X.Org Server 1.20.3 Released To Fix New Security Issue
Written by Michael Larabel in X.Org on 25 October 2018 at 11:08 AM EDT. 15 Comments
X.ORG --
We've known that the X.Org Server security has been a "disaster" (according to security researchers) and while many bugs have been fixed in recent years, not all of the security bugs date back so far in the decades old code-base. Out today is X.Org Server 1.20.3 to fix a new CVE issued for X.Org Server 1.19 and newer.

In X.Org Server 1.19 through X.Org Server 1.20.2 there was incorrect command-line parameter validation that could lead to privilege escalation and files being arbitrarily overwritten.

When the X.Org Server was running with escalated privileges, the -modulepath argument could be used to load unprivileged code to be loaded into the privileged X.Org Server process from any path on the system.

The other related vulnerability is that the -logfile argument could be used to overwrite arbitrary files on the file-system from the privileged process.

The fix is simply disabling support for these command-line arguments when running with escalated privileges.

This issue was assigned as CVE-2018-14665 and is now addressed by the new X.Org Server 1.20.3 update. Red Hat's Adam Jackson took the time to codename this immediate security release as "Harissa Roasted Carrots." X.Org Server 1.21 is the next big feature release in development that will likely see the light of day in 2019, hopefully with more security improvements.

About The Author
Author picture

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 10,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter or contacted via MichaelLarabel.com.

Related X.Org News
Popular News This Week