
Bug#4364: forwarded message from Marek Michalkiewicz



Package: xlib
Version: ?

We have this bug, don't we?  It should be fixed.

Ian.

------- start of forwarded message (RFC 934 encapsulation) -------
Article: 918 of chiark.mail.linux-security
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
MIME-Version: 1.0
Message-ID: <199608291135.NAA06512@i17linuxb.ists.pwr.wroc.pl>
Newsgroups: chiark.mail.linux-security
Path: ewrotcd!mail-to-news!not-for-mail
Precedence: list
Received-001: from gate.insite.co.uk ([193.123.212.10]) by chiark.chu.cam.ac.uk
	 with smtp (ident root using rfc1413) id m0uwIIx-0004OtC
	(Debian /\oo/\ Smail3.1.29.1 #29.35); Fri, 30 Aug 96 02:23 BST
Received-002: from marmoset.cv.nrao.edu (root@marmoset.cv.nrao.edu [192.33.115.176]) by gate.insite.co.uk (8.6.9/8.6.12) with ESMTP id AAA24770; Fri, 30 Aug 1996 00:36:56 GMT
Received-003: from tarsier.cv.nrao.edu (majdom@tarsier.cv.nrao.edu [192.33.115.50]) by marmoset.cv.nrao.edu (8.6.12/$Revision: 3.22 $) with ESMTP id SAA20072; Thu, 29 Aug 1996 18:39:26 -0400
Received-004: (from majdom@localhost) by tarsier.cv.nrao.edu (8.6.13/$Revision: 2.10 $) id SAA19717; Thu, 29 Aug 1996 18:40:02 -0400
Return-Path: <owner-linux-security@tarsier.cv.nrao.edu>
X-Mailer: ELM [version 2.4 PL25 PGP2]
X-Original-Date: Thu, 29 Aug 1996 13:35:46 +0200 (MET DST)
X-Original-From_: owner-linux-security@tarsier.cv.nrao.edu Fri Aug 30 02:24:24 1996
Lines: 51
From: Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>
Sender: owner-linux-security@tarsier.cv.nrao.edu
To: linux-security@tarsier.cv.nrao.edu
Subject: [linux-security] Re: Vulnerability in the Xt library (fwd)
Date: Fri, 30 Aug 1996 04:52:11 GMT

Following up my previous message...  Another message from bugtraq,
which contains a patch to fix the libXt buffer overrun.  I haven't
verified if the fix is indeed in the (just released) XFree86-3.1.2F
- can't get to ftp.xfree86.org right now (too many users), and can't
find this version on mirror sites yet.

Marek

[REW: I'm not sure that this made it into 3.1.2F. The X consortium
fixed a similar bug, which very likely came in too late (the 27th) to
make it into 3.1.2F. As an aside, the release of 3.1.2F was MUCH too
hasty. (These security bugs have nothing to do with that though.)]

> Date:         Sun, 25 Aug 1996 22:05:16 -0700
> From: Ollivier Robert <roberto%keltia.freenix.fr@plearn.edu.pl>
> Subject:      Re: Vulnerability in the Xt library (fwd)
> To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>

> According to John Capo:
> > Stefan `Sec` Zehl writes:
> > > I can confirm this for Freebsd 2.2-Current, it gives me a euid=0 /bin/sh
> 
> > I can also.  The xterm cores on -stable though.
> 
> I sent a patch and a portable version of snprintf to both the X consortium
> and Xfree86 yesterday. It will be in 3.1.2F.
> 
> If you have XFree sources on-line and are willing to recompile, apply the
> following patch in xc/lib/Xt:
> 
> --- Error.c.old Sun Aug 25 14:57:28 1996
> +++ Error.c     Sun Aug 25 14:47:14 1996
> @@ -238,5 +238,5 @@
>         (void) memmove((char*)par, (char*)params, i * sizeof(String) );
>         bzero( &par[i], (10-i) * sizeof(String) );
> -        (void) sprintf(message, buffer, par[0], par[1], par[2], par[3],
> +        (void) snprintf(message, sizeof message, buffer, par[0], par[1], par[2], par[3],
>                        par[4], par[5], par[6], par[7], par[8], par[9]);
>         XtError(message);
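
Review bot: In the snprintf call ahead of XtError(message), "sizeof message" is the right bound only if message is declared as a char array in this function. Its declaration is outside the hunk context, so please confirm it is not a char * (where sizeof would yield the pointer size). The return value is also still cast to (void), so an over-long message is truncated silently; consider comparing it against sizeof message and marking the truncation in the text passed to XtError.
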
> @@ -263,5 +263,5 @@
>         (void) memmove((char*)par, (char*)params, i * sizeof(String) );
>         bzero ( &par[i], (10-i) * sizeof(String) );
> -        (void) sprintf(message, buffer, par[0], par[1], par[2], par[3],
> +        (void) snprintf(message, sizeof message, buffer, par[0], par[1], par[2], par[3],
>                        par[4], par[5], par[6], par[7], par[8], par[9]);
>         XtWarning(message);
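
Review bot: In the XtWarning path the size limit stops the overrun of message, but buffer is still passed as the format string, and the bzero() two lines up leaves par[i] through par[9] zeroed, so a %s in buffer beyond the i supplied parameters is handed a null pointer, which the snprintf bound does not guard against. A comment stating where buffer comes from and why it is trusted as a format would help here. Since this call now depends on snprintf, the portable version mentioned in the message has to ship with the patch for platforms whose libc lacks it.
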
> 
> --
> Ollivier ROBERT    -=- The daemon is FREE! -=-    roberto@keltia.freenix.fr
> FreeBSD keltia.freenix.fr 2.2-CURRENT #18: Sun Aug 18 19:16:52 MET DST 1996
>

------- end -------


