
Bug#4332: Vulnerability in the Xt library (fwd)



Package: xlib
Version: 3.1.2-7

It seems there is a buffer overrun in libXt, which may be a security
hole (some programs using libXt, such as xterm, are setuid root).
I haven't tried to exploit it, but xterm -fg very_long_string
segfaults, so it might be exploitable (stack overwrite).  See the
attached message (which appeared on the bugtraq list) for a patch.

I haven't verified that the fix is indeed in XFree86-3.1.2F (just
released) - can't get to ftp.xfree86.org right now (too many users)
and can't find this version on mirror sites yet.

Marek

> Date:         Sun, 25 Aug 1996 22:05:16 -0700
> From: Ollivier Robert <roberto%keltia.freenix.fr@plearn.edu.pl>
> Subject:      Re: Vulnerability in the Xt library (fwd)
> To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>

> According to John Capo:
> > Stefan `Sec` Zehl writes:
> > > I can confirm this for Freebsd 2.2-Current, it gives me a euid=0 /bin/sh
> 
> > I can also.  The xterm cores on -stable though.
> 
> I sent a patch and a portable version of snprintf to both the X consortium
> and Xfree86 yesterday. It will be in 3.1.2F.
> 
> If you have XFree sources on-line and are willing to recompile, apply the
> following patch in xc/lib/Xt:
> 
> --- Error.c.old Sun Aug 25 14:57:28 1996
> +++ Error.c     Sun Aug 25 14:47:14 1996
> @@ -238,5 +238,5 @@
>         (void) memmove((char*)par, (char*)params, i * sizeof(String) );
>         bzero( &par[i], (10-i) * sizeof(String) );
> -        (void) sprintf(message, buffer, par[0], par[1], par[2], par[3],
> +        (void) snprintf(message, sizeof message, buffer, par[0], par[1], par[2], par[3],
>                        par[4], par[5], par[6], par[7], par[8], par[9]);
>         XtError(message);
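Review bot: the `(void)` cast on the new snprintf line discards the only signal that `message` was too small, so an overlong parameter is now silently clipped instead of overrunning the buffer. Capture the return value and compare it against `sizeof message` before `XtError(message)` so a truncated error text is at least noted. The diff also assumes snprintf exists on the target; the portable snprintf the message says was sent to the X Consortium and XFree86 is not part of this patch, so systems without a libc snprintf will not link until that file is added.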
> @@ -263,5 +263,5 @@
>         (void) memmove((char*)par, (char*)params, i * sizeof(String) );
>         bzero ( &par[i], (10-i) * sizeof(String) );
> -        (void) sprintf(message, buffer, par[0], par[1], par[2], par[3],
> +        (void) snprintf(message, sizeof message, buffer, par[0], par[1], par[2], par[3],
>                        par[4], par[5], par[6], par[7], par[8], par[9]);
>         XtWarning(message);
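Review bot: same point as the XtError hunk: the `(void)` cast drops the snprintf return value, and since XtWarning returns to the caller rather than exiting, a clipped warning will go unnoticed unless the result is checked against `sizeof message`. The two sites are identical ten-slot expansions into the same buffer shape, so a single bounded helper shared by XtError and XtWarning would keep the size check in one place.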
> 
> --
> Ollivier ROBERT    -=- The daemon is FREE! -=-    roberto@keltia.freenix.fr
> FreeBSD keltia.freenix.fr 2.2-CURRENT #18: Sun Aug 18 19:16:52 MET DST 1996
> 
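The sprintf-to-snprintf change in the quoted patch, reconstructed below as an added C example that is not XFree86's code. XT_MSG_SIZE is an assumed buffer size (Error.c's real size is not shown here), and the xt_try_* wrappers are hypothetical helpers for exercising the bound:

```c
#include <stdio.h>
#include <string.h>

/* Added example, not XFree86 code.  It mirrors the shape of the patched
 * XtError/XtWarning path in xc/lib/Xt/Error.c: up to ten String params are
 * copied into a ten-slot array, the unused slots are zeroed, and the format
 * is expanded into a fixed-size message buffer with snprintf. */
#define XT_MSG_PARAMS 10
#define XT_MSG_SIZE   1000   /* assumed size; Error.c's real size is not shown */

typedef const char *String;

/* Patched form.  Before the patch this was sprintf(message, buffer, ...),
 * with no bound on `message`.  Returns 1 if the output was truncated, the
 * condition the original discards with its (void) cast. */
int xt_format_message(char *message, size_t message_size, const char *buffer,
                      String *params, unsigned int num)
{
    String par[XT_MSG_PARAMS];
    unsigned int i = num > XT_MSG_PARAMS ? XT_MSG_PARAMS : num;
    int n;

    memmove(par, params, i * sizeof(String));
    memset(&par[i], 0, (XT_MSG_PARAMS - i) * sizeof(String));   /* the bzero */
    n = snprintf(message, message_size, buffer, par[0], par[1], par[2], par[3],
                 par[4], par[5], par[6], par[7], par[8], par[9]);
    return n < 0 || (size_t)n >= message_size;
}

/* Hypothetical wrappers: format one argument into a static XT_MSG_SIZE
 * buffer and report truncation; xt_last_message() returns the result. */
static char last_message[XT_MSG_SIZE];

int xt_try_message(const char *buffer, const char *arg)
{
    String par[1] = { arg };
    return xt_format_message(last_message, sizeof last_message, buffer, par, 1);
}

const char *xt_last_message(void) { return last_message; }

/* Constructed input: a single argument of `len` 'A's, standing in for the
 * overlong -fg value mentioned in the report. */
int xt_try_repeated(const char *buffer, size_t len)
{
    char arg[4096];
    if (len >= sizeof arg) len = sizeof arg - 1;
    memset(arg, 'A', len);
    arg[len] = '\0';
    return xt_try_message(buffer, arg);
}
```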


