X.Org security advisory, June 20th, 2006

Setuid return value check problems on Linux systems

Overview

Lack of checks for setuid() failures in privileged processes (the X server, xdm, and xterm if it is installed setuid or setgid) may cause the process to execute certain privileged operations (file access) as root when it was intended to run with a less privileged effective uid, on systems where a setuid() call made by root can fail. A malicious local user can use this to overwrite files and possibly elevate privileges.

Vulnerability details

On Linux 2.6 kernels, setuid(user_uid) can fail even when called by a root process. The reason is the maximum-processes "ulimit" (RLIMIT_NPROC), which is honoured by setuid(), seteuid() and the other set*uid() calls: if the target user is already at its process limit, the call fails (with EAGAIN) and the process keeps its root credentials. A program that does not check the return value and simply continues has not dropped privilege and is still running as root. Since the kernel sets a maximum-processes limit by default, every Linux 2.6 system is affected by default.

Affected versions

X.Org versions 6.7.0 to 7.1 are vulnerable on systems where setuid() called by root may fail. Older X11R6 versions are probably affected too.
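The unchecked pattern the advisory describes, next to a privilege-drop helper that checks every return value and then verifies the resulting credentials. This is an added C example, not code from the advisory or from the X.Org patches; the function names and the sample path are this example's own.

```c
/*
 * Added example (not from the X.Org advisory or its patches): the unchecked
 * setuid() pattern the advisory describes, beside a privilege drop that checks
 * each call and verifies the result. Function names are this example's own.
 */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Vulnerable pattern: the return value of setuid() is ignored. If the target
 * user is at its RLIMIT_NPROC limit, setuid() fails with EAGAIN on Linux 2.6
 * and the file is created with euid 0, exactly the bug the advisory fixes.
 * Returns 1 if the file operation ran with root privileges, 0 otherwise. */
int create_file_unchecked(uid_t uid, const char *path)
{
    setuid(uid);                      /* may fail silently */
    int ran_as_root = (geteuid() == 0);
    FILE *f = fopen(path, "w");       /* possibly done as root */
    if (f)
        fclose(f);
    return ran_as_root;
}

/* Hardened pattern: drop supplementary groups and the gid first (after the
 * uid change it is too late), then the uid, check every result, and confirm
 * the credentials actually changed. Returns 0 on success, -1 on failure; the
 * caller must treat -1 as fatal and must not continue with the operation. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* setgroups() needs root; skip it when we are already unprivileged. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) {
        fprintf(stderr, "setgroups: %s\n", strerror(errno));
        return -1;
    }
    if (setgid(gid) != 0) {
        fprintf(stderr, "setgid(%u): %s\n", (unsigned)gid, strerror(errno));
        return -1;
    }
    if (setuid(uid) != 0) {
        /* EAGAIN here is the RLIMIT_NPROC case from the advisory. */
        fprintf(stderr, "setuid(%u): %s\n", (unsigned)uid, strerror(errno));
        return -1;
    }
    /* Belt and braces: a drop that "succeeded" must be visible in all ids. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        fprintf(stderr, "credential check failed after setuid/setgid\n");
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Stand-alone demo: drop to our own ids (always allowed) and report. */
    if (drop_privileges(getuid(), getgid()) != 0)
        return 1;
    printf("running as uid %u, euid %u\n", (unsigned)getuid(), (unsigned)geteuid());
    return 0;
}
```

The second check after setuid() is deliberate: the kernel may report success for some set*uid() variants while the saved or effective id is not what the program expects, so verifying with getuid()/geteuid() before touching any file is the cheap guard the affected X.Org programs lacked.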
Fix

Apply one of the following patches:

X.Org 6.8.2
  MD5  (xorg-68x-setuid.patch) = 0ce4435659d13cb75e409e92639f22eb
  SHA1 (xorg-68x-setuid.patch) = d00815d19152da84de6677fcae04e6d96ee5db70

X.Org 6.9.0
  MD5  (x11r6.9.0-setuid.diff) = 8e95fc06109d44ac280431d9cd8b41c9
  SHA1 (x11r6.9.0-setuid.diff) = e576d725dd5f8d6c70df4b024adeecc5f7f90dc6

libX11-1.0.1
  MD5  (libX11-1.0.1-setuid.diff) = 4b14554b64e4a8b1ec3c2b85cb5199b6
  SHA1 (libX11-1.0.1-setuid.diff) = 6e2b6a43d394a474b8b731abb8d811625845421c

xtrans-1.0.0
  MD5  (xtrans-1.0.0-setuid.diff) = a3704e53fae7249379d842f6e626423a
  SHA1 (xtrans-1.0.0-setuid.diff) = 82b913fe5ec96fd55afb8356ae338b90ed0f179b

xserver-1.1.0
  MD5  (xorg-xserver-1.1.0-setuid.diff) = 68ded06d2943868ebdadf624946137be
  SHA1 (xorg-xserver-1.1.0-setuid.diff) = 988d43b6ad2fe418b9cc65357031ca69e66f0a72

xdm-1.0.4
  MD5  (xdm-1.0.4-setuid.diff) = 59c512bb92ff5d7b06a9fc45098eb52f
  SHA1 (xdm-1.0.4-setuid.diff) = 698487d45d01ca6fc7bd8c83d1d0591dd5438e7b

xf86dga-1.0.1
  MD5  (xf86dga-1.0.1-setuid.diff) = 2a07eebe5796a86f307f9c1a3d0a2fa0
  SHA1 (xf86dga-1.0.1-setuid.diff) = 4f184e186b280792878ec9118181067de7339f96

xinit-1.0.2
  MD5  (xinit-1.0.2-setuid.diff) = cea3907782102210833fae4cd0bc146c
  SHA1 (xinit-1.0.2-setuid.diff) = d4004a33f50baea12f5a65063f67bdf3a198ae04

xload-1.0.1
  MD5  (xload-1.0.1-setuid.diff) = 9813ecc6d82157d1e5d19cf265af6ff9
  SHA1 (xload-1.0.1-setuid.diff) = b14a6f911c2043052aa5006f3146fc5534705c2f

Thanks

This class of setuid() problems was first discovered by Roman Veretelnikov in Vixie cron. Dirk Mueller and Marcus Meissner provided a detailed analysis of the issue affecting the X.Org source.