X.Org Server 1.20.3 Released To Fix New Security Issue

Written by Michael Larabel in X.Org on 25 October 2018 at 11:08 AM EDT.
We've known that X.Org Server security has been a "disaster" (according to security researchers), and while many bugs have been fixed in recent years, not all of the security bugs date back decades in the old code-base. Out today is X.Org Server 1.20.3 to fix a new CVE issued for X.Org Server 1.19 and newer.

In X.Org Server 1.19 through X.Org Server 1.20.2 there was incorrect command-line parameter validation that could lead to privilege escalation and files being arbitrarily overwritten.

When the X.Org Server was running with escalated privileges, the -modulepath argument could be used to load unprivileged code from any path on the system into the privileged X.Org Server process.

The other related vulnerability is that the -logfile argument could be used to overwrite arbitrary files on the file-system from the privileged process.

The fix is simply disabling support for these command-line arguments when running with escalated privileges.
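A sketch of the kind of check that paragraph describes, as an added example and not X.Org's actual code: path-taking options are refused whenever the effective IDs differ from the real IDs. The function names `privs_elevated` and `first_refused_arg` are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Options that take a filesystem path and must not be honoured when the
 * process runs with more privilege than the invoking user (per the article). */
static const char *const path_opts[] = { "-modulepath", "-logfile" };

/* Elevated = effective IDs differ from real IDs (setuid/setgid execution).
 * IDs are passed in so the logic can be tested without a setuid binary. */
int privs_elevated(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

static int is_path_opt(const char *arg)
{
    for (size_t i = 0; i < sizeof path_opts / sizeof path_opts[0]; i++)
        if (strcmp(arg, path_opts[i]) == 0)
            return 1;
    return 0;
}

/* Returns the argv index of the first option that must be refused,
 * or -1 if the command line is acceptable. */
int first_refused_arg(int argc, char *const argv[], int elevated)
{
    for (int i = 1; i < argc; i++) {
        if (!is_path_opt(argv[i]))
            continue;
        if (elevated)
            return i;          /* refuse before the path is ever used */
        if (i + 1 >= argc)
            return i;          /* option present but its value is missing */
        i++;                   /* skip the value so it is not parsed as an option */
    }
    return -1;
}

int main(int argc, char *argv[])
{
    int elevated = privs_elevated(getuid(), geteuid(), getgid(), getegid());
    int bad = first_refused_arg(argc, argv, elevated);
    if (bad >= 0) {
        fprintf(stderr, "refusing %s (elevated=%d)\n", argv[bad], elevated);
        return 1;
    }
    return 0;
}
```

The decision is made on the option name alone, before its path value is opened or loaded, so an elevated process never touches a caller-supplied path.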

This issue was assigned CVE-2018-14665 and is now addressed by the new X.Org Server 1.20.3 update. Red Hat's Adam Jackson took the time to codename this immediate security release as "Harissa Roasted Carrots." X.Org Server 1.21 is the next big feature release in development that will likely see the light of day in 2019, hopefully with more security improvements.