Re: Debian NOT vulnerable to recently-announced Xlib security flaw
On Thu, 5 Sep 2002, Branden Robinson wrote:
>Date: Thu, 5 Sep 2002 11:44:54 -0500
>From: Branden Robinson <email@example.com>
>Subject: Debian NOT vulnerable to recently-announced Xlib security flaw
>Greetings, friendly security folks.
>I've put some info up on the X Strike Force page about the recently
>announced Xlib flaw in XFree86 4.2.0.
>Please feel free to refer any panicked inquiries to
>I'm also happy to update my page with more information as it comes in.
>At first glance I'm not sure how to exploit this bug, and David Dawes
>didn't come right out and explain, but my initial guess is that you have
>to code a malicious Xlib internationalization module, put it in the
>right place, and wait for a privileged X client to execute.
That's basically the crux of it. A user can set XLOCALEDIR to
point to an arbitrary location, and cause arbitrary i18n modules
to be loaded. If the X client is SUID/SGID, then privilege
elevation can be obtained and exploited via a custom .so module.
Most modern Linux distributions ship without any SUID/SGID apps
linked to Xlib, so the impact is much smaller than it is in some
other OSes. 3rd-party apps added onto a default distro install,
however, could provide problems, so any distributions that have
officially shipped 4.2.0 in the past probably should ship a
security erratum even if the default installation is secure.
Of course as you said before, Debian hasn't shipped 4.2.0
officially, so all Debian systems are safe unless a user is using
experimental builds of 4.2.0 or homebrew 4.2.0.
Also, a note to users: this bug is not remotely exploitable,
just locally exploitable. So if your system is single user, or
not mission critical, then the security problem is probably a
Hope this helps.
Mike A. Harris ftp://people.redhat.com/mharris
OS Systems Engineer
Red Hat Inc.
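
An audit for the exposure discussed in this message, added here as an example and not part of the original mail: it lists SUID/SGID executables that declare libX11 as a direct dependency. It assumes binutils `readelf` is installed; the function names `links_xlib` and `audit_xlib_privileged` are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original thread): find SUID/SGID programs
# that are linked against Xlib, i.e. the clients for which a user-controlled
# XLOCALEDIR would matter on an affected XFree86 build.
#
# ELF headers are read with readelf instead of ldd, because ldd may invoke
# the dynamic loader on the file being inspected.

# Filter: succeeds if `readelf -d` output on stdin contains a DT_NEEDED
# entry for libX11 (any soname version). SONAME/RPATH lines do not match.
links_xlib() {
    grep -Eq '\(NEEDED\).*\[libX11\.so(\.[0-9]+)*\]'
}

# Print (ls -l) every SUID or SGID regular file under the given roots
# whose dynamic section lists libX11. Non-ELF files are skipped silently.
audit_xlib_privileged() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        if readelf -d "$f" 2>/dev/null | links_xlib; then
            ls -l "$f"
        fi
    done
}

# Run the audit when search roots are given, e.g.: sh audit.sh /usr /opt
if [ "$#" -gt 0 ]; then
    audit_xlib_privileged "$@"
fi
```

Only direct DT_NEEDED entries are checked, so a privileged program that reaches Xlib through another library or through dlopen() will not be listed and needs a separate look.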