From owner-freebsd-security Fri May 30 18:33:28 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id SAA20659 for security-outgoing; Fri, 30 May 1997 18:33:28 -0700 (PDT)
Received: from rf900.physics.usyd.edu.au (rf900.physics.usyd.edu.au [129.78.129.109]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id SAA20635; Fri, 30 May 1997 18:33:22 -0700 (PDT)
Received: (from dawes@localhost) by rf900.physics.usyd.edu.au (8.8.5/8.8.2) id LAA26863; Sat, 31 May 1997 11:33:02 +1000 (EST)
Message-ID: <19970531113302.04820@rf900.physics.usyd.edu.au>
Date: Sat, 31 May 1997 11:33:02 +1000
From: David Dawes
To: Eivind Eklund
Cc: security@FreeBSD.ORG, rich@FreeBSD.ORG
Subject: Re: X libraries
References: <199705301538.RAA08714@bitbox.follo.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.69
In-Reply-To: <199705301538.RAA08714@bitbox.follo.net>; from Eivind Eklund on Fri, May 30, 1997 at 05:38:02PM +0200
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Fri, May 30, 1997 at 05:38:02PM +0200, Eivind Eklund wrote:
>
> There is presently at least one hole in the X11 libraries (a buffer
> overflow) being passed around in hacker circles. This buffer overrun
> makes it possible to exploit any setuid program for X11 (e.g. xterm)
> user set to; xterm (and others) give root.
> Hopefully XFree will provide replacement libraries soon; if not, I'll
> try to do it, but I'm not presently equipped to compile new libraries
> for all FreeBSD versions. (The XFree liaison is Cc:'ed - can you
> comment on this, Rich?)

XFree86 is aware of two Xlib buffer overflows which are present in the
base X11R6.3 code. One is related to the -xrm command line flag, and
the other is related to the locale-related environment variables.

Xterm built from XFree86 3.1.2 and later source happens to be immune
from the first problem because it runs the vulnerable code with the
euid == ruid. It may be open to the second problem however, although
the impact of the second problem on OSs with a working setlocale(3)
isn't so clear (to me). It is definitely a problem on Linux where Xlib
doesn't use the OS's setlocale(3).

We have fixes for both of these problems, and they will be included in
our 3.3 release, which should be available some time in the next week.
We'll be providing binary distributions for FreeBSD 2.1.7, 2.2.x, and
3.0-CURRENT (using the 970520-SNAP).

If you know of any other Xlib (or other) vulnerabilities, please let me
know *now* (send details to XFree86@XFree86.org) so that we can attempt
to have them fixed in 3.3. We close off 3.3 completely in a day or two.

David
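The two defensive points in the reply, handling a locale-style environment value with a bounded copy and running untrusted parsing with euid == ruid as xterm does, as an added C example that is not XFree86 or xterm code; the buffer size and function names are assumptions.

```c
#define _POSIX_C_SOURCE 200112L
#include <string.h>
#include <unistd.h>

#define LOCALE_NAME_MAX 64  /* hypothetical fixed-size buffer of the kind Xlib-style code uses */

/* Bounded copy of an untrusted value (e.g. the contents of LANG or LC_ALL) into a
 * fixed buffer.  Returns 0 on success, -1 if the value does not fit: an over-long
 * environment value is rejected instead of overrunning the buffer. */
int copy_locale_name(const char *src, char *dst, size_t dstlen)
{
    if (src == NULL || dst == NULL || dstlen == 0)
        return -1;
    const char *end = memchr(src, '\0', dstlen);  /* never scans past dstlen bytes */
    if (end == NULL)                              /* no terminator within dstlen */
        return -1;
    memcpy(dst, src, (size_t)(end - src) + 1);    /* includes the terminator */
    return 0;
}

/* Run a parser over untrusted input with the effective uid lowered to the real uid
 * (euid == ruid), then restore it.  This is the property the mail credits with
 * making xterm immune to the -xrm overflow: a bug hit while the process is
 * unprivileged cannot hand out the setuid owner's privileges.
 * Returns the parser's result, or -1 if privileges could not be dropped/restored. */
int parse_unprivileged(int (*parser)(const char *, char *, size_t),
                       const char *input, char *out, size_t outlen)
{
    uid_t ruid = getuid(), euid = geteuid();
    if (seteuid(ruid) != 0 || geteuid() != ruid)  /* verify the drop actually took */
        return -1;
    int rc = parser(input, out, outlen);
    if (seteuid(euid) != 0)  /* the saved set-user-ID lets a setuid program regain euid */
        return -1;
    return rc;
}

/* Self-check on constructed inputs; returns 1 when both functions behave as described. */
int self_check(void)
{
    char buf[LOCALE_NAME_MAX], big[LOCALE_NAME_MAX * 3];
    memset(big, 'A', sizeof big - 1);  /* constructed over-long value */
    big[sizeof big - 1] = '\0';
    if (copy_locale_name("en_US.ISO8859-1", buf, sizeof buf) != 0) return 0;
    if (strcmp(buf, "en_US.ISO8859-1") != 0) return 0;
    if (copy_locale_name(big, buf, sizeof buf) != -1) return 0;   /* must be rejected */
    if (parse_unprivileged(copy_locale_name, "C", buf, sizeof buf) != 0) return 0;
    return strcmp(buf, "C") == 0;
}
```

Run as an ordinary user the privilege drop is a no-op, so the check exercises the bounds logic; in a real setuid binary the parser would run with the invoking user's privileges.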