Package: xlib
Version: 3.1.2-7

It seems there is a buffer overrun in libXt, which may be a security hole (some programs using libXt, such as xterm, are setuid root). I haven't tried to exploit it, but xterm -fg very_long_string segfaults, so it might be exploitable (stack overwrite). See the attached message (which appeared on the bugtraq list) for a patch.
I haven't verified that the fix is indeed in XFree86-3.1.2F (just released) - can't get to ftp.xfree86.org right now (too many users) and can't find this version on mirror sites yet. Marek > Date: Sun, 25 Aug 1996 22:05:16 -0700 > From: Ollivier Robert <[EMAIL PROTECTED]> > Subject: Re: Vulnerability in the Xt library (fwd) > To: Multiple recipients of list BUGTRAQ <[EMAIL PROTECTED]> > According to John Capo: > > Stefan `Sec` Zehl writes: > > > I can confirm this for Freebsd 2.2-Current, it gives me a euid=0 /bin/sh > > > I can also. The xterm cores on -stable though. > > I sent a patch and a portable version of snprintf to both the X consortium > and Xfree86 yesterday. It will be in 3.1.2F. > > If you have XFree sources on-line and are willing to recompile, apply the > following patch in xc/lib/Xt: > > --- Error.c.old Sun Aug 25 14:57:28 1996 > +++ Error.c Sun Aug 25 14:47:14 1996 > @@ -238,5 +238,5 @@ > (void) memmove((char*)par, (char*)params, i * sizeof(String) ); > bzero( &par[i], (10-i) * sizeof(String) ); > - (void) sprintf(message, buffer, par[0], par[1], par[2], par[3], > + (void) snprintf(message, sizeof message, buffer, par[0], par[1], > par[2], par[3], > par[4], par[5], par[6], par[7], par[8], par[9]); > XtError(message); > @@ -263,5 +263,5 @@ > (void) memmove((char*)par, (char*)params, i * sizeof(String) ); > bzero ( &par[i], (10-i) * sizeof(String) ); > - (void) sprintf(message, buffer, par[0], par[1], par[2], par[3], > + (void) snprintf(message, sizeof message, buffer, par[0], par[1], > par[2], par[3], > par[4], par[5], par[6], par[7], par[8], par[9]); > XtWarning(message); > > -- > Ollivier ROBERT -=- The daemon is FREE! -=- [EMAIL PROTECTED] > FreeBSD keltia.freenix.fr 2.2-CURRENT #18: Sun Aug 18 19:16:52 MET DST 1996 >
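Review bot: In the first hunk (@@ -238, the XtError path), `sizeof message` only bounds the write if `message` is declared as a char array in this function. The declaration is outside the visible context, so please confirm it is not a `char *`, where `sizeof` would give the pointer size instead of the buffer size. The added line is also wrapped in the mail: `par[2], par[3],` sits on its own line without a `+` marker, so the hunk no longer matches its `-238,5 +238,5` line counts and the two pieces need rejoining before the patch will apply.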
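Review bot: In the second hunk (@@ -263, the XtWarning path), the snprintf result is cast to void, so a message that does not fit is truncated silently before `XtWarning(message)` is called. That is reasonable for a diagnostic string, but a short comment stating that truncation is intended would make it clear the return value is ignored on purpose. The hunk also assumes snprintf exists on every platform Xt builds on, and the portable snprintf mentioned in the message is not part of this patch, so it should be included or referenced in the same change.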