Bool siAddrMatch(int family, void *addr, int len, HOST * host,
                         ClientPtr client);
&#64;&#64; -237,6 +248,21 &#64;&#64; static void siTypesInitialize(void);
  */
 
 void
<span class="hl kwa">+EnableLocalAccess(void)</span>
<span class="hl kwa">+{</span>
<span class="hl kwa">+    switch (LocalAccessScope) {</span>
<span class="hl kwa">+        case LOCAL_ACCESS_SCOPE_HOST:</span>
<span class="hl kwa">+            EnableLocalHost();</span>
<span class="hl kwa">+            break;</span>
<span class="hl kwa">+#ifndef NO_LOCAL_CLIENT_CRED</span>
<span class="hl kwa">+        case LOCAL_ACCESS_SCOPE_USER:</span>
<span class="hl kwa">+            EnableLocalUser();</span>
<span class="hl kwa">+            break;</span>
<span class="hl kwa">+#endif</span>
<span class="hl kwa">+    }</span>
<span class="hl kwa">+}</span>
<span class="hl kwa">+</span>
<span class="hl kwa">+void</span>
 EnableLocalHost(void)
 {
     if (!UsingXdmcp) {
&#64;&#64; -249,6 +275,21 &#64;&#64; EnableLocalHost(void)
  * called when authorization is enabled to keep us secure
  */
 void
<span class="hl kwa">+DisableLocalAccess(void)</span>
<span class="hl kwa">+{</span>
<span class="hl kwa">+    switch (LocalAccessScope) {</span>
<span class="hl kwa">+        case LOCAL_ACCESS_SCOPE_HOST:</span>
<span class="hl kwa">+            DisableLocalHost();</span>
<span class="hl kwa">+            break;</span>
<span class="hl kwa">+#ifndef NO_LOCAL_CLIENT_CRED</span>
<span class="hl kwa">+        case LOCAL_ACCESS_SCOPE_USER:</span>
<span class="hl kwa">+            DisableLocalUser();</span>
<span class="hl kwa">+            break;</span>
<span class="hl kwa">+#endif</span>
<span class="hl kwa">+    }</span>
<span class="hl kwa">+}</span>
<span class="hl kwa">+</span>
<span class="hl kwa">+void</span>
 DisableLocalHost(void)
 {
     HOST *self;
&#64;&#64; -262,6 +303,74 &#64;&#64; DisableLocalHost(void)
     }
 }
 
<span class="hl kwa">+#ifndef NO_LOCAL_CLIENT_CRED</span>
<span class="hl kwa">+static int GetLocalUserAddr(char **addr)</span>
<span class="hl kwa">+{</span>
<span class="hl kwa">+    static const char *type = &quot;localuser&quot;;</span>
<span class="hl kwa">+    static const char delimiter = '\0';</span>
<span class="hl kwa">+    static const char *value;</span>
<span class="hl kwa">+    struct passwd *pw;</span>
<span class="hl kwa">+    int length = -1;</span>
<span class="hl kwa">+</span>
<span class="hl kwa">+    pw = getpwuid(getuid());</span>
<span class="hl kwa">+</span>
<span class="hl kwa">+    if (pw == NULL || pw-&gt;pw_name == NULL)</span>
<span class="hl kwa">+        goto out;</span>
<span class="hl kwa">+</span>
<span class="hl kwa">+    value = pw-&gt;pw_name;</span>
<span class="hl kwa">+</span>
<span class="hl kwa">+    length = asprintf(addr, &quot;%s%c%s&quot;, type, delimiter, value);</span>
<span class="hl kwa">+</span>
<span class="hl kwa">+    if (length == -1) {</span>
<span class="hl kwa">+        goto out;</span>
<span class="hl kwa">+    }</span>
<span class="hl kwa">+</span>
<span class="hl kwa">+    /* Trailing NUL */</span>
<span class="hl kwa">+    length++;</span>
<span class="hl kwa">+</span>
<span class="hl kwa">+out:</span>
<span class="hl kwa">+    return length;</span>
<span class="hl kwa">+}</span>
<span class="hl kwa">+</span>
<span class="hl kwa">+void</span>
<span class="hl kwa">+EnableLocalUser(void)</span>
<span class="hl kwa">+{</span>
<span class="hl kwa">+    char *addr = NULL;</span>
<span class="hl kwa">+    int length = -1;</span>
<span class="hl kwa">+</span>
<span class="hl kwa">+    length = GetLocalUserAddr(&amp;addr);</span>
<span class="hl kwa">+</span>
<span class="hl kwa">+    if (length == -1)</span>
<span class="hl kwa">+        return;</span>
<span class="hl kwa">+</span>
<span class="hl kwa">+    NewHost(FamilyServerInterpreted, addr, length, TRUE);</span>
<span class="hl kwa">+</span>
<span class="hl kwa">+    free(addr);</span>
<span class="hl kwa">+}</span>
<span class="hl kwa">+</span>
<span class="hl kwa">+void</span>
<span class="hl kwa">+DisableLocalUser(void)</span>
<span class="hl kwa">+{</span>
<span class="hl kwa">+    char *addr = NULL;</span>
<span class="hl kwa">+    int length = -1;</span>
<span class="hl kwa">+</span>
<span class="hl kwa">+    length = GetLocalUserAddr(&amp;addr);</span>
<span class="hl kwa">+</span>
<span class="hl kwa">+    if (length == -1)</span>
<span class="hl kwa">+        return;</span>
<span class="hl kwa">+</span>
<span class="hl kwa">+    RemoveHost(NULL, FamilyServerInterpreted, length, addr);</span>
<span class="hl kwa">+</span>
<span class="hl kwa">+    free(addr);</span>
<span class="hl kwa">+}</span>
<span class="hl kwa">+</span>
<span class="hl kwa">+void</span>
<span class="hl kwa">+LocalAccessScopeUser(void)</span>
<span class="hl kwa">+{</span>
<span class="hl kwa">+    LocalAccessScope = LOCAL_ACCESS_SCOPE_USER;</span>
<span class="hl kwa">+}</span>
<span class="hl kwa">+#endif</span>
<span class="hl kwa">+</span>
 /*
  * called at init time when XDMCP will be used; xdmcp always
  * adds local hosts manually when needed
diff --git a/os/auth.c b/os/auth.c
index 5fcb538..7da6fc6 100644
<span class="hl kwb">--- a/os/auth.c</span>
<span class="hl kwa">+++ b/os/auth.c</span>
&#64;&#64; -181,11 +181,11 &#64;&#64; CheckAuthorization(unsigned int name_length,
 
         /*
          * If the authorization file has at least one entry for this server,
<span class="hl kwb">-         * disable local host access. (loadauth &gt; 0)</span>
<span class="hl kwa">+         * disable local access. (loadauth &gt; 0)</span>
          *
          * If there are zero entries (either initially or when the
          * authorization file is later reloaded), or if a valid
<span class="hl kwb">-         * authorization file was never loaded, enable local host access.</span>
<span class="hl kwa">+         * authorization file was never loaded, enable local access.</span>
          * (loadauth == 0 || !loaded)
          *
          * If the authorization file was loaded initially (with valid
&#64;&#64; -194,11 +194,11 &#64;&#64; CheckAuthorization(unsigned int name_length,
          */
 
         if (loadauth &gt; 0) {
<span class="hl kwb">-            DisableLocalHost(); /* got at least one */</span>
<span class="hl kwa">+            DisableLocalAccess(); /* got at least one */</span>
             loaded = TRUE;
         }
         else if (loadauth == 0 || !loaded)
<span class="hl kwb">-            EnableLocalHost();</span>
<span class="hl kwa">+            EnableLocalAccess();</span>
     }
     if (name_length) {
         for (i = 0; i &lt; NUM_AUTHORIZATION; i++) {
<span class="hl kwb">-- </span>
cgit v0.10.2
From 76636ac12f2d1dbdf7be08222f80e7505d53c451 Mon Sep 17 00:00:00 2001
From: Ray Strode &lt;rstrode&#64;redhat.com&gt;
Date: Tue, 5 May 2015 16:43:44 -0400
Subject: xwayland: default to local user if no xauth file given.
 [CVE-2015-3164 3/3]

Right now if &quot;-auth&quot; isn't passed on the command line, we let
any user on the system connect to the Xwayland server.

That's clearly suboptimal, given Xwayland is generally designed
to be used by one user at a time.

This commit changes the behavior, so only the user who started the
X server can connect clients to it.

Signed-off-by: Ray Strode &lt;rstrode&#64;redhat.com&gt;
Reviewed-by: Daniel Stone &lt;daniels&#64;collabora.com&gt;
Reviewed-by: Alan Coopersmith &lt;alan.coopersmith&#64;oracle.com&gt;
Signed-off-by: Keith Packard &lt;keithp&#64;keithp.com&gt;

diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c
index c5bee77..bc92beb 100644
<span class="hl kwb">--- a/hw/xwayland/xwayland.c</span>
<span class="hl kwa">+++ b/hw/xwayland/xwayland.c</span>
&#64;&#64; -702,4 +702,6 &#64;&#64; InitOutput(ScreenInfo * screen_info, int argc, char **argv)
     if (AddScreen(xwl_screen_init, argc, argv) == -1) {
         FatalError(&quot;Couldn't add screen\n&quot;);
     }
<span class="hl kwa">+</span>
<span class="hl kwa">+    LocalAccessScopeUser();</span>
 }
<span class="hl kwb">-- </span>
cgit v0.10.2

</code></pre></td></tr></table>
</div> <!-- class=content -->
<div class="foot" style="padding-left:1em;padding-right:1em;">
<p>Copyright &copy; 2002-2014 <a href="mailto:jvinet@zeroflux.org"
title="contact Judd Vinet">Judd Vinet</a> and <a href="mailto:aaron@archlinux.org"
title="contact Aaron Griffin">Aaron Griffin</a>. The Arch Linux name and logo
are recognized trademarks. Some rights reserved. The registered trademark
Linux&reg; is used pursuant to a sublicense from LMI, the exclusive licensee
of Linus Torvalds, owner of the mark on a world-wide basis.</p>
</div>
</div> <!-- id=cgit -->
</body>
</html>