From owner-freebsd-security  Sun Jun  1 23:50:26 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id XAA02148 for security-outgoing; Sun, 1 Jun 1997 23:50:26 -0700 (PDT)
Received: from rf900.physics.usyd.edu.au (rf900.physics.usyd.edu.au [129.78.129.109]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id XAA02138; Sun, 1 Jun 1997 23:50:09 -0700 (PDT)
Received: (from dawes@localhost) by rf900.physics.usyd.edu.au (8.8.5/8.8.2) id QAA28428; Mon, 2 Jun 1997 16:49:46 +1000 (EST)
Message-ID: <19970602164945.36050@rf900.physics.usyd.edu.au>
Date: Mon, 2 Jun 1997 16:49:45 +1000
From: David Dawes
To: Eivind Eklund
Cc: security@FreeBSD.ORG, rich@FreeBSD.ORG
Subject: Re: X libraries
References: <199705301538.RAA08714@bitbox.follo.net> <19970531113302.04820@rf900.physics.usyd.edu.au> <199706020628.IAA18656@bitbox.follo.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.69
In-Reply-To: <199706020628.IAA18656@bitbox.follo.net>; from Eivind Eklund on Mon, Jun 02, 1997 at 08:28:01AM +0200
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, Jun 02, 1997 at 08:28:01AM +0200, Eivind Eklund wrote:
>> XFree86 is aware of two Xlib buffer overflows which are present in
>> the base X11R6.3 code. One is related to the -xrm command line flag,
>> and the other is related to the locale-related environment variables.
>> Xterm built from XFree86 3.1.2 and later source happens to be immune
>> from the first problem because it runs the vulnerable code with the
>> euid == ruid.
>
>How this helps against a buffer overflow is unclear to me. You'd just
>need to do setuid(0) as a syscall in the shellcode to bypass it,
>wouldn't you?

That's right. I suppose what I should have said is the standard exploit
scripts don't result in a root shell. With a little more effort, it is
still vulnerable.

>> We have fixes for both of these problems, and they will be included in
>> our 3.3 release, which should be available some time in the next week.
>> We'll be providing binary distributions for FreeBSD 2.1.7, 2.2.x, and
>> 3.0-CURRENT (using the 970520-SNAP).
>>
>> If you know of any other Xlib (or other) vulnerabilities, please let me
>> know *now* (send details to XFree86@XFree86.org) so that we can attempt
>> to have them fixed in 3.3. We close off 3.3 completely in a day or two.
>
>I know of no more. One question, though: Will it be possible to get a
>secure 3.2(a) by replacing just the relevant libraries with the ones
>from 3.3? (Doing a full new X install is somewhat more of an
>operation than just surgically replacing libraries. Would be nice if
>people could do that - increase user confidence etc)

Yes, that is possible. The minor version number of some libraries
changed between 3.2 and 3.2A because of the change from R6.1 to R6.3,
but that shouldn't be a problem.

David
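The exchange above turns on the difference between a temporary and a permanent privilege drop in a setuid-root program: running the risky code with euid == ruid (a seteuid() to the real uid) still leaves the saved set-user-ID at 0, so the process can become root again, which is why it is no defence against an overflow in that code. The C program below, an added example that is not part of the original message, of xterm or of XFree86, contrasts that temporary drop with a permanent one using setresuid() and self-checks each by trying to regain euid 0 in a forked child. The unprivileged uid 65534 it falls back to when run as root is a constructed placeholder, and setresuid()/getresuid() are assumed to be available (they are on FreeBSD 3.0 and later and on Linux; on older systems setuid(getuid()) from an effective uid of 0 has the same all-three-uids effect).

```c
#define _GNU_SOURCE          /* exposes setresuid()/getresuid() on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Explicit prototypes so the example also builds when the feature macro
 * above is not the first thing the compiler sees; they match libc's. */
extern int setresuid(uid_t ruid, uid_t euid, uid_t suid);
extern int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);

/* Constructed placeholder: an unprivileged uid used only when the demo
 * itself happens to run as root, so that there is something to drop to. */
#define DEMO_UNPRIV_UID ((uid_t)65534)

static uid_t target_uid(void)
{
    uid_t ruid = getuid();
    return ruid == 0 ? DEMO_UNPRIV_UID : ruid;
}

/* "Temporary" drop of the kind the thread describes (euid == ruid):
 * only the effective uid changes; the saved set-user-ID keeps its
 * original value, so a later seteuid(0) is still permitted. */
int drop_temporarily(uid_t uid)
{
    return seteuid(uid);
}

/* Permanent drop: real, effective and saved uids all become the target,
 * so no privileged uid remains to return to.  Verified via getresuid(). */
int drop_permanently(uid_t uid)
{
    uid_t r, e, s;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    return (r == uid && e == uid && s == uid) ? 0 : -1;
}

/* Performs the chosen drop in a child process and reports whether that
 * child could still obtain euid 0 afterwards.
 * Returns 1 = root regainable, 0 = not regainable, -1 = error. */
int root_regainable_after(int permanent)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        uid_t uid = target_uid();
        int rc = permanent ? drop_permanently(uid) : drop_temporarily(uid);
        if (rc != 0)
            _exit(2);
        /* Self-test: is an effective uid of 0 still reachable? */
        _exit(seteuid(0) == 0 ? 1 : 0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 2 ? -1 : code;
}

int main(void)
{
    /* Run as an ordinary user both lines show 0; run setuid-root or as
     * root the temporary drop shows 1 and only the permanent drop shows 0. */
    printf("temporary drop (seteuid):   root regainable = %d\n",
           root_regainable_after(0));
    printf("permanent drop (setresuid): root regainable = %d\n",
           root_regainable_after(1));
    return 0;
}
```

The point for a setuid program that must run untrusted-input code (option parsing such as -xrm, locale setup) is that a drop which can be undone from inside the same process protects nothing once control flow is hijacked; either drop permanently before that code runs, or keep the privileged work in a separate process.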