Date sent:        Thu, 08 May 1997 10:46:47 +0200
From:             Peter Jurg <Peter.Jurg@surfnet.nl>
-----BEGIN PGP SIGNED MESSAGE-----

==========================================================================
Security Advisory                                                  CERT-NL
==========================================================================
Author/Source : Peter Jurg                             Index  :    S-97-32
Distribution  : World                                  Page   :          1
Classification: External                               Version:          1
Subject       : Vulnerability in xlock                 Date   :  08-mei-97
==========================================================================

By courtesy of CERT Coordination Center we received the following
information.

CERT Coordination Center advisory CA-97.13.xlock reports that a buffer
overflow condition exists in some implementations of xlock.

This vulnerability makes it possible for local users (users with access
to an account on the system) to execute arbitrary programs as a
privileged user.

This advisory provides vendor patch information and describes a
workaround.

CERT-NL recommends to act according to the CERT-CC advisory.

All CERT Coordination Center advisories are mirrored by CERT-NL.
The specific URL for this case is:

<ftp://ftp.surfnet.nl/surfnet/net-security/
cert-cc-mirror/cert_advisories/CA-97.13.xlock>

ADVISORIES ARE REGULARLY UPDATED BY CERT COORDINATION CENTER.
Therefore we advise you to check on our mirror regularly -
you can automate this process using the CERT-NL notifier service.

More information about the CERT-NL mirror and notifier services is
contained in News items N-95-01 (notifier) and N-95-02 (CERT mirror),
both present on
<ftp://ftp.surfnet.nl/surfnet/net-security/cert-nl/docs/news/>

=========================================================================

CERT-NL is the Computer Emergency Response Team for SURFnet customers.
SURFnet is the Dutch network for educational, research and related
institutes. CERT-NL is a member of the Forum of Incident Response and
Security Teams (FIRST).

All CERT-NL material is available under:
  <http://www.surfnet.nl/surfnet/security/cert-nl.html>
  <ftp://ftp.surfnet.nl/surfnet/net-security>

In case of computer or network security problems please contact your
local CERT/security-team or CERT-NL  (if your institute is NOT a
SURFnet customer please address the appropriate (local)
CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).
   Email:     cert-nl@surfnet.nl
   Phone:     +31 302 305 305
   Fax:       +31 302 305 329
   Snailmail: SURFnet bv
              Attn. CERT-NL
              P.O. Box 19035
              NL - 3501 DA  UTRECHT
              The Netherlands
   A 7 * 24 hours phone number is available to SURFnet SSC's and FIRST
   members on request.
=========================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2, by FileCrypt 1.0

iQCVAwUBM3GSD0U5nQkWIq1FAQGFLAQApLRBWKeQxJ23Sb99/YTT+qSnmZsKlkLD
LCHdO3cyjiOpKZEleaAw8hcDf51clMEGhSGxCXrXdWcW+ITRDfV2nh2AlAV8LsIt
LKYVkq0CokZvbVSInhf8PM7QaoO6hzb6hxFEkJV9I8Cl+ga8oRGR9QeEoRjbivcu
W0aBgdohNz8=
=LurJ
-----END PGP SIGNATURE-----