-----BEGIN PGP SIGNED MESSAGE-----

Subject: Caldera Security Advisory SA-1998.05: Vulnerabilities in XFree86 3.3

Advisory issue date: 06-Mar-1998

Topic: Vulnerabilities in the XFree86 3.3 X servers

I. Problem Description

This security advisory addresses two problems that are unrelated except that they are both addressed in the same XFree86 update described in this advisory.

1. On a system where an X11R6-based Xserver is installed setuid or setgid (e.g. the default XFree86 installation for OpenLinux), local users can exploit a buffer overrun in its code and gain extra privileges (e.g. root privileges).

2. On a system where an X11R6.3-based Xserver with the XKEYBOARD extension is run in a setuid or setgid environment (e.g. the default XFree86 installation for OpenLinux), a local user can exploit a "feature" of the XKB implementation to execute arbitrary commands with the extra privileges.

II. Impact

An unprivileged user can execute commands as root or open a root shell on a Caldera OpenLinux system that has any of the X servers installed. These problems are present in OpenLinux 1.2 and prior releases.

III. Solution

Upgrade to the XFree86-[server]-3.3.1-4 packages.
They can be found on Caldera's FTP site at:

    ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/003/RPMS

The corresponding source code can be found at:

    ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/003/SRPMS

The MD5 checksums (from the "md5sum" command) for these packages are:

    b008ba943943d1e23873f0f0b031d638  XFree86-8514-3.3.1-4.i386.rpm
    f739879c032fb7553ce6556e844c1ee4  XFree86-AGX-3.3.1-4.i386.rpm
    1c72ce1700067b2d12859638f080f544  XFree86-I128-3.3.1-4.i386.rpm
    9b2748b5af5b4a664de2e7bbb70bb9c5  XFree86-Mach32-3.3.1-4.i386.rpm
    da7034a416cc67e23bb65aca638d53a4  XFree86-Mach64-3.3.1-4.i386.rpm
    c4a7caf638632118b02ac2f0d5e263ef  XFree86-Mach8-3.3.1-4.i386.rpm
    e7135fdb655edddf620fb1140c2728c3  XFree86-Mono-3.3.1-4.i386.rpm
    fa0884f740487cfffafddba544a13e11  XFree86-P9000-3.3.1-4.i386.rpm
    1cfd51474ecd8db258fba3506f16324e  XFree86-S3-3.3.1-4.i386.rpm
    383328536d1941ab6c9e5f54a6f48f1c  XFree86-S3V-3.3.1-4.i386.rpm
    c1731a860a8eec44dc26704e9cca2583  XFree86-SVGA-3.3.1-4.i386.rpm
    71ad5d2d481a3f30dcaf7d257e8c2149  XFree86-VGA16-3.3.1-4.i386.rpm
    3e785f918b256f18466ccf2aba06c375  XFree86-W32-3.3.1-4.i386.rpm
    5bd39cbdad0aff82571c0892d3f7e466  XFree86-Xnest-3.3.1-4.i386.rpm
    4a4113f51f69445cf9cf861c93fa150e  XFree86-Xprt-3.3.1-4.i386.rpm
    7a6d06c07bbecc4294258f16df242172  XFree86-Xvfb-3.3.1-4.i386.rpm
    e654f68883b1d37b908d4311044768e3  XFree86-server-3.3.1-4.i386.rpm
    d442b3e7015e81713e71bbae77c07aac  XFree86-server-devel-3.3.1-4.i386.rpm
    1393b477a5934a5458bebae1e124319d  XFree86-server-modules-3.3.1-4.i386.rpm
    0280e304648f8c39300653d58003868a  XFree86-setup-3.3.1-4.i386.rpm
    cd5205bab9e19a4c888b44d4eb004082  XFree86-server-3.3.1-4.src.rpm

If you are running OpenLinux 1.1 or a previous release, it is assumed that you have already upgraded to the XFree86-[server]-3.3.1-3 packages as discussed in Caldera Security Advisory SA-1997.34: Vulnerabilities in XFree86 3.3.

You will need to upgrade _all_ of the X servers installed on your system, not just the server currently in use.
To determine which servers are present, type "ls /usr/X11R6/bin/XF86_*". This should list the binary files for all of the X servers installed on your system in the form XF86_[server], where [server] is any or all of: { 8514, AGX, I128, Mach32, Mach64, Mach8, Mono, P9000, S3, S3V, SVGA, VGA16, W32 }.

1. Upgrade all of the X servers in the following manner:

       rpm -U XFree86-[server]-3.3.1-4.i386.rpm

   Repeat the command above for all servers found with the "ls /usr/X11R6/bin/XF86_*" command.

2. Also upgrade the following packages:

       rpm -U XFree86-Xnest-3.3.1-4.i386.rpm
       rpm -U XFree86-Xprt-3.3.1-4.i386.rpm
       rpm -U XFree86-Xvfb-3.3.1-4.i386.rpm
       rpm -U XFree86-server-3.3.1-4.i386.rpm
       rpm -U XFree86-setup-3.3.1-4.i386.rpm
       rpm -q XFree86-server-devel && rpm -U XFree86-server-devel-3.3.1-4.i386.rpm
       rpm -q XFree86-server-modules && rpm -U XFree86-server-modules-3.3.1-4.i386.rpm

IV. References

This and other Caldera security resources are located at:

    http://www.caldera.com/tech-ref/security/

This security advisory report is based in part on the postings to the BugTraq email list:

    From: (Pavel Kankovsky) peak@KERBEROS.TROJA.MFF.CUNI.CZ
    To: BUGTRAQ@NETSPACE.ORG
    Date: Tue, 13 Jan 1998 20:22:02 +0100
    Subject: Xserver stack smashed
    Message-ID: Pine.LNX.3.95.980113183646.27934A-100000@kerberos.troja.mff.cuni.cz
    http://www.netspace.org/cgi-bin/wa?A2=ind9801b&L=bugtraq&O=T&P=3363

    From: (Pavel Kankovsky) peak@KERBEROS.TROJA.MFF.CUNI.CZ
    To: BUGTRAQ@NETSPACE.ORG
    Date: Tue, 3 Feb 1998 20:26:16 +0100
    Subject: serious security problem in XKB
    Message-ID: Pine.LNX.3.95.980203191041.17555H-100000@kerberos.troja.mff.cuni.cz
    http://www.netspace.org/cgi-bin/wa?A2=ind9802A&L=bugtraq&D=&H=&T=&O=&F=&P=702

This security fix closes Caldera's internal Problem Reports 1578 and 1728.

V. PGP Signature

This message was signed with the PGP key for security@caldera.com.
This key can be obtained from:

    ftp://ftp.caldera.com/pub/pgp-keys/

Or on an OpenLinux CDROM under:

    /OpenLinux/pgp-keys/

$Id: SA-1998.05,v 1.4 1998/03/06 19:53:58 ron Exp $

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNQBUden+9R4958LpAQHz/gQAq8jcswLfh+vkWyl1km9uX6cSVHBn5zYn
FIZFlpot6UAqK8GEfY2BVNg/wV+TJuWYmSLYLOjpWr1iZjTIDTXwBu21dykY9BpG
a1lVlWmORThRcFfcyL6iUBttPjbIeWGqpGFKAkyz9zJrWltReDyzKvribBGbP6iX
Pz3ouWuQug8=
=K5MK
-----END PGP SIGNATURE-----
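
The upgrade procedure in section III can be scripted so that no installed server is missed and no package is passed to rpm before its MD5 checksum matches the advisory's list. The script below is an added example, not part of the Caldera advisory: it only prints the "rpm -U" commands to run, and it assumes the checksum list has been saved to a file (the name MD5SUMS is hypothetical) and that md5sum and awk are available.

```shell
#!/bin/sh
# Added example, not from the advisory: plan the SA-1998.05 upgrade.
VER="3.3.1-4"   # package version the advisory says to upgrade to

# Print the package file name for every XF86_* server binary in directory $1.
server_packages() {
    for bin in "$1"/XF86_*; do
        [ -f "$bin" ] || continue            # unmatched glob stays literal
        echo "XFree86-${bin##*/XF86_}-$VER.i386.rpm"
    done
}

# Succeed only if file $2 in directory $1 matches its MD5 in manifest $3
# (manifest format: "<md5> <file name>" per line, as in the advisory).
md5_ok() {
    want=$(awk -v f="$2" '$2 == f { print $1 }' "$3")
    [ -n "$want" ] || return 1               # not listed: never trust it
    have=$(md5sum "$1/$2" 2>/dev/null | awk '{ print $1 }')
    [ "$want" = "$have" ]
}

# $1 = server bin dir, $2 = download dir, $3 = manifest file.
# Prints one "rpm -U" line per verified package and a "SKIP" line otherwise;
# returns nonzero if anything was skipped. Nothing is installed here.
plan_upgrade() {
    pkgs="$(server_packages "$1")"
    for p in Xnest Xprt Xvfb server setup; do          # step 2, always
        pkgs="$pkgs XFree86-$p-$VER.i386.rpm"
    done
    for p in server-devel server-modules; do           # step 2, if installed
        if rpm -q "XFree86-$p" >/dev/null 2>&1; then
            pkgs="$pkgs XFree86-$p-$VER.i386.rpm"
        fi
    done
    rc=0
    for pkg in $pkgs; do
        if md5_ok "$2" "$pkg" "$3"; then
            echo "rpm -U $2/$pkg"
        else
            echo "SKIP $pkg (missing, unlisted or MD5 mismatch)"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: sh plan.sh /usr/X11R6/bin ./RPMS ./MD5SUMS
if [ $# -eq 3 ]; then plan_upgrade "$@"; fi
```

A nonzero exit status means at least one required package was missing from the download directory, absent from the checksum list, or did not match its listed MD5.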