From bugzilla@redhat.com Mon Jun 30 19:21:42 2003
From: bugzilla@redhat.com
To: redhat-watch-list@redhat.com
Cc: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com
Date: Wed, 25 Jun 2003 11:53 -0400
Subject: [Full-Disclosure] [RHSA-2003:066-01] Updated XFree86 packages provide security and bug fixes

---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated XFree86 packages provide security and bug fixes
Advisory ID:       RHSA-2003:066-01
Issue date:        2003-06-25
Updated on:        2003-06-25
Product:           Red Hat Linux
Keywords:
Cross references:
Obsoletes:         RHSA-2002:068
CVE Names:         CAN-2001-1409 CAN-2002-1472 CAN-2002-0164 CAN-2003-0063 CAN-2003-0071
---------------------------------------------------------------------

1. Topic:

XFree86 is an implementation of the X Window System providing the core graphical user interface and video drivers.

Updated XFree86 packages for Red Hat Linux 7.3 are now available. They include several security fixes, bug fixes, enhancements, and driver updates.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386

3. Problem description:

Security fixes:

- Xterm provides an escape sequence for reporting the current window title. This escape sequence takes the current title and places it directly on the command line. An attacker can craft an escape sequence that sets the victim's Xterm window title to an arbitrary command, and then reports it to the command line. Since it is not possible to embed a carriage return into the window title, the attacker would then have to convince the victim to press Enter for the shell to process the title as a command, although the attacker could craft other escape sequences that might convince the victim to do so.
  The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0063 to this issue.

- It is possible to lock up versions of Xterm by sending an invalid DEC UDK escape sequence. (CAN-2003-0071)

- XFree86 4.2.1 also contains an updated fix for CAN-2002-0164, a vulnerability in the MIT-SHM extension of the X server that allows local users to read and write arbitrary shared memory. The original fix did not cover the case where the X server is started from xdm.

- The X server was setting the /dev/dri directory permissions incorrectly, which resulted in the directory being world writable. (CAN-2001-1409)

Driver updates and additions:

- Savage driver updated to Tim Roberts' latest version 1.1.27t
- New "cyrix" driver which works better on MediaGX hardware.
- New input drivers for Fujitsu Stylistic (fpit), Palmax PD1000/PD1100 input driver (palmax), Union Reality UR-98 head tracker (ur98)
- Backported apm driver, DPMS support enhancements, and a few accel fixes
- Backported chips driver, with hardware mouse cursor and 2D acceleration fixes
- Backported cirrus, i740, siliconmotion, and ark drivers

Various bug fixes and enhancements:

- Stability improvements to the RENDER extension and libraries
- Various fixes to the Xaw library
- Fix a long-standing problem in the X server where the mouse, keyboard, or video would hang, or the server would go into an endless loop, whenever the system time was changed backwards
- Fix a crash in the Radeon and Rage 128 drivers using VMware with DGA when DRI is enabled
- Work around some multihead and RENDER extension problems in the Matrox "mga" driver
- fc-cache is now run upon font package installation in all font directories containing fonts managed by fontconfig/Xft
- mkfontdir now forces the permissions of the files it generates to be mode 0644 to ensure they are world readable independent of umask
- A new option "ForceLegacyCRT" to the radeon driver allows use of legacy VGA
  monitors which cannot be detected automatically. This option is only safe to use in single-head setups and may cause serious problems if used with dual-head.
- xterm session management is now enabled by default, whereas the stock XFree86 default in 4.2.0/4.2.1 was accidentally disabled upstream
- Removed and obsoleted the XFree86-xtrap-clients package, now merged into the main XFree86 package
- Added support for previously unsupported ATI Rage 128 video hardware
- Fixed Polish euro support
- Added neomagic Xvideo support, which may work for some users
- Added fix for deadkey-quotedbl in ISO8859-15
- Disabled debug messages in the Cirrus Logic driver
- Fixed a bug in the VESA driver where the X server would crash with an FPE when the DisplaySize option was used
- Fix to ATI Mach64 support which was out of PCI specs, causing problems on some Dell and IBM servers
- Fix a problem which caused certain combinations of Radeon and Rage 128 hardware and particular motherboards to hang, due to bus mastering getting disabled when VT switching.

There are various other fixes included, which users can review by examining the RPM package changelog of any of the new XFree86 packages.

Users are advised to upgrade to these updated XFree86 4.2.1 packages, which are not vulnerable to the previously mentioned security issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates.
To use Red Hat Network, launch the Red Hat Update Agent with the following command:

    up2date

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

64559 - Polish keymap not working
53329 - i810 XVideo limited to 720x576
64970 - default XftConfig prefers substitute fonts over originals
60895 - Screen turns red/magenta with XFree86-4.2.0-32
62820 - suggest Xnest and Xvfb should be User Interfaces/X instead of User Interfaces/X Hardware Support
50282 - Decimal key on Swedish numerical keyboard should be comma, not point
63609 - RFE: add XVideo support for neomagic chipset
65704 - XFree86.0.log filled disk - :-(
66009 - 'vesa' driver gives SIGFPE if you set a DIsplaySize
67323 - xon test of hostname --version fails
69291 - Dell PE2650 ATI Rage XL lockups due to PCI spec violation
58188 - system hard locks on specific video setting
69743 - Fix SysRq / Print Screen
62171 - ATI Radeon (all) lockup/corruption when VT switching
65330 - RedHat 7.3 Virtual Terminals no longer work when Graphical Login is used
62442 - Switching to VTs locks system - Dell Inspiron 4000
65136 - ATI Rage 128 (all) lockup when switching from console to X with DRI enabled.
66187 - XFree86 fails on i810
53231 - (i810) Screen freezes after leaving a Gnome session
40729 - xdm causes SEGVs setting up pam_response structure
63593 - (FPE) 1400x1050 fails with Radeon 7500 QW

6. RPMs required:

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/XFree86-4.2.1-13.73.3.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/XFree86-100dpi-fonts-4.2.1-13.73.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/XFree86-4.2.1-13.73.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/XFree86-75dpi-fonts-4.2.1-13.73.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/XFree86-base-fonts-4.2.1-13.73.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/XFree86-cyrillic-fonts-4.2.1-13.73.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/XFree86-devel-4.2.1-13.73.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/XFree86-doc-4.2.1-13.73.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/XFree86-font-utils-4.2.1-13.73.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/XFree86-ISO8859-15-100dpi-fonts-4.2.1-13.73.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/XFree86-ISO8859-15-75dpi-fonts-4.2.1-13.73.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/XFree86-ISO8859-2-100dpi-fonts-4.2.1-13.73.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/XFree86-ISO8859-2-75dpi-fonts-4.2.1-13.73.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/XFree86-ISO8859-9-100dpi-fonts-4.2.1-13.73.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/XFree86-ISO8859-9-75dpi-fonts-4.2.1-13.73.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/XFree86-libs-4.2.1-13.73.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/XFree86-tools-4.2.1-13.73.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/XFree86-truetype-fonts-4.2.1-13.73.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/XFree86-twm-4.2.1-13.73.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/XFree86-xdm-4.2.1-13.73.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/XFree86-xf86cfg-4.2.1-13.73.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/XFree86-xfs-4.2.1-13.73.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/XFree86-Xnest-4.2.1-13.73.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/XFree86-Xvfb-4.2.1-13.73.3.i386.rpm

7. Verification:

These packages are GPG signed by Red Hat for security. Our key is available from http://www.redhat.com/security/keys.html

You can verify each package with the following command:

    rpm --checksig -v [filename]

If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command:

    md5sum [filename]

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1409
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1472
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0164
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0063
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0071

9. Contact:

The Red Hat security contact is . More contact details at http://www.redhat.com/solutions/security/news/contact.html

Copyright 2003 Red Hat, Inc.
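As an added, defensive illustration of the xterm title-report issue (CAN-2003-0063) described in section 3, and not part of the advisory itself: a Python scanner that flags untrusted text (a log file, a mail body) in which an xterm title-set OSC sequence is followed by a CSI 21 t title-report request, plus a sanitizer that strips escape sequences before such text is shown in a terminal. The sequence encodings follow xterm's ctlseqs documentation; the function names, constants and the sample log fragment are mine and constructed.

```python
import re

# 7-bit forms of the xterm control sequences involved in CAN-2003-0063
# (encodings per xterm's ctlseqs documentation; the names below are mine).
ESC = "\x1b"
BEL = "\x07"

# OSC Ps ; Pt terminated by BEL or ST. Ps=0 sets icon name and title, Ps=2 the title.
OSC_RE = re.compile(r"\x1b\](\d*);?(.*?)(?:\x07|\x1b\\)", re.S)
# CSI Ps t (window manipulation). Ps=21 asks xterm to report the window title,
# which an unpatched xterm answers by writing "OSC l <title> ST" as if typed.
CSI_WINOP_RE = re.compile(r"\x1b\[([\d;]*)t")
# Any 7-bit CSI, OSC or two-character ESC sequence (used by the sanitizer).
# Caveat: 8-bit C1 introducers (0x9b, 0x9d) are not covered here.
ANY_ESC_RE = re.compile(
    r"\x1b(?:\[[0-?]*[ -/]*[@-~]|\][^\x07\x1b]*(?:\x07|\x1b\\)|[@-_])", re.S)

TITLE_SETTERS = {"0", "2"}


def find_title_sequences(text):
    """Return (kind, offset, title) tuples for title-set and title-report sequences."""
    found = []
    for m in OSC_RE.finditer(text):
        if m.group(1) in TITLE_SETTERS:
            found.append(("set-title", m.start(), m.group(2)))
    for m in CSI_WINOP_RE.finditer(text):
        if m.group(1).split(";")[0] == "21":
            found.append(("report-title", m.start(), ""))
    return sorted(found, key=lambda f: f[1])


def has_title_reflection(text):
    """True when a title-set is later followed by a title-report request, i.e. the
    pattern by which attacker-chosen title text would land on the command line."""
    seqs = find_title_sequences(text)
    sets = [off for kind, off, _ in seqs if kind == "set-title"]
    reports = [off for kind, off, _ in seqs if kind == "report-title"]
    return bool(sets) and bool(reports) and min(sets) < max(reports)


def strip_control_sequences(text):
    """Remove ESC-introduced sequences so untrusted text can be displayed safely."""
    return ANY_ESC_RE.sub("", text)


# Constructed sample: a log fragment that sets a harmless title ("hello") and then
# requests the report; in the advisory's scenario the title text is a command.
SAMPLE_LOG = ("GET /index.html 200\n" + ESC + "]2;hello" + BEL + ESC + "[21t"
              + "GET /favicon.ico 404\n")

if __name__ == "__main__":
    print(find_title_sequences(SAMPLE_LOG))
    print(has_title_reflection(SAMPLE_LOG))
    print(repr(strip_control_sequences(SAMPLE_LOG)))
```

Run the sanitizer over anything untrusted before it reaches an interactive terminal; the detector is a heuristic (a title set in one message and reported in another is not caught).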