From owner-freebsd-security  Tue Apr 15 10:27:01 1997
Return-Path: <owner-security>
Received: (from root@localhost)
          by freefall.freebsd.org (8.8.5/8.8.5) id KAA22954
          for security-outgoing; Tue, 15 Apr 1997 10:27:01 -0700 (PDT)
Received: from dira.bris.ac.uk (dira.bris.ac.uk [137.222.10.41])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id KAA22913
          for <freebsd-security@freebsd.org>; Tue, 15 Apr 1997 10:26:42 -0700 (PDT)
Received: from kukini.cs.bris.ac.uk by dira.bris.ac.uk with SMTP (PP);
          Tue, 15 Apr 1997 18:25:02 +0100
Received: from maxx by kukini.compsci.bristol.ac.uk id aa28834;
          15 Apr 97 17:24 GMT
Received: from localhost by maxx.cs.bris.ac.uk (SMI-8.6/SMI-SVR4)	id SAA02395;
          Tue, 15 Apr 1997 18:25:24 +0100
To: freebsd-security@freebsd.org
Subject: xlock problem
X-Address: Computer Science Dept., University of Bristol, Bristol, U.K.
X-Work-Phone: +44 (117) 954 5106
X-Attribution: Dave
Date: Tue, 15 Apr 1997 18:25:24 +0100
Message-ID: <2394.861125124@maxx>
From: David Hedley <hedley@cs.bris.ac.uk>
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk


Hi there,

Just a quick note to say that you should upgrade the version of xlock
you are distributing with 2.2.1 and 2.1.7 to xlockmore-4.01 as previous
versions have several exploitable buffer overflows which allow root
access.

To see if you are vulnerable do the following:

xlock -name xxxxxxxxxxx << insert at least 1000 x's here)

If xlock segmentation faults, then it is vulnerable. To fix,
chmod u-s /usr/X11R6/bin/xlock  and download and install version 4.01
(available from ftp.x.org:/contrib)

Cheers,

David
--
 David Hedley (hedley@cs.bris.ac.uk)
 finger hedley@cs.bris.ac.uk for PGP key
 Computer Graphics Group | University of Bristol | UK