=============================================================================
XFree86-SA-1998:02 Security Advisory
The XFree86 Project, Inc.
Topic: Library vulnerabilities in Xlib, Xt, Xmu, and Xaw
Announced: 25 May 1998
Last Updated: 26 May 1998
Affects: All XFree86 versions up to and including 3.3.2
Corrected: XFree86 3.3.2 patch 2
XFree86 only: no
Patches: ftp://ftp.xfree86.org/pub/XFree86/3.3.2/fixes/3.3.2-patch2
=============================================================================
I. Background
Xlib, Xt, Xmu, and Xaw are libraries included as a part of the core
X Window System and are also included in every XFree86 release.
The XFree86 Project has developed a patch to XFree86 version 3.3.2
which fixes problems found by our team members. The patch also
includes an XPT public patch which was recently provided by The
Open Group for problems found in the Xt library.
II. Problem Description
Problems exist in the Xlib, Xt, Xmu, and Xaw libraries that
allow user supplied data to cause buffer overflows in programs
that use these libraries. The buffer overflows may be exploited
using either X resources or environment variables used by the
affected libraries. These buffer overflows are associated
with the use of fixed length character arrays for temporary storage
and processing of user supplied data. In many cases, the length of
this user supplied data is not checked to make sure that it will fit
in the provided fixed length array.
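The pattern described above, shown next to a length-checked form. This is an added example, not code from the XFree86 libraries or from the patch; the function names, the 64-byte buffer size and the EXAMPLE_RES_DIR variable are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 64   /* fixed-length temporary array (size chosen for the example) */

/* Unsafe pattern (kept for comparison, never called here): the length of the
 * user-supplied value is not compared with the size of buf before copying. */
int build_path_unchecked(const char *dir, const char *name, char *buf)
{
    strcpy(buf, dir);      /* writes past the end of buf when dir is too long */
    strcat(buf, "/");
    strcat(buf, name);
    return 0;
}

/* Checked form: input that does not fit is rejected rather than truncated,
 * so an over-long value never reaches the copy. */
int build_path_checked(const char *dir, const char *name,
                       char *buf, size_t buflen)
{
    size_t need;

    if (dir == NULL || name == NULL || buf == NULL || buflen == 0)
        return -1;
    need = strlen(dir) + 1 + strlen(name) + 1;   /* dir + '/' + name + NUL */
    if (need > buflen) {
        buf[0] = '\0';     /* leave a defined, empty result for the caller */
        return -1;
    }
    snprintf(buf, buflen, "%s/%s", dir, name);
    return 0;
}

int main(void)
{
    char buf[PATH_BUF];
    /* EXAMPLE_RES_DIR is a made-up variable standing in for user-supplied data. */
    const char *dir = getenv("EXAMPLE_RES_DIR");

    if (dir == NULL)
        dir = "/usr/X11R6/lib/X11/app-defaults";   /* sample default */
    if (build_path_checked(dir, "XTerm", buf, sizeof buf) != 0) {
        fprintf(stderr, "resource path too long, ignoring\n");
        return 1;
    }
    puts(buf);
    return 0;
}
```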
III. Impact
Exploiting these buffer overflows with programs installed setuid-root
that use any of these libraries can allow an unprivileged user to gain
root access to the system. These vulnerabilities can only be exploited
by individuals with access to the local system.
The only setuid-root program using these libraries that is supplied
as part of the standard XFree86 distributions is xterm. Other
distributions may include other such programs, including variants
of xterm.
IV. Workaround
The setuid-root programs affected by these problems can be made
safe by removing their setuid bit. This should be done for xterm
and any setuid-root program that uses the affected libraries:
        # chmod 0755 /usr/X11R6/bin/xterm
        # chmod 0755
Note that implementing this workaround may reduce the functionality
of the affected programs.
V. Solution
The XFree86 Project team has released fixes for these problems.
A source patch is available now at
ftp://ftp.xfree86.org/pub/XFree86/3.3.2/fixes/3.3.2-patch2.
Updated binaries for most OSs are also available. The updated
binaries can be found in the X3322upd.tgz files in the appropriate
subdirectories of the XFree86 3.3.2 binaries directory
(ftp://ftp.xfree86.org/pub/XFree86/3.3.2/binaries/). Information
about installing the updated binaries can be found in an updated
version of the XFree86 3.3.2 Release Notes. A text copy of this
can be found at ftp://ftp.xfree86.org/pub/XFree86/3.3.2/RELNOTES.
An on-line copy can be viewed at
http://www.xfree86.org/3.3.2/RELNOTES.html.
Note that it is important to follow the instructions in those notes
carefully. Also, the platform dependent files in the XFree86 3.3.2
binaries subdirectories still contain the original buggy versions.
When doing a new XFree86 3.3.2 installation it is important to extract
the X3322upd.tgz after extracting the others.
The X3322upd.tgz file is a complete replacement for the previously
released patch1 binary update file X3321upd.tgz. It is not necessary
to install the X3321upd.tgz file prior to installing X3322upd.tgz.
The 3.3.2-patch2 source patch file must be applied to the XFree86
3.3.2 base release after applying the previously released source
patch file 3.3.2-patch1.
VI. Checksums
The following is a list of MD5 digital signatures for the source patch,
release notes file and updated binaries.
Filename                        MD5 Digital Signature
----------------------------------------------------------------------
3.3.2-patch2                    ba4752cdab2f73e34020285043d51e14
RELNOTES                        914af5bee5003b973909403eccf7f180
FreeBSD-2.2.x/X3322upd.tgz      03e88a106ba0eaeabc3f8fd9f0c209e3
FreeBSD-3.0/X3322upd.tgz        82bdbaaf872914e0cd6e69c9e5e4e684
Interactive/X3322upd.tgz        a39839a4bc0d72a8fa181634fd253fa7
Linux-axp/X3322upd.tgz          d6604b63427758ccb690827d304215d4
Linux-ix86-glibc/X3322upd.tgz   e94a88e2b4bcd70d7330b3c034232e6c
Linux-ix86/X3322upd.tgz         d3f0bbad2eba045e8ccd28e8d4bcb95e
LynxOS/X3322upd.tgz             0e094ddc01ec09df8c18944a4bf4ca33
NetBSD-1.2/X3322upd.tgz         e97059d4af700d2cfab642ba966a7071
NetBSD-1.3/X3322upd.tgz         5000176b71d5cc4b246547a8bf7defca
OpenBSD/X3322upd.tgz            7c677a53aa11fa3ba72e6319f8febabb
SVR4.0/X3322upd.tgz             8ef26f718baf47451d7b91194f50407d
Solaris/X3322upd.tgz            8c0098154c755c7cef29e3cd5fcfaf03
UnixWare/X3322upd.tgz           a0e5d4faa5fb4a3a658c5601929e0475
These checksums only apply for files obtained from ftp.xfree86.org
and its mirrors.
VII. Credits
Topi Miettinen found the Xt translation manager
buffer overflows.
Paulo Cesar Pereira de Andrade found and fixed the Xmu and related Xaw
buffer overflows.
David Dawes found and fixed various library buffer
overflow problems.
Theo de Raadt pointed out some buffer overflows.
Tom Dickey reviewed and updated TOG's Xaw fix.
=============================================================================
The XFree86 Project, Inc
Web Site: http://www.xfree86.org/
PGP Key: ftp://ftp.xfree86.org/pub/XFree86/Security/key.asc
Advisories: ftp://ftp.xfree86.org/pub/XFree86/Security/
Security notifications: security@xfree86.org
General support contact: xfree86@xfree86.org
=============================================================================