From owner-freebsd-security  Fri Oct 16 16:54:07 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id QAA18370
          for freebsd-security-outgoing; Fri, 16 Oct 1998 16:54:07 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from rf900.physics.usyd.edu.au (rf900.physics.usyd.edu.au [129.78.129.109])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA18265
          for <security@FreeBSD.ORG>; Fri, 16 Oct 1998 16:53:19 -0700 (PDT)
          (envelope-from dawes@rf900.physics.usyd.edu.au)
Received: (from dawes@localhost) by rf900.physics.usyd.edu.au (8.8.5/8.8.2) id JAA03369; Sat, 17 Oct 1998 09:52:45 +1000 (EST)
Message-ID: <19981017095244.E24991@rf900.physics.usyd.edu.au>
Date: Sat, 17 Oct 1998 09:52:44 +1000
From: David Dawes <dawes@rf900.physics.usyd.edu.au>
To: andrew@squiz.co.nz, security@FreeBSD.ORG
Subject: Re: X allows ordinary user to read first line of any file
References: <Pine.BSF.4.01.9810161756550.706-100000@aniwa.sky>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <Pine.BSF.4.01.9810161756550.706-100000@aniwa.sky>; from Andrew McNaughton on Fri, Oct 16, 1998 at 06:08:02PM +1300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Oct 16, 1998 at 06:08:02PM +1300, Andrew McNaughton wrote:
>
>found this on http://www.hoobie.net/security/exploits/
>
>joeuser@host$ X -config /etc/master.passwd
>Unrecognized option: root:yd0Rj.v.r1wKA:0:0::0:0:Charlie
>use: X [:<display>] [option]
>.
>.
>.
>
>I'm sure there's other files where this can be a problem, but in the case
>of the password file it seems wise to have a dummy entry as the first line
>of the master.passwd file.

To put this problem into perspective, if you're running an XFree86 server
with this bug, then it is old enough to have some much more serious security
problems.  That includes at least one that a local user can use to get
root.  That particular one only relies on the server running as root
and not on it being set-uid root.

Most of these bugs are not XFree86-specific, and will be present in any
server based closely enough on the X11R6.x releases that have the same bugs.

For details on the bugs found and fixed since XFree86 3.3.2 was released,
see the XFree86 security advisories at:

   ftp://ftp.xfree86.org/pub/XFree86/Security/

All of the problems mentioned there are fixed in XFree86 3.3.2.3.

David

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message