
Re: Debian NOT vulnerable to recently-announced Xlib security flaw



On Thu, 5 Sep 2002, Branden Robinson wrote:

>Date: Thu, 5 Sep 2002 11:44:54 -0500
>From: Branden Robinson <branden@debian.org>
>To: security@debian.org
>Cc: debian-x@lists.debian.org
>Content-Type: multipart/signed; micalg=pgp-sha1;
>	protocol="application/pgp-signature"; boundary="u19xsR7broAOK+6q"
>Subject: Debian NOT vulnerable to recently-announced Xlib security flaw
>
>Greetings, friendly security folks.
>
>I've put some info up on the X Strike Force page about the recently
>announced Xlib flaw in XFree86 4.2.0.
>
>Please feel free to refer any panicked inquiries to
>http://people.debian.org/~branden/
>
>I'm also happy to update my page with more information as it comes in.
>
>At first glance I'm not sure how to exploit this bug, and David Dawes
>didn't come right out and explain, but my initial guess is that you have
>to code a malicious Xlib internationalization module, put it in the
>right place, and wait for a privileged X client to execute.

That's basically the crux of it.  A user can set XLOCALEDIR to
point to an arbitrary location, and cause arbitrary i18n modules
to be loaded.  If the X client is SUID/SGID, then privilege
elevation can be obtained and exploited via a custom .so module.

Most modern Linux distributions ship without any SUID/SGID apps 
linked to Xlib, so the impact is much smaller than it is in some 
other OS's.  3rd party apps however added onto a default distro 
install could provide problems, so any distributions who have 
officially shipped 4.2.0 in the past, probably should ship a 
security erratum even if the default installation is secure.

Of course as you said before, Debian hasn't shipped 4.2.0 
officially, so all Debian systems are safe unless a user is using 
experimental builds of 4.2.0 or homebrew 4.2.0.

Also note to users that this bug is not remotely exploitable,
just locally exploitable.  So if your system is single user, or
not mission critical, then the security problem is probably a
non-issue.

Hope this helps.
TTYL

-- 
Mike A. Harris		ftp://people.redhat.com/mharris
OS Systems Engineer
XFree86 maintainer
Red Hat Inc.
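The mechanism described above is a privileged process trusting a caller-controlled environment variable (XLOCALEDIR) to locate code it will load. The defensive pattern is to refuse that input whenever the process runs with privileges the invoking user does not have. The following is an added illustration of that pattern; it is not the XFree86 fix and not code from this thread or from Xlib. The function names, the `privileged` parameter, and the DEFAULT_LOCALE_DIR value are assumptions made for the example.

```c
/* Added example: choosing a module directory safely when the process may be
 * SUID/SGID. Illustrative code only; not the XFree86 patch. The names below
 * and the default directory are assumptions for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DEFAULT_LOCALE_DIR "/usr/X11R6/lib/X11/locale"   /* assumed default */

/* Returns 1 when the process holds privileges it did not inherit from the
 * invoking user (SUID/SGID). In that state the environment is controlled by
 * a less privileged party and must not steer which code gets loaded. */
int running_privileged(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

/* Decide which directory locale/i18n modules are loaded from.
 *   env_value:  the XLOCALEDIR value, or NULL when unset
 *   privileged: result of running_privileged(), passed in so the policy can
 *               be exercised without actually being SUID
 * Returns env_value when it is acceptable, otherwise DEFAULT_LOCALE_DIR. */
const char *select_locale_dir(const char *env_value, int privileged) {
    if (privileged)                                 /* never honour caller paths when SUID/SGID */
        return DEFAULT_LOCALE_DIR;
    if (env_value == NULL || env_value[0] != '/')   /* require an absolute path */
        return DEFAULT_LOCALE_DIR;
    if (strstr(env_value, "/../") != NULL)          /* reject obvious traversal */
        return DEFAULT_LOCALE_DIR;
    return env_value;
}

int main(void) {
    const char *dir = select_locale_dir(getenv("XLOCALEDIR"), running_privileged());
    printf("locale modules would be loaded from: %s\n", dir);
    return 0;
}
```

The privilege check is the part that closes the hole described in the thread: a SUID/SGID client ignores XLOCALEDIR entirely and falls back to the compiled-in directory. The absolute-path and traversal checks are additional hygiene for the unprivileged case and are not something the message above requires.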
