X.Org Server 1.20.3 Released To Fix New Security Issue

Written by Michael Larabel in X.Org on 25 October 2018 at 11:08 AM EDT. 15 Comments
X.ORG
We've known that the X.Org Server security has been a "disaster" (according to security researchers) and while many bugs have been fixed in recent years, not all of the security bugs date back so far in the decades old code-base. Out today is X.Org Server 1.20.3 to fix a new CVE issued for X.Org Server 1.19 and newer.

In X.Org Server 1.19 through X.Org Server 1.20.2 there was incorrect command-line parameter validation that could lead to privilege escalation and files being arbitrarily overwritten.

When the X.Org Server was running with escalated privileges, the -modulepath argument could be used to load unprivileged code to be loaded into the privileged X.Org Server process from any path on the system.

The other related vulnerability is that the -logfile argument could be used to overwrite arbitrary files on the file-system from the privileged process.

The fix is simply disabling support for these command-line arguments when running with escalated privileges.

This issue was assigned as CVE-2018-14665 and is now addressed by the new X.Org Server 1.20.3 update. Red Hat's Adam Jackson took the time to codename this immediate security release as "Harissa Roasted Carrots." X.Org Server 1.21 is the next big feature release in development that will likely see the light of day in 2019, hopefully with more security improvements.
15 Comments
Related News
X.Org Server Change Allows GLAMOR To Fallback To Software Rendering For Obsolete GPUs
Explicit GPU Synchronization Merged For XWayland
X.Org Server & XWayland Hit By Four More Security Issues
The X.Org Foundation Needs More Candidates To Hold An Election
X.Org Server Clears Out Remnants For Supporting Old Compilers
X.Org Server & XWayland Updated Due To Another Six Security Vulnerabilities
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
Rust-Written LAVD Kernel Scheduler Shows Promising Results For Linux Gaming
Former Nouveau Lead Developer Joins NVIDIA, Continues Working On Open-Source Driver
Fedora Linux 40 Cleared For Release Next Week
Mozilla Finally Begins Offering Firefox ARM64 Linux Binaries
Ubuntu 24.04 Supports Easy Installation Of OpenZFS Root File-System With Encryption
AMD: "Additional Parts Of The Radeon Stack To Be Open Sourced Throughout The Year"
openSUSE Factory Achieves Bit-By-Bit Reproducible Builds
Linux 6.10 Preps A Kernel Panic Screen - Sort Of A "Blue Screen of Death"