From owner-freebsd-security Sun Aug 25 21:53:47 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id VAA17745 for security-outgoing; Sun, 25 Aug 1996 21:53:47 -0700 (PDT)
Received: from mexico.brainstorm.eu.org (root@mexico.brainstorm.eu.org [193.56.58.253]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id VAA17731 for ; Sun, 25 Aug 1996 21:53:43 -0700 (PDT)
Received: from brasil.brainstorm.eu.org (brasil.brainstorm.eu.org [193.56.58.33]) by mexico.brainstorm.eu.org (8.7.5/8.7.3) with ESMTP id GAA09249 for ; Mon, 26 Aug 1996 06:53:40 +0200
Received: (from uucp@localhost) by brasil.brainstorm.eu.org (8.6.12/8.6.12) with UUCP id GAA15474 for security@freebsd.org; Mon, 26 Aug 1996 06:53:27 +0200
Received: (from roberto@localhost) by keltia.freenix.fr (8.8.Alpha.9/keltia-uucp-2.9) id GAA03303; Mon, 26 Aug 1996 06:42:31 +0200 (MET DST)
Message-Id: <199608260442.GAA03303@keltia.freenix.fr>
Date: Mon, 26 Aug 1996 06:42:31 +0200
From: roberto@keltia.freenix.fr (Ollivier Robert)
To: security@freebsd.org
Subject: Re: Vulnerability in the Xt library (fwd)
In-Reply-To: <199608260207.WAA11517@irbs.irbs.com>; from John Capo on Aug 25, 1996 22:07:49 -0400
References: <199608260207.WAA11517@irbs.irbs.com>
X-Mailer: Mutt 0.41
Mime-Version: 1.0
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

According to John Capo:
> Stefan `Sec` Zehl writes:
> > I can confirm this for Freebsd 2.2-Current, it gives me a euid=0 /bin/sh
> I can also. The xterm cores on -stable though.

I sent a patch and a portable version of snprintf to both the X consortium and Xfree86 yesterday. It will be in 3.1.2F.

If you have XFree sources on-line and are willing to recompile, apply the following patch in xc/lib/Xt:

--- Error.c.old Sun Aug 25 14:57:28 1996 +++ Error.c Sun Aug 25 14:47:14 1996 
@@ -238,5 +238,5 @@ (void) memmove((char*)par, (char*)params, i * sizeof(String) ); bzero( &par[i], (10-i) * sizeof(String) ); - (void) sprintf(message, buffer, par[0], par[1], par[2], par[3], + (void) snprintf(message, sizeof message, buffer, par[0], par[1], par[2], par[3], par[4], par[5], par[6], par[7], par[8], par[9]); XtError(message); @@ -263,5 +263,5 @@ (void) memmove((char*)par, (char*)params, i * sizeof(String) ); bzero ( &par[i], (10-i) * sizeof(String) ); - (void) sprintf(message, buffer, par[0], par[1], par[2], par[3], + (void) snprintf(message, sizeof message, buffer, par[0], par[1], par[2], par[3], par[4], par[5], par[6], par[7], par[8], par[9]); XtWarning(message); -- Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr FreeBSD keltia.freenix.fr 2.2-CURRENT #18: Sun Aug 18 19:16:52 MET DST 1996
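Review bot: in the first hunk (@@ -238, the `XtError` path), `sizeof message` is the correct bound only if `message` is declared as an array in this scope; the declaration is outside the hunk context, so confirm it is not a `char *`, where `sizeof` would give the pointer size and truncate every message to a few bytes. The result of `snprintf` is still cast to `(void)`, so a truncated message reaches `XtError` with no indication; checking the return value against `sizeof message` would make truncation visible. The diff also depends on `snprintf` being available: the message says a portable version was sent separately, but it is not part of this patch, so on a libc without `snprintf` the change will not link as posted.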