Date:      Mon, 2 Jun 1997 16:49:45 +1000
From:      David Dawes <dawes@rf900.physics.usyd.edu.au>
To:        Eivind Eklund <perhaps@yes.no>
Cc:        security@FreeBSD.ORG, rich@FreeBSD.ORG
Subject:   Re: X libraries
Message-ID:  <19970602164945.36050@rf900.physics.usyd.edu.au>
In-Reply-To: <199706020628.IAA18656@bitbox.follo.net>; from Eivind Eklund on Mon, Jun 02, 1997 at 08:28:01AM +0200
References:  <199705301538.RAA08714@bitbox.follo.net> <19970531113302.04820@rf900.physics.usyd.edu.au> <199706020628.IAA18656@bitbox.follo.net>

On Mon, Jun 02, 1997 at 08:28:01AM +0200, Eivind Eklund wrote:

>> XFree86 is aware of two Xlib buffer overflows which are present in
>> the base X11R6.3 code.  One is related to the -xrm command line flag,
>> and the other is related to the locale-related environment variables.
>> Xterm built from XFree86 3.1.2 and later source happens to be immune
>> from the first problem because it runs the vulnerable code with the
>> euid == ruid.
>
>How this helps against a buffer overflow is unclear to me.  You'd just
>need to do setuid(0) as a syscall in the shellcode to bypass it,
>wouldn't you?

That's right.  I suppose what I should have said is the standard exploit
scripts don't result in a root shell.  With a little more effort, it
is still vulnerable.

>> We have fixes for both of these problems, and they will be included in
>> our 3.3 release, which should be available some time in the next week.
>> We'll be providing binary distributions for FreeBSD 2.1.7, 2.2.x, and
>> 3.0-CURRENT (using the 970520-SNAP).
>> 
>> If you know of any other Xlib (or other) vulnerabilities, please let me
>> know *now* (send details to XFree86@XFree86.org) so that we can attempt
>> to have them fixed in 3.3.  We close off 3.3 completely in a day or two.
>
>I know of no more.  One question, though: Will it be possible to get a
>secure 3.2(a) by replacing just the relevant libraries with the ones
>from 3.3?  (Doing a full new X install is somewhat more of an
>operation than just surgically replacing libraries.  Would be nice if
>people could do that - increase user confidence etc)

Yes, that is possible.  The minor version number of some libraries
changed between 3.2 and 3.2A because of the change from R6.1 to R6.3,
but that shouldn't be a problem.

David
