Date:      Sat, 31 May 1997 11:33:02 +1000
From:      David Dawes <dawes@rf900.physics.usyd.edu.au>
To:        Eivind Eklund <perhaps@yes.no>
Cc:        security@FreeBSD.ORG, rich@FreeBSD.ORG
Subject:   Re: X libraries
Message-ID:  <19970531113302.04820@rf900.physics.usyd.edu.au>
In-Reply-To: <199705301538.RAA08714@bitbox.follo.net>; from Eivind Eklund on Fri, May 30, 1997 at 05:38:02PM +0200
References:  <199705301538.RAA08714@bitbox.follo.net>

On Fri, May 30, 1997 at 05:38:02PM +0200, Eivind Eklund wrote:
>
>There is presently at least one hole in the X11 libraries (a buffer
>overflow) being passed around in hacker circles.  This buffer overrun
>makes it possible to exploit any setuid program for X11 (e.g. xterm)
>user set to; xterm (and others) give root.

>Hopefully XFree will provide replacement libraries soon; if not, I'll
>try to do it, but I'm not presently equipped to compile new libraries
>for all FreeBSD versions.  (The XFree liaison is Cc:'ed - can you
>comment on this, Rich?)

XFree86 is aware of two Xlib buffer overflows which are present in
the base X11R6.3 code.  One is related to the -xrm command line flag,
and the other is related to the locale-related environment variables.
Xterm built from XFree86 3.1.2 and later source happens to be immune
from the first problem because it runs the vulnerable code with the
euid == ruid.  It may be open to the second problem however, although
the impact of the second problem on OSs with a working setlocale(3) isn't
so clear (to me).  It is definitely a problem on Linux where Xlib doesn't
use the OS's setlocale(3).

We have fixes for both of these problems, and they will be included in
our 3.3 release, which should be available some time in the next week.
We'll be providing binary distributions for FreeBSD 2.1.7, 2.2.x, and
3.0-CURRENT (using the 970520-SNAP).

If you know of any other Xlib (or other) vulnerabilities, please let me
know *now* (send details to XFree86@XFree86.org) so that we can attempt
to have them fixed in 3.3.  We close off 3.3 completely in a day or two.

David
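The mitigation David describes (xterm running the vulnerable parsing with euid == ruid) as an added illustration in C; this is not XFree86 or xterm code, the parser is a hypothetical stand-in for Xlib's handling of -xrm and the locale, and LOCALE_MAX is an assumed bound:

```c
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#define LOCALE_MAX 32    /* illustrative bound for a locale name */
static uid_t saved_euid; /* privileged euid (0 for a setuid-root binary) */

/* Drop to the real uid before argv or the environment is parsed, so an
 * overflow in that code runs with only the invoking user's privilege. */
int drop_privs_for_parse(void)
{
    saved_euid = geteuid();
    if (seteuid(getuid()) != 0) return -1;
    return geteuid() == getuid() ? 0 : -1;   /* confirm the drop took effect */
}

/* Stand-in for the library code consuming -xrm and the locale (hypothetical,
 * not Xlib's parser): refuses to run privileged and copies with a bound. */
int parse_untrusted(int argc, char **argv, const char *lang,
                    char *out, size_t outlen)
{
    if (geteuid() != getuid() || lang == NULL)
        return -1;                           /* never parse as root */
    if (strlen(lang) >= LOCALE_MAX)
        return -2;                           /* oversized locale rejected */
    for (int i = 1; i + 1 < argc; i++) {
        if (strcmp(argv[i], "-xrm") == 0) {
            if (strlen(argv[i + 1]) >= outlen)
                return -3;                   /* reject rather than overflow */
            strcpy(out, argv[i + 1]);        /* safe: length checked above */
        }
    }
    return 0;
}

/* Re-acquire the saved euid only around the one step that needs it. */
int with_privs(int (*op)(void))
{
    if (seteuid(saved_euid) != 0) return -1;
    int rc = op();
    return seteuid(getuid()) == 0 ? rc : -1; /* drop again immediately */
}
int privileged_op(void) { return geteuid() == saved_euid ? 0 : -1; }

/* Give the privilege up for good before any exec: with the euid restored
 * first, setuid() resets real, effective and saved uids together. */
int drop_privs_permanently(void)
{
    if (seteuid(saved_euid) != 0 || setuid(getuid()) != 0) return -1;
    return (saved_euid != getuid() && seteuid(saved_euid) == 0) ? -1 : 0;
}
```

Run unprivileged, the real and effective uids already match, so the calls succeed trivially; the ordering is what matters when the binary is setuid-root.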



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19970531113302.04820>