-----BEGIN PGP SIGNED MESSAGE-----

Subject:              Caldera Security Advisory SA-1998.11: XFree86 3.3.1 Problems

Advisory issue date:  24-July-1998
Topic-1:              xterm and Xaw library vulnerability

Advisory issue date:  24-July-1998
Topic-2:              X server crashes on some bogus fonts.dir file

I. Problem Description

Problem-1:

There are buffer overflows in libXaw and xterm that can give local users
root access. See the (clipped) XFree86 advisory XFree86-SA-1998:01.

xterm is a terminal emulator that is part of the core X Window System and
is included in every XFree86 release. Xaw is the Athena Widgets library.
It is also part of the core X Window System and is also included in every
XFree86 release.

The Open Group X Project Team recently provided a vendor advisory, released
by CERT as VB-98.04, regarding vulnerabilities in xterm and the Xaw library.
The XFree86 Project has developed a patch to XFree86 version 3.3.2, the
latest release of the software based on X11R6.3.

Problems exist in both the xterm program and the Xaw library that allow
user-supplied data to cause buffer overflows in the xterm program and in
any program that uses the Xaw library. These buffer overflows are
associated with the processing of data related to the inputMethod and
preeditType resources (for both xterm and Xaw) and the *Keymap resources
(for xterm). X resources are set by the invoking user (for example with
-xrm or from a resource file), so no privilege is needed to supply the
malicious values to a setuid-root program.

Problem-2:

The problem relates to the processing of font directories. A user may
alter the font path used by a running X server; any client authorized to
connect to the display can do this (for example with xset +fp). This path
is a list of directories which contain font files to be used by the
server. When a new font directory is added to the font path, the server
opens a file named "fonts.dir" in that directory. This file describes the
font names and font file names contained in the directory. Through the
use of buffer overrun techniques, a "fonts.dir" file can be created that
will provide the user a shell run with root privileges. Servers running
with real or effective uids of root are vulnerable.
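The fonts.dir overrun in Problem-2 comes down to copying two whitespace-delimited tokens from an attacker-controlled file into fixed-size fields. The following C program is an added example written for this page, not XFree86 or Caldera code: it shows the unbounded sscanf idiom beside a parser that measures every token before copying it and rejects, rather than truncates, anything that does not fit. The 256-byte field sizes, the line and entry limits, the in-memory fonts.dir images and all function names are assumptions made for illustration. The same length check is the fix for the Problem-1 resource strings (inputMethod, preeditType, *Keymap), which are likewise user-controlled text copied into fixed buffers.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Field sizes are an assumption modelled on the X font library's fixed
 * 256-byte entry fields; the real server's limits may differ. */
#define MAXFONTFILENAMELEN 256
#define MAXFONTNAMELEN     256
#define DIRLINE_MAX        1024
#define MAXENTRIES         4096

struct font_entry {
    char file[MAXFONTFILENAMELEN];   /* font file name, e.g. helvR12.pcf.gz */
    char name[MAXFONTNAMELEN];       /* X logical font description */
};

enum dir_status { DIR_OK = 0, DIR_BAD_COUNT = -1, DIR_LONG_LINE = -2,
                  DIR_LONG_TOKEN = -3, DIR_BAD_ENTRY = -4 };

/* UNSAFE (for comparison only; nothing below calls it): width-less "%s"
 * conversions let a token longer than its field overrun the struct. */
int parse_entry_unbounded(const char *line, struct font_entry *e)
{
    return sscanf(line, "%s %[^\n]", e->file, e->name) == 2 ? DIR_OK : DIR_BAD_ENTRY;
}

/* SAFE: measure each token, then copy; reject rather than truncate,
 * since a truncated name would silently select a different font. */
int parse_entry_bounded(const char *line, struct font_entry *e)
{
    const char *p = line, *tok;
    size_t len;

    while (*p == ' ' || *p == '\t') p++;
    for (tok = p; *p && !isspace((unsigned char)*p); p++) ;
    len = (size_t)(p - tok);
    if (len == 0) return DIR_BAD_ENTRY;
    if (len >= MAXFONTFILENAMELEN) return DIR_LONG_TOKEN;
    memcpy(e->file, tok, len); e->file[len] = '\0';

    while (*p == ' ' || *p == '\t') p++;
    for (tok = p; *p && *p != '\n'; p++) ;
    while (p > tok && isspace((unsigned char)p[-1])) p--;   /* trim end */
    len = (size_t)(p - tok);
    if (len == 0) return DIR_BAD_ENTRY;
    if (len >= MAXFONTNAMELEN) return DIR_LONG_TOKEN;
    memcpy(e->name, tok, len); e->name[len] = '\0';
    return DIR_OK;
}

/* Next line of an in-memory image: 1 = got a line, 0 = end of image,
 * -1 = the line would not fit in buf (refuse rather than split it). */
static int next_line(const char **cur, char *buf, size_t cap)
{
    const char *s = *cur, *nl;
    size_t len;
    if (*s == '\0') return 0;
    nl = strchr(s, '\n');
    len = nl ? (size_t)(nl - s) : strlen(s);
    if (len >= cap) return -1;
    memcpy(buf, s, len); buf[len] = '\0';
    *cur = nl ? nl + 1 : s + len;
    return 1;
}

/* Parse a whole fonts.dir image: a decimal entry count, then one
 * "file name" line per entry. Returns the entry count or a negative
 * dir_status; the declared count is checked against the lines actually
 * present and against the caller's buffer. */
int parse_fonts_dir(const char *text, struct font_entry *out, int max_out)
{
    char line[DIRLINE_MAX], *end;
    const char *cur = text;
    long declared;
    int n = 0, rc;

    if (next_line(&cur, line, sizeof line) != 1) return DIR_BAD_COUNT;
    declared = strtol(line, &end, 10);
    while (*end == ' ' || *end == '\t' || *end == '\r') end++;
    if (end == line || *end != '\0' || declared < 0 ||
        declared > MAXENTRIES || declared > max_out)
        return DIR_BAD_COUNT;

    while ((rc = next_line(&cur, line, sizeof line)) == 1) {
        if (line[0] == '\0') continue;               /* tolerate blank lines */
        if (n == declared) return DIR_BAD_COUNT;     /* more lines than declared */
        if ((rc = parse_entry_bounded(line, &out[n])) != DIR_OK) return rc;
        n++;
    }
    if (rc == -1) return DIR_LONG_LINE;
    return n == declared ? n : DIR_BAD_COUNT;
}

/* Constructed inputs (not real font data) used by main and the checks. */
static const char GOOD_DIR[] =
    "2\n"
    "helvR12.pcf.gz -adobe-helvetica-medium-r-normal--12-120-75-75-p-67-iso8859-1\n"
    "courR12.pcf.gz -adobe-courier-medium-r-normal--12-120-75-75-m-70-iso8859-1\n";

/* "1\nx.pcf " followed by name_len bytes of 'A': the shape of line a
 * crafted fonts.dir uses to overrun a fixed-size name field. */
static int run_hostile(size_t name_len)
{
    char *img = malloc(name_len + 16);
    struct font_entry e;
    int rc;
    if (!img) return DIR_BAD_ENTRY;
    strcpy(img, "1\nx.pcf ");
    memset(img + 8, 'A', name_len);
    img[8 + name_len] = '\n';
    img[9 + name_len] = '\0';
    rc = parse_fonts_dir(img, &e, 1);
    free(img);
    return rc;
}

int demo_good_count(void) { struct font_entry e[4]; return parse_fonts_dir(GOOD_DIR, e, 4); }
int demo_good_first_ok(void)
{
    struct font_entry e[4];
    return parse_fonts_dir(GOOD_DIR, e, 4) == 2 && strcmp(e[0].file, "helvR12.pcf.gz") == 0;
}
int demo_long_name(void) { return run_hostile(600); }   /* fits the line, not the field */
int demo_long_line(void) { return run_hostile(2000); }  /* does not even fit the line */
int demo_bad_count(void) { struct font_entry e[4]; return parse_fonts_dir("5\nx.pcf -x-\n", e, 4); }

int main(void)
{
    printf("good=%d first_ok=%d long_name=%d long_line=%d bad_count=%d\n",
           demo_good_count(), demo_good_first_ok(), demo_long_name(),
           demo_long_line(), demo_bad_count());
    return 0;
}
```

The hostile images are rejected before any copy happens, which is the property the server lacked: with the unbounded variant the 600-byte name would already have overwritten whatever follows the 256-byte field. Note that the bounded parser also refuses a count line that disagrees with the file, since a count larger than the destination array is a second way to walk off the end of a buffer.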
II. Impact

Description-1:

Exploiting these buffer overflows with xterm when it is installed
setuid-root, or with any setuid-root program that uses the Xaw library,
can allow an unprivileged user to gain root access to the system. These
vulnerabilities can only be exploited by individuals with access to the
local system.

Setuid-root programs that use variants of the Xaw library (like Xaw3d) may
also be vulnerable to the Xaw problems. The only setuid-root program using
the Xaw library that is supplied as part of the standard XFree86
distributions is xterm. Other distributions may include other such
programs, including variants of xterm.

Description-2:

Create a directory /tmp/foobar, drop the following (uudecoded and
uncompressed) and do 'xset +fp /tmp/foobar'. Watch your X session die
without a sigh.

Vulnerable Systems:

OpenLinux 1.0, 1.1, 1.2 systems with XFree86 older than 3.3.2 pl1.

III. Solution

Workaround-1:

The setuid-root programs affected by these problems can be made safe by
removing their setuid bit. This should be done for xterm and for any other
setuid-root program that uses the Xaw library (or a variant such as Xaw3d):

    # chmod 0755 /usr/X11R6/bin/xterm
    # chmod 0755 

Note that implementing this workaround may reduce the functionality of the
affected programs. It does not address Problem-2, which is in the X server
itself.

Correction:

The proper solution is to upgrade to the XFree86-*-3.3.2-1 packages, which
contain patch 2 as well.
They can be found on Caldera's FTP site at:

    ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/010/RPMS

The corresponding source code can be found at:

    ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/010/SRPMS

Verify the PGP signature on this advisory (section V) before relying on
the checksums below; the MD5 sums authenticate the downloaded packages
only as far as the signed message that carries them does.

The MD5 checksums (from the "md5sum" command) for these packages are:

6e2dd04196c696050dec09da031e0921  RPMS/XFree86-3.3.2-1.i386.rpm
ea6e954000a7541a9c85e9e09d7a86b4  RPMS/XFree86-8514-3.3.2-1.i386.rpm
109f2f4f5451d6d68cb6d95680c4a337  RPMS/XFree86-AGX-3.3.2-1.i386.rpm
c8604f9982e39d0173c01b12ecbdd35b  RPMS/XFree86-I128-3.3.2-1.i386.rpm
2bdbb6bcbf3c8e3ba518c34c84be9c72  RPMS/XFree86-Mach32-3.3.2-1.i386.rpm
d899a9525757b3e72f231251729a1294  RPMS/XFree86-Mach64-3.3.2-1.i386.rpm
d5890bd20980a8278cbaf0c4934d0b8e  RPMS/XFree86-Mach8-3.3.2-1.i386.rpm
59c7b6dd1d7fa124629746f9dbbd87c0  RPMS/XFree86-Mono-3.3.2-1.i386.rpm
002554afadd9f0760fe165154d24082c  RPMS/XFree86-P9000-3.3.2-1.i386.rpm
d4c6d3bf2229d8bae15356b9bd4a7021  RPMS/XFree86-S3-3.3.2-1.i386.rpm
ac315785e3cc29e8d8eed331f9aad4f4  RPMS/XFree86-S3V-3.3.2-1.i386.rpm
92a179efc6e8c723f6c8870550b6c543  RPMS/XFree86-SVGA-3.3.2-1.i386.rpm
9eebc030b51fde83808879c4625d83b3  RPMS/XFree86-VGA16-3.3.2-1.i386.rpm
31fc6cf9707b4672cf11de898c78aa56  RPMS/XFree86-W32-3.3.2-1.i386.rpm
648cf774f14e6be64b6874aeeb867f25  RPMS/XFree86-Xnest-3.3.2-1.i386.rpm
f9798297b595f3313273885e84b54a1b  RPMS/XFree86-Xprt-3.3.2-1.i386.rpm
08de083f39bb09c6a3a0b46749b8c887  RPMS/XFree86-Xvfb-3.3.2-1.i386.rpm
1de4cf7b6e5fe9395391de43967791ee  RPMS/XFree86-addons-3.3.2-1.i386.rpm
b4bb53f89f4a7a5084d5603ffb82f45f  RPMS/XFree86-contrib-3.3.2-1.i386.rpm
c7a61981df89092e53d8357e0b31d680  RPMS/XFree86-devel-3.3.2-1.i386.rpm
ff4f2344e42ddd3a3a7b703a8daaab15  RPMS/XFree86-devel-prof-3.3.2-1.i386.rpm
59bc044f47716e21682e0b656b63f337  RPMS/XFree86-devel-static-3.3.2-1.i386.rpm
3ff548a024ad609e69fc7a080db8c9a6  RPMS/XFree86-fonts-100dpi-3.3.2-1.i386.rpm
0fb349ddb0d2a3caee770232df832648  RPMS/XFree86-fonts-3.3.2-1.i386.rpm
cef3898255bc1a4aa09c3c38b0bd697d  RPMS/XFree86-fonts-75dpi-3.3.2-1.i386.rpm
f92a6e6b4e4f98f29fce420f07e0a7c8  RPMS/XFree86-fonts-cyrillic-3.3.2-1.i386.rpm
bf4bd1274da39168f17686af54367761  RPMS/XFree86-fonts-extra-3.3.2-1.i386.rpm
a3957eebdbc06427ac4bbf7c4db94e19  RPMS/XFree86-fonts-scale-3.3.2-1.i386.rpm
a8b611506e98252d08c0e65724c872bf  RPMS/XFree86-fontserver-3.3.2-1.i386.rpm
070fc2bcec8552f09ec4c06a1143c266  RPMS/XFree86-imake-3.3.2-1.i386.rpm
83cc6968bd6b43f7bfd521cfa6dcecc2  RPMS/XFree86-libs-3.3.2-1.i386.rpm
5825836d9f7bdb1c4b9c319acb29d6fb  RPMS/XFree86-misc-3.3.2-1.i386.rpm
afd87894f4cf89a8e798e56528140ed4  RPMS/XFree86-programs-3.3.2-1.i386.rpm
061bb6c80fe663f4a4a693c376ac6aa0  RPMS/XFree86-server-3.3.2-1.i386.rpm
c81956caaf1ca0ed9d7fda6403230ebc  RPMS/XFree86-server-devel-3.3.2-1.i386.rpm
98b87dc96773efc88bc4aba8dec51baa  RPMS/XFree86-server-modules-3.3.2-1.i386.rpm
755f69e33a1ba95338446040a0da41dd  RPMS/XFree86-setup-3.3.2-1.i386.rpm
cf3f651ae595baae5328643345e90583  RPMS/XFree86-twm-3.3.2-1.i386.rpm
ecfe0c3b2ae559ab925a1c4cf4e895e5  RPMS/XFree86-xdm-3.3.2-1.i386.rpm
bc615b9494190aede9d2991e78730d01  RPMS/XFree86-xsm-3.3.2-1.i386.rpm
d89b927c17890711f3af825e1f852a60  RPMS/XFree86-xterm-3.3.2-1.i386.rpm
b45658c77c6013b0569565c45afe80cc  SRPMS/XFree86-3.3.2-1.src.rpm
bcbfda1e7ba55bbbbcd8cf7533a28c55  SRPMS/XFree86-contrib-3.3.2-1.src.rpm
131bb40cc9c8ffc65236d4ac748a381b  SRPMS/XFree86-fonts-3.3.2-1.src.rpm
15478010b3ae8f89847b9d8edfdb305c  SRPMS/XFree86-server-3.3.2-1.src.rpm

Upgrade (as root) with the following commands; each line only upgrades a
package that is already installed:

rpm -q XFree86-I128 && rpm -U XFree86-I128-3.3.2-1.i386.rpm
rpm -q XFree86-AGX && rpm -U XFree86-AGX-3.3.2-1.i386.rpm
rpm -q XFree86-Mach32 && rpm -U XFree86-Mach32-3.3.2-1.i386.rpm
rpm -q XFree86-Mach64 && rpm -U XFree86-Mach64-3.3.2-1.i386.rpm
rpm -q XFree86-Mach8 && rpm -U XFree86-Mach8-3.3.2-1.i386.rpm
rpm -q XFree86-Mono && rpm -U XFree86-Mono-3.3.2-1.i386.rpm
rpm -q XFree86-P9000 && rpm -U XFree86-P9000-3.3.2-1.i386.rpm
rpm -q XFree86-S3 && rpm -U XFree86-S3-3.3.2-1.i386.rpm
rpm -q XFree86-S3V && rpm -U XFree86-S3V-3.3.2-1.i386.rpm
rpm -q XFree86-SVGA && rpm -U XFree86-SVGA-3.3.2-1.i386.rpm
rpm -q XFree86-VGA16 && rpm -U XFree86-VGA16-3.3.2-1.i386.rpm
rpm -q XFree86-W32 && rpm -U XFree86-W32-3.3.2-1.i386.rpm
rpm -q XFree86-Xnest && rpm -U XFree86-Xnest-3.3.2-1.i386.rpm
rpm -q XFree86-Xprt && rpm -U XFree86-Xprt-3.3.2-1.i386.rpm
rpm -q XFree86-Xvfb && rpm -U XFree86-Xvfb-3.3.2-1.i386.rpm
rpm -q XFree86-server && rpm -U XFree86-server-3.3.2-1.i386.rpm
rpm -q XFree86-server-devel && rpm -U XFree86-server-devel-3.3.2-1.i386.rpm
rpm -q XFree86-server-modules && rpm -U XFree86-server-modules-3.3.2-1.i386.rpm
rpm -q XFree86-setup && rpm -U XFree86-setup-3.3.2-1.i386.rpm
rpm -q XFree86-8514 && rpm -U XFree86-8514-3.3.2-1.i386.rpm
rpm -q XFree86 && rpm -U XFree86-3.3.2-1.i386.rpm
rpm -q XFree86-addons && rpm -U XFree86-addons-3.3.2-1.i386.rpm
rpm -q XFree86-devel && rpm -U XFree86-devel-3.3.2-1.i386.rpm
rpm -q XFree86-devel-prof && rpm -U XFree86-devel-prof-3.3.2-1.i386.rpm
rpm -q XFree86-devel-static && rpm -U XFree86-devel-static-3.3.2-1.i386.rpm
rpm -q XFree86-fontserver && rpm -U XFree86-fontserver-3.3.2-1.i386.rpm
rpm -q XFree86-imake && rpm -U XFree86-imake-3.3.2-1.i386.rpm
rpm -q XFree86-libs && rpm -U XFree86-libs-3.3.2-1.i386.rpm
rpm -q XFree86-programs && rpm -U XFree86-programs-3.3.2-1.i386.rpm
rpm -q XFree86-twm && rpm -U XFree86-twm-3.3.2-1.i386.rpm
rpm -q XFree86-xdm && rpm -U XFree86-xdm-3.3.2-1.i386.rpm
rpm -q XFree86-xsm && rpm -U XFree86-xsm-3.3.2-1.i386.rpm
rpm -q XFree86-xterm && rpm -U XFree86-xterm-3.3.2-1.i386.rpm
rpm -q XFree86-contrib && rpm -U XFree86-contrib-3.3.2-1.i386.rpm
rpm -q XFree86-misc && rpm -U XFree86-misc-3.3.2-1.i386.rpm
rpm -q XFree86-fonts-100dpi && rpm -U XFree86-fonts-100dpi-3.3.2-1.i386.rpm
rpm -q XFree86-fonts && rpm -U XFree86-fonts-3.3.2-1.i386.rpm
rpm -q XFree86-fonts-75dpi && rpm -U XFree86-fonts-75dpi-3.3.2-1.i386.rpm
rpm -q XFree86-fonts-cyrillic && rpm -U XFree86-fonts-cyrillic-3.3.2-1.i386.rpm
rpm -q XFree86-fonts-extra && rpm -U XFree86-fonts-extra-3.3.2-1.i386.rpm
rpm -q XFree86-fonts-scale && rpm -U XFree86-fonts-scale-3.3.2-1.i386.rpm

A running X server keeps the old code until it is restarted, so restart
the server (and any setuid xterm sessions) after the upgrade.

IV. References

This and other Caldera security resources are located at:

    http://www.caldera.com/news/security/index.html

Additional documentation on these problems can be found in the XFree86
advisory XFree86-SA-1998:01 and CERT (VU#4257). See

    ftp://ftp.xfree86.org/pub/XFree86/3.3.2/fixes/3.3.2-patch1

This security fix closes Caldera's internal Problem Reports 4004, 4023.

V. PGP Signature

This message was signed with the PGP key for security@caldera.com. This
key can be obtained from:

    ftp://ftp.caldera.com/pub/pgp-keys/

Or on an OpenLinux CDROM under:

    /OpenLinux/pgp-keys/

$Id: SA-1998.11.txt,v 1.3 1998/07/24 13:05:08 rf Exp $

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBNbiGhOn+9R4958LpAQGufQQAvgzfxnjCDVo0LyXe6TYVHJDv24IXBfc8
41CDmhnuvUJfEr9/KmlUn6SN+eioTrUWXQBzopmT7DnKu8nXW8vx+e47Ijs87q9S
UQib59HJr+1/rEhPKwVrbmm9OMjEQiDZaGJajW2uQCRtAQ5S9q7HIz999V0QPwl9
ilF8p8X44Vw=
=1sQ+
-----END PGP SIGNATURE-----