-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
XFree86-SA-1998:02                                          Security Advisory
                                                    The XFree86 Project, Inc.

Topic:          Library vulnerabilities in Xlib, Xt, Xmu, and Xaw
Announced:      25 May 1998
Last Updated:   26 May 1998
Affects:        All XFree86 versions up to and including 3.3.2
Corrected:      XFree86 3.3.2 patch 2
XFree86 only:   no

Patches:        ftp://ftp.xfree86.org/pub/XFree86/3.3.2/fixes/3.3.2-patch2
=============================================================================

I.   Background

Xlib, Xt, Xmu, and Xaw are libraries included as a part of the core
X Window System and are also included in every XFree86 release.

The XFree86 Project has developed a patch to XFree86 version 3.3.2
which fixes problems found by our team members. The patch also
includes an XPT public patch which was recently provided by The Open
Group for problems found in the Xt library.

II.  Problem Description

Problems exist in the Xlib, Xt, Xmu, and Xaw libraries that allow
user-supplied data to cause buffer overflows in programs that use these
libraries. The buffer overflows may be exploited using either
X resources or environment variables used by the affected libraries.

These buffer overflows are associated with the use of fixed-length
character arrays for temporary storage and processing of user-supplied
data. In many cases, the length of this user-supplied data is not
checked to make sure that it will fit in the provided fixed-length
array.

III. Impact

Exploiting these buffer overflows with programs installed setuid-root
that use any of these libraries can allow an unprivileged user to gain
root access to the system. These vulnerabilities can only be exploited
by individuals with access to the local system.

The only setuid-root program using these libraries that is supplied as
part of the standard XFree86 distributions is xterm. Other
distributions may include other such programs, including variants of
xterm.

IV.  Workaround

The setuid-root programs affected by these problems can be made safe by
removing their setuid bit. This should be done for xterm and any
setuid-root program that uses the affected libraries:

    # chmod 0755 /usr/X11R6/bin/xterm
    # chmod 0755 <setuid-root-file>

Note that implementing this workaround may reduce the functionality of
the affected programs.

V.   Solution

The XFree86 Project team has released fixes for these problems. A
source patch is available now at
ftp://ftp.xfree86.org/pub/XFree86/3.3.2/fixes/3.3.2-patch2.

Updated binaries for most OSs are also available. The updated binaries
can be found in the X3322upd.tgz files in the appropriate
subdirectories of the XFree86 3.3.2 binaries directory
(ftp://ftp.xfree86.org/pub/XFree86/3.3.2/binaries/).

Information about installing the updated binaries can be found in an
updated version of the XFree86 3.3.2 Release Notes. A text copy of this
can be found at ftp://ftp.xfree86.org/pub/XFree86/3.3.2/RELNOTES. An
on-line copy can be viewed at http://www.xfree86.org/3.3.2/RELNOTES.html.
Note that it is important to follow the instructions in those notes
carefully.

Also, the platform-dependent files in the XFree86 3.3.2 binaries
subdirectories still contain the original buggy versions. When doing a
new XFree86 3.3.2 installation it is important to extract the
X3322upd.tgz after extracting the others.

The X3322upd.tgz file is a complete replacement for the previously
released patch1 binary update file X3321upd.tgz. It is not necessary to
install the X3321upd.tgz file prior to installing X3322upd.tgz.

The 3.3.2-patch2 source patch file must be applied to the XFree86 3.3.2
base release after applying the previously released source patch file
3.3.2-patch1.

VI.  Checksums

The following is a list of MD5 digital signatures for the source patch,
release notes file and updated binaries.

Filename                         MD5 Digital Signature
----------------------------------------------------------------------
3.3.2-patch2                     ba4752cdab2f73e34020285043d51e14
RELNOTES                         914af5bee5003b973909403eccf7f180

FreeBSD-2.2.x/X3322upd.tgz       03e88a106ba0eaeabc3f8fd9f0c209e3
FreeBSD-3.0/X3322upd.tgz         82bdbaaf872914e0cd6e69c9e5e4e684
Interactive/X3322upd.tgz         a39839a4bc0d72a8fa181634fd253fa7
Linux-axp/X3322upd.tgz           d6604b63427758ccb690827d304215d4
Linux-ix86-glibc/X3322upd.tgz    e94a88e2b4bcd70d7330b3c034232e6c
Linux-ix86/X3322upd.tgz          d3f0bbad2eba045e8ccd28e8d4bcb95e
LynxOS/X3322upd.tgz              0e094ddc01ec09df8c18944a4bf4ca33
NetBSD-1.2/X3322upd.tgz          e97059d4af700d2cfab642ba966a7071
NetBSD-1.3/X3322upd.tgz          5000176b71d5cc4b246547a8bf7defca
OpenBSD/X3322upd.tgz             7c677a53aa11fa3ba72e6319f8febabb
SVR4.0/X3322upd.tgz              8ef26f718baf47451d7b91194f50407d
Solaris/X3322upd.tgz             8c0098154c755c7cef29e3cd5fcfaf03
UnixWare/X3322upd.tgz            a0e5d4faa5fb4a3a658c5601929e0475

These checksums only apply for files obtained from ftp.xfree86.org and
its mirrors.

VII. Credits

Topi Miettinen                   found the Xt translation manager buffer
                                 overflows.
Paulo Cesar Pereira de Andrade   found and fixed the Xmu and related Xaw
                                 buffer overflows.
David Dawes                      found and fixed various library buffer
                                 overflow problems.
Theo de Raadt                    pointed out some buffer overflows.
Tom Dickey                       reviewed and updated TOG's Xaw fix.

=============================================================================
The XFree86 Project, Inc

Web Site:                 http://www.xfree86.org/
PGP Key:                  ftp://ftp.xfree86.org/pub/XFree86/Security/key.asc
Advisories:               ftp://ftp.xfree86.org/pub/XFree86/Security/
Security notifications:   security@xfree86.org
General support contact:  xfree86@xfree86.org
=============================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBNWrDjknJJ0YV1q5pAQGVXAP/RohpOM6XAAa7ivDYSeg+pS99shIObBcG
hsr3gJtYb3rbBoJwUqm0LSvA7EHJcgtx/Kfy5CL6LtNQfw6cbx1D3vfhMAZMzTqu
CiX0mPBWX68+viX+IK/l966/NzXp/APCOeuYbJ3y7PSUeHpxToJyyU/A7/BnLIf6
CUXtqsNo5nE=
=WokW
-----END PGP SIGNATURE-----
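
The workaround in section IV applies to xterm and to "any setuid-root program that uses the affected libraries". The script below is an added example, not part of the XFree86 advisory, showing one way to find those programs. It assumes ELF binaries and binutils objdump, and that Xlib is installed as libX11; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): find setuid-root programs that are
# dynamically linked against the libraries named in XFree86-SA-1998:02.
# Assumes ELF binaries and binutils objdump; Xlib's shared object is libX11.

# Constructed sample of `objdump -p` output, used to exercise the filter.
SAMPLE_DYNAMIC='Dynamic Section:
  NEEDED               libXaw.so.6
  NEEDED               libXmu.so.6
  NEEDED               libXt.so.6
  NEEDED               libXtst.so.6
  NEEDED               libX11.so.6
  NEEDED               libc.so.6'

# Filter `objdump -p` text on stdin; print affected library names, sorted.
# The anchored pattern keeps look-alikes such as libXtst out of the result.
affected_libs() {
    awk '$1 == "NEEDED" && $2 ~ /^lib(X11|Xt|Xmu|Xaw)\.so(\.[0-9]+)*$/ { print $2 }' |
        LC_ALL=C sort -u
}

# Print "path: libs" for each setuid-root file under the given directories.
# objdump only parses headers; ldd is avoided because some implementations
# invoke the target's loader, which is unwanted when auditing binaries.
scan_setuid_root() {
    find "$@" -type f -user root -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        libs=$(objdump -p "$f" 2>/dev/null | affected_libs | tr '\n' ' ')
        if [ -n "$libs" ]; then
            printf '%s: %s\n' "$f" "$libs"
        fi
    done
}

# Usage: sh audit.sh /usr/X11R6/bin /usr/bin /usr/local/bin
if [ "$#" -gt 0 ]; then
    scan_setuid_root "$@"
fi
```

Statically linked programs carry no NEEDED entries and will not be reported, so they have to be reviewed separately before deciding which setuid bits to remove.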