From security-advisories@freebsd.org Thu Jul 13 01:04:14 2000 From: FreeBSD Security Advisories To: BUGTRAQ@SECURITYFOCUS.COM Date: Wed, 5 Jul 2000 16:07:21 -0700 Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:27.XFree86-4 -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:27 Security Advisory FreeBSD, Inc. Topic: XFree86-4.0 port contains local root overflow Category: ports Module: Xfree86-4 Announced: 2000-07-05 Credits: Michal Zalewski Affects: Ports collection. Corrected: 2000-06-09 Vendor status: Vendor eventually released patch FreeBSD only: NO I. Background XFree86 4.0 is a development version of the popular XFree86 X Windows system. II. Problem Description XFree86 4.0 contains a local root vulnerability in the XFree86 server binary, due to incorrect bounds checking of command-line arguments. The server binary is setuid root, in contrast to previous versions which had a small setuid wrapper which performed (among other things) argument sanitizing. The XFree86-4 port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 3400 third-party applications in a ready-to-install format. The ports collection shipped with FreeBSD 4.0 contains this problem since it was discovered after the release, but it was fixed in time for FreeBSD 3.5. FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports. III. Impact Unprivileged local users can obtain root access. If you have not chosen to install the XFree86-4 port/package, then your system is not vulnerable to this problem. IV. Workaround Deinstall the XFree86-4 port/package, if you you have installed it, or limit the execution file permissions on the /usr/X11R6/bin/XFree86 binary so that only members of a trusted group may run the binary. V. Solution At this time, we do not recommend using XFree86 4.0 on multi-user systems with untrusted users, because of the lack of security in the server binary. The current "stable" version, XFree86 3.3.6, is also available in FreeBSD ports. One of the following: 1) Upgrade your entire ports collection and rebuild the XFree86-4 port. 2) Deinstall the old package and install a new package dated after the correction date, obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/x11/XFree86-4.0.tar.gz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/x11/XFree86-4.0.tar.gz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/x11/XFree86-4.0.tar.gz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/x11/XFree86-4.0.tar.gz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/x11/XFree86-4.0.tar.gz An updated version of XFree86, version 4.0.1, has just been released, which is believed to also fix the problems detailed in this advisory, however the X server is still installed setuid root and so the above warning against installation on multi-user machines still applies. The packages will be available at the following locations in the next few days: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/x11/XFree86-4.0.1.tar.gz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/x11/XFree86-4.0.1.tar.gz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/x11/XFree86-4.0.1.tar.gz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/x11/XFree86-4.0.1.tar.gz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/x11/XFree86-4.0.1.tar.gz 3) download a new port skeleton for the XFree86-4 port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBOWGrplUuHi5z0oilAQFDjgP9E3l6VG7ic+F0HMDsSDGbsYrIFM3hvBDJ hu22Vu/F18PyeOVrgZY4ljE/BvdSy4bJMJSDJsrP4jYicse7ArwvSLEJOjoIuPoK ErUCz34UgNAWs+zszFD0V5xAuWH3Oyii4qamqDnSaurYl6oKp5tPNx2vSrA3UDxM moK703Mpfak= =nu3f -----END PGP SIGNATURE-----