> On Fri, May 30, 1997 at 05:38:02PM +0200, Eivind Eklund wrote:
> >There is presently at least one hole in the X11 libraries (a buffer
> >overflow) being passed around in hacker circles. This buffer overrun
> >makes it possible to exploit any setuid program for X11 (e.g. xterm)
> >user set to; xterm (and others) give root.
> >Hopefully XFree will provide replacement libraries soon; if not, I'll
> >try to do it, but I'm not presently equipped to compile new libraries
> >for all FreeBSD versions. (The XFree liason is Cc:'ed - can you
> >comment on this, Rich?)
> XFree86 is aware of two Xlib buffer overflows which are present in
> the base X11R6.3 code. One is related to the -xrm command line flag,
> and the other is related to the locale-related environment variables.
> Xterm built from XFree86 3.1.2 and later source happens to be immune
> from the first problem because it runs the vulnerable code with the
> euid == ruid.
How this helps against a buffer overflow is unclear to me. You'd just
need to do setuid(0) as a syscall in the shellcode to bypass it,
> We have fixes for both of these problems, and they will be included in
> our 3.3 release, which should be available some time in the next week.
> We'll be providing binary distributions for FreeBSD 2.1.7, 2.2.x, and
> 3.0-CURRENT (using the 970520-SNAP).
> If you know of any other Xlib (or other) vulnerabilities, please let me
> know *now* (send details to XFree86@XFree86.org) so that we can attempt
> to have them fixed in 3.3. We close off 3.3 completely in a day or two.
I know of no more. One question, though: Will it be possible to get a
secure 3.2(a) by replacing just the relevant libraries with the ones
from 3.3? (Doing a full new X install is somewhat more of an
operation than just surgically replacing libraries. Would be nice if
people could do that - increase user confidence etc)