Date: Mon, 4 May 1998 12:40:07 -0400 (EDT)
From: Charles Sprickman
To: freebsd-security@FreeBSD.ORG
Subject: Re: TOG and xterm problem (fwd)

Just an FYI, the updates are available in binary form:

ftp://ftp.xfree86.org/pub/XFree86/3.3.2/binaries/FreeBSD-2.2.x/X3321upd.tgz

Charles

~~~~~~~~~ ~~~~~~~~~~~
Charles Sprickman Internet Channel
INCH System Administration Team (212)243-5200
spork@inch.com access@inch.com

---------- Forwarded message ----------
Date: Sun, 3 May 1998 23:55:24 -0700
From: Trevor Johnson
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: TOG and xterm problem

seen on www.xfree86.org:

[3 May 1998] The Open Group recently released a security advisory concerning vulnerabilities in the xterm program and in the Xaw (Athena Widget) library. These particular problems are associated with buffer overflows in the code that processes the inputMethod and preeditType resources in both xterm and the Xaw library, and the *Keymap resources in xterm. The Xaw problems affect any setuid-root binaries that use the Xaw library (including xterm). The inputMethod and preeditType problems affect all releases of XFree86 from 3.0 to 3.3.2 (inclusive). The *Keymap problem affects all releases of XFree86 up to and including 3.3.2.

The Open Group's fixes for these problems are currently available only to its members (XFree86 is not a member). XFree86 is independently releasing its own fixes for these problems. A source patch [1] is available now. Updated binaries for some OSs are also available now, and others will be available soon. The updated binaries can be found in the X3321upd.tgz files in the appropriate subdirectories of the XFree86 3.3.2 binaries directory [2]. Information about installing the updated binaries can be found in an updated version of the XFree86 3.3.2 Release Notes [3]. Note that it is important to follow the instructions in those notes carefully, and that both the updated xterm program and Xaw library must be installed to fix the problem with xterm. Also, the X332bin.tgz and X332lib.tgz files in the XFree86 3.3.2 binaries subdirectories still contain the original buggy versions. When doing a new XFree86 3.3.2 installation it is important to extract the X3321upd.tgz after extracting the others.

[1] ftp://ftp.xfree86.org/pub/XFree86/3.3.2/fixes/3.3.2-patch1
[2] ftp://ftp.xfree86.org/pub/XFree86/3.3.2/binaries
[3] http://www.xfree86.org/3.3.2/RELNOTES.html

___
Trevor Johnson