Vulnerability Note VU#837857

The X.Org server program provides several command-line options that are meant to be parsed only when the program is running as root. These include -modulepath, which specifies the location from which to load modules providing server functionality, and -logfile, which specifies the location of the server log file. Normally, these options cannot be changed by unprivileged users.

A flaw exists in the way that the server enforces this restriction because it evaluates the address of the geteuid function instead of the result of executing the function (i.e., "geteuid" versus "geteuid()"). This test is flawed because the address of geteuid is guaranteed to be nonzero. As a result, an unprivileged user can load modules from any location on the file system with root privileges or overwrite critical system files with the server log.

If the X.Org server program is setuid to root, as is typically the case, an authenticated local attacker can execute code or overwrite system files with administrative privileges on an affected system.

Apply a patch from the vendor

Patches have been released to address this issue. Users should consult the Systems Affected section of this document for information about specific vendors.

Users who compile the X.Org server from source code or obtain binary releases directly from X.Org are encouraged to take the actions specified in the corresponding X.Org Security Advisory.