-----BEGIN PGP SIGNED MESSAGE----- ============================================================================= XFree86-SA-1998:01 Security Advisory The XFree86 Project, Inc. Topic: xterm and Xaw library vulnerability Announced: 3 May 1998 Affects: All XFree86 versions up to and including 3.3.2 Corrected: XFree86 3.3.2 patch 1 XFree86 only: no Patches: ftp://ftp.xfree86.org/pub/XFree86/3.3.2/fixes/3.3.2-patch1 ============================================================================= I. Background Xterm is a terminal emulator that is part of the core X Window System, and is included in every XFree86 release. Xaw is the Athena Widgets library. It is also part of the core X Window System, and is also included in every XFree86 release. The Open Group X Project Team recently provided a vendor advisory released by CERT as VB-98.04 regarding vulnerabilities in xterm and the Xaw library. The XFree86 Project has developed a patch to XFree86 version 3.3.2, the latest release of the software based on X11R6.3. II. Problem Description Problems exist in both the xterm program and the Xaw library that allow user supplied data to cause buffer overflows in both the xterm program and any program that uses the Xaw library. These buffer overflows are associated with the processing of data related to the inputMethod and preeditType resources (for both xterm and Xaw) and the *Keymap resources (for xterm). III. Impact Exploiting these buffer overflows with xterm when it is installed setuid-root or with any setuid-root program that uses the Xaw library can allow an unprivileged user to gain root access to the system. These vulnerabilities can only be exploited by individuals with access to the local system. Setuid-root programs that use variants of the Xaw library (like Xaw3d) may also be vulnerable to the Xaw problems. The only setuid-root program using the Xaw library that is supplied as part of the standard XFree86 distributions is xterm. Other distributions may include other such programs, including variants of xterm. IV. Workaround The setuid-root programs affected by these problems can be made safe by removing their setuid bit. This should be done for xterm and any setuid-root program that uses the Xaw library: # chmod 0755 /usr/X11R6/bin/xterm # chmod 0755 Note that implementing this workaround may reduce the functionality of the affected programs. V. Solution The Open Group's fixes for these problems are currently available only to its members (XFree86 is not a member). XFree86 has independently released its own fixes for these problems. A source patch is available now at ftp://ftp.xfree86.org/pub/XFree86/3.3.2/fixes/3.3.2-patch1. Updated binaries for most OSs are also available. The updated binaries can be found in the X3321upd.tgz files in the appropriate subdirectories of the XFree86 3.3.2 binaries directory (ftp://ftp.xfree86.org/pub/XFree86/3.3.2/binaries/). Information about installing the updated binaries can be found in an updated version of the XFree86 3.3.2 Release Notes. A text copy of this can be found at ftp://ftp.xfree86.org/pub/XFree86/3.3.2/RELNOTES. An on-line copy can be viewed at http://www.xfree86.org/3.3.2/RELNOTES.html. Note that it is important to follow the instructions in those notes carefully, and that both the updated xterm program and Xaw library must be installed to fix the problem with xterm. Also, the X332bin.tgz and X332lib.tgz files in the XFree86 3.3.2 binaries subdirectories still contain the original buggy versions. When doing a new XFree86 3.3.2 installation it is important to extract the X3321upd.tgz after extracting the others. VI. Checksums The following is a list of MD5 digital signatures for the source patch, release notes file and updated binaries. Filename MD5 Digital Signature ---------------------------------------------------------------------- 3.3.2-patch1 e5a66e732d62cf23007d6b939281028a RELNOTES 06d07b8d884b651b131787ec15d04b59 FreeBSD-2.2.x/X3321upd.tgz cc2eeeecbaaf72d95776d12e42f1a111 FreeBSD-3.0/X3321upd.tgz 94b45261d8eb6da4e30580a42338c47e Interactive/X3321upd.tgz f6ed6adc516af50303af4d70f0a93fbe Linux-axp/X3321upd.tgz 0fc81d4308f989ea050e84ca7a7c3362 Linux-ix86-glibc/X3321upd.tgz bf6b7ddebadd188331c9624dfedf6aa9 Linux-ix86/X3321upd.tgz 89ac8668a891bcdee8df1ea36fe06248 LynxOS/X3321upd.tgz aa065051fe9747b5f36625f3ca956210 NetBSD-1.3/X3321upd.tgz 7dc31e8e7a230717338cd3587c6e9c9c OpenBSD/X3321upd.tgz 9267e76495edadb26621defe368bce2e SVR4.0/X3321upd.tgz 54c34dc2de7f789d29063a23b709f0c1 Solaris/X3321upd.tgz c102e2912ad7e9571d361083af0de170 UnixWare/X3321upd.tgz bf492604de594cdf2ebe9c78552005e8 These checksums only apply for files obtained from ftp.xfree86.org and its mirrors. VII. Credits Richard Braakman Analysis of the xterm problems and fixes for them. Tom Dickey Integration of xterm fixes. Paulo Cesar Pereira de Andrade Xaw fixes. ============================================================================= The XFree86 Project, Inc Web Site: http://www.xfree86.org/ PGP Key: ftp://ftp.xfree86.org/pub/XFree86/Security/key.asc Advisories: ftp://ftp.xfree86.org/pub/XFree86/Security/ Security notifications: security@xfree86.org General support contact: xfree86@xfree86.org ============================================================================= -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: noconv iQCVAwUBNU3aWknJJ0YV1q5pAQE93QP+LkxhHphL6CpgX/lCJmFR25L2qf8430wk D530Ih0nmIG86Y9zY6i9BMzgH9nfRl7v6dSX+Ch/+oiR68tyY1LBbuwMSpD+V672 qWuTHYQEJ9ZrrUFf1vc1V2gFKkDy+rMpqyEU6ZShBzPXZ66Lc7dINbf05GZGBdbm EKjSwesIj/M= =4dNY -----END PGP SIGNATURE-----