[xorg-x11-drv-intel] Fix a security issue in the backlight helper (CVE-2014-4910)

Hans de Goede jwrdegoede at fedoraproject.org
Fri Jul 11 09:06:38 UTC 2014


commit 153ecb4519d2e8ad7da918595b3c20aa01b07060
Author: Hans de Goede <hdegoede at redhat.com>
Date:   Fri Jul 11 11:06:54 2014 +0200

    Fix a security issue in the backlight helper (CVE-2014-4910)

 ...ix-security-issues-in-handling-of-the-int.patch |   42 ++++++++++++++++++++
 xorg-x11-drv-intel.spec                            |    7 +++-
 2 files changed, 48 insertions(+), 1 deletions(-)
---
diff --git a/0001-backlight-Fix-security-issues-in-handling-of-the-int.patch b/0001-backlight-Fix-security-issues-in-handling-of-the-int.patch
new file mode 100644
index 0000000..2df5327
--- /dev/null
+++ b/0001-backlight-Fix-security-issues-in-handling-of-the-int.patch
@@ -0,0 +1,42 @@
+From 8fa22964f69d3ec8700f177dd7cb3cbc396a9f35 Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu at herrb.eu>
+Date: Fri, 4 Jul 2014 18:26:09 +0200
+Subject: [PATCH 1/4] backlight: Fix security issues in handling of the
+ interface path name.
+
+- don't allow '/' in the interface name to avoid escaping the /sys
+  hierarchy
+- check snprintf() return value for overflow.
+
+Problems reported by  Adam Sampson. Thanks.
+
+Signed-off-by: Matthieu Herrb <matthieu at herrb.eu>
+Reviewed-by: Reviewed-by: Hans de Goede <hdegoede at redhat.com>
+---
+ tools/backlight_helper.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/tools/backlight_helper.c b/tools/backlight_helper.c
+index 11abebc..24958ec 100644
+--- a/tools/backlight_helper.c
++++ b/tools/backlight_helper.c
+@@ -17,7 +17,15 @@ int main(int argc, char *argv[])
+ 		return 1;
+ 	}
+ 
+-	snprintf(buf, sizeof(buf), "/sys/class/backlight/%s/brightness", argv[1]);
++	if (strchr(argv[1], '/') != NULL) {
++		fprintf(stderr, "Invalid interface name\n");
++		return 1;
++	}
++	if (snprintf(buf, sizeof(buf), "/sys/class/backlight/%s/brightness",
++		argv[1]) >= sizeof(buf)) {
++		fprintf(stderr, "Interface name is too long\n");
++		return 1;
++	}
+ 	fd = open(buf, O_RDWR);
+ 	if (fd < 0 || fstat(fd, &st) || major(st.st_dev)) {
+ 		fprintf(stderr, "Cannot access backlight interface '%s'\n", argv[1]);
+-- 
+2.0.0
+
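Review bot: The strchr(argv[1], '/') check added ahead of the snprintf() call still accepts "." and ".." as the interface name, so ".." builds "/sys/class/backlight/../brightness", a path one directory above the backlight class. The fstat()/major(st.st_dev) test in the context below still runs on whatever gets opened, but rejecting names that start with '.' (or accepting only a fixed set of characters) would state the intent directly. The comparison of the snprintf() return value with sizeof(buf) mixes int and size_t: a negative return converts to a large unsigned value and is reported as "Interface name is too long", which fails safe but would be flagged by -Wsign-compare; storing the result in an int and testing len < 0 || (size_t)len >= sizeof(buf) reads more clearly. The patch touches only this one location (9 insertions, 1 deletion), so confirm that <string.h> is already included for strchr().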
diff --git a/xorg-x11-drv-intel.spec b/xorg-x11-drv-intel.spec
index bc36144..615874d 100644
--- a/xorg-x11-drv-intel.spec
+++ b/xorg-x11-drv-intel.spec
@@ -26,7 +26,7 @@
 Summary:   Xorg X11 Intel video driver
 Name:      xorg-x11-drv-intel
 Version:   2.99.912
-Release:   4%{?gitrev}%{?dist}
+Release:   5%{?gitrev}%{?dist}
 URL:       http://www.x.org
 License:   MIT
 Group:     User Interface/X Hardware Support
@@ -39,6 +39,7 @@ Source0:    http://xorg.freedesktop.org/archive/individual/driver/xf86-video-int
 Source1:    make-intel-gpu-tools-snapshot.sh
 Source3:    http://xorg.freedesktop.org/archive/individual/app/intel-gpu-tools-%{gputoolsver}.tar.bz2
 Source4:    make-git-snapshot.sh
+Patch1:     0001-backlight-Fix-security-issues-in-handling-of-the-int.patch
 Patch2:     0002-backlight-Fix-compile-error.patch
 
 ExclusiveArch: %{ix86} x86_64 ia64
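Review bot: The new Patch1 line carries a patch whose Subject header reads "[PATCH 1/4]", yet only it and the existing Patch2 are listed here. A comment above Patch1 naming the upstream commit (8fa22964f69d3ec8700f177dd7cb3cbc396a9f35) and saying whether the remaining patches of the series are needed for CVE-2014-4910 would save the next packager from having to work that out.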
@@ -87,6 +88,7 @@ Debugging tools for Intel graphics chips
 
 %prep
 %setup -q -n xf86-video-intel-%{?gitdate:%{gitdate}}%{!?gitdate:%{dirsuffix}} -b3
+%patch1 -p1
 %patch2 -p1
 
 %build
@@ -147,6 +149,9 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/libI*XvMC.so
 %{_mandir}/man1/intel_*.1*
 
 %changelog
+* Fri Jul 11 2014 Hans de Goede <hdegoede at redhat.com> - 2.99.912-5
+- Fix a security issue in the backlight helper (CVE-2014-4910)
+
 * Tue Jul  1 2014 Hans de Goede <hdegoede at redhat.com> - 2.99.912-4
 - Re-enable DRI3 support (the latest mesa fixes the gnome-shell hang)
 

