X-RDate: Sun, 10 May 1998 16:41:50 +0600 (YEKST)
X-UIDL: 35317d34000001ae
Date: Tue, 5 May 1998 23:52:11 +1000
From: David Dawes <[email protected]>
To: [email protected]Subject: xterm and Xaw library vulnerability (XFree86 advisory)
-----BEGIN PGP SIGNED MESSAGE-----
XFree86-SA-1998:01 Security Advisory
The XFree86 Project, Inc.
Topic: xterm and Xaw library vulnerability
Announced: 3 May 1998
Affects: All XFree86 versions up to and including 3.3.2
Corrected: XFree86 3.3.2 patch 1
XFree86 only: no
Patches: ftp://ftp.xfree86.org/pub/XFree86/3.3.2/fixes/3.3.2-patch1
I. Background
Xterm is a terminal emulator that is part of the core X Window System,
and is included in every XFree86 release. Xaw is the Athena Widgets
library. It is also part of the core X Window System, and is also
included in every XFree86 release.
The Open Group X Project Team recently provided a vendor advisory
released by CERT as VB-98.04 regarding vulnerabilities in xterm and
the Xaw library. The XFree86 Project has developed a patch to
XFree86 version 3.3.2, the latest release of the software based on
X11R6.3.
II. Problem Description
Problems exist in both the xterm program and the Xaw library that
allow user supplied data to cause buffer overflows in both the
xterm program and any program that uses the Xaw library. These
buffer overflows are associated with the processing of data related
to the inputMethod and preeditType resources (for both xterm and Xaw)
and the *Keymap resources (for xterm).
III. Impact
Exploiting these buffer overflows with xterm when it is installed
setuid-root or with any setuid-root program that uses the Xaw library
can allow an unprivileged user to gain root access to the system.
These vulnerabilities can only be exploited by individuals with access
to the local system.
Setuid-root programs that use variants of the Xaw library (like Xaw3d)
may also be vulnerable to the Xaw problems.
The only setuid-root program using the Xaw library that is supplied
as part of the standard XFree86 distributions is xterm. Other
distributions may include other such programs, including variants
of xterm.
IV. Workaround
The setuid-root programs affected by these problems can be made
safe by removing their setuid bit. This should be done for xterm
and any setuid-root program that uses the Xaw library:
# chmod 0755 /usr/X11R6/bin/xterm
# chmod 0755 <setuid-root-program>
Note that implementing this workaround may reduce the functionality
of the affected programs.
V. Solution
The Open Group's fixes for these problems are currently available
only to its members (XFree86 is not a member). XFree86 has
independently released its own fixes for these problems. A source
patch is available now at
ftp://ftp.xfree86.org/pub/XFree86/3.3.2/fixes/3.3.2-patch1.
Updated binaries for most OSs are also available. The updated
binaries can be found in the X3321upd.tgz files in the appropriate
subdirectories of the XFree86 3.3.2 binaries directory
(ftp://ftp.xfree86.org/pub/XFree86/3.3.2/binaries/). Information
about installing the updated binaries can be found in an updated
version of the XFree86 3.3.2 Release Notes. A text copy of this
can be found at ftp://ftp.xfree86.org/pub/XFree86/3.3.2/RELNOTES.
An on-line copy can be viewed at
http://www.xfree86.org/3.3.2/RELNOTES.html.
Note that it is important to follow the instructions in those notes
carefully, and that both the updated xterm program and Xaw library
must be installed to fix the problem with xterm. Also, the
X332bin.tgz and X332lib.tgz files in the XFree86 3.3.2 binaries
subdirectories still contain the original buggy versions. When
doing a new XFree86 3.3.2 installation it is important to extract
the X3321upd.tgz after extracting the others.
VI. Checksums
The following is a list of MD5 digital signatures for the source patch,
release notes file and updated binaries.
Filename MD5 Digital Signature
----------------------------------------------------------------------
3.3.2-patch1 e5a66e732d62cf23007d6b939281028a
RELNOTES 06d07b8d884b651b131787ec15d04b59
FreeBSD-2.2.x/X3321upd.tgz cc2eeeecbaaf72d95776d12e42f1a111
FreeBSD-3.0/X3321upd.tgz 94b45261d8eb6da4e30580a42338c47e
Interactive/X3321upd.tgz f6ed6adc516af50303af4d70f0a93fbe
Linux-axp/X3321upd.tgz 0fc81d4308f989ea050e84ca7a7c3362
Linux-ix86-glibc/X3321upd.tgz bf6b7ddebadd188331c9624dfedf6aa9
Linux-ix86/X3321upd.tgz 89ac8668a891bcdee8df1ea36fe06248
LynxOS/X3321upd.tgz aa065051fe9747b5f36625f3ca956210
NetBSD-1.3/X3321upd.tgz 7dc31e8e7a230717338cd3587c6e9c9c
OpenBSD/X3321upd.tgz 9267e76495edadb26621defe368bce2e
SVR4.0/X3321upd.tgz 54c34dc2de7f789d29063a23b709f0c1
Solaris/X3321upd.tgz c102e2912ad7e9571d361083af0de170
UnixWare/X3321upd.tgz bf492604de594cdf2ebe9c78552005e8
These checksums only apply for files obtained from ftp.xfree86.org
and its mirrors.
VII. Credits
Richard Braakman Analysis of the xterm problems and
fixes for them.
Tom Dickey Integration of xterm fixes.
Paulo Cesar Pereira de Andrade Xaw fixes.
The XFree86 Project, Inc
Web Site: http://www.xfree86.org/
PGP Key: ftp://ftp.xfree86.org/pub/XFree86/Security/key.asc
Advisories: ftp://ftp.xfree86.org/pub/XFree86/Security/
Security notifications: [email protected]
General support contact: [email protected]
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv
iQCVAwUBNU3aWknJJ0YV1q5pAQE93QP+LkxhHphL6CpgX/lCJmFR25L2qf8430wk
D530Ih0nmIG86Y9zY6i9BMzgH9nfRl7v6dSX+Ch/+oiR68tyY1LBbuwMSpD+V672
qWuTHYQEJ9ZrrUFf1vc1V2gFKkDy+rMpqyEU6ZShBzPXZ66Lc7dINbf05GZGBdbm
EKjSwesIj/M=
=4dNY
-----END PGP SIGNATURE-----
