-----BEGIN PGP SIGNED MESSAGE----- Subject: Caldera Security Advisory 1997.15: Vulnerability in XFree86 3.2 Caldera Security Advisory SA-1997.15 15-Aug-1997 Topic: Vulnerability in the XFree86 3.2 I. Problem Description Various vulnerabilities existed within the XFree86-3.2 product. Most of the vulnerabilities exhibited themselves via buffer overflows within certain X libraries. Most of the problems could be corrected by replacing these key libraries, however in a few cases specific programs had to be updated as well. II. Impact With these buffer overflow problems knowledgeable local users were able to gain unauthorized root access. To do this they had to a run a setuid root application linked against libX11. III. Solution Vulnerable dynamically linked applications are corrected by upgrading to the new versions of libs from the XFree86-3.3.1 release. Applications that were statically linked with the effected libraries must be replaced. This would also include development packages if you are doing X package development on your system. An update script, "XFree86_security_update" is provided to assist in eliminating the know problems. This script, associated text files, the binary and source RPMS, and the README.security file can be found on the ftp.caldera.com site in the following directories: pub/openlinux/updates/1.1/008 or pub/openlinux/updates/1.1/current The "current" directory will always link to the most recent updates available for this or any other problem corrections. The MD5 checksums (from the "md5sum" command) for the packages found in the directories are: c404217089714d701adb71e424a0a644 33_video_card_list.txt a0cae869f394b320ba2c39df87cf0ef5 README.general e6cc01bd5e5203adfab12057344d10bd README.security 9b8d327f172377e3db5576abbdf69c83 RELNOTES.txt ed8687972daf74752e1dbf2a98858256 RPMS/XFree86-3.3.1-1.i386.rpm c1c088d7c578772c154b14bb8f136938 RPMS/XFree86-8514-3.3.1-1.i386.rpm 4e7d8d8a946b44e67af12ec21d952150 RPMS/XFree86-AGX-3.3.1-1.i386.rpm 34e4bbd0aa87b826b1cd845adbb6a220 RPMS/XFree86-I128-3.3.1-1.i386.rpm bf47ff8f81d39f41297b930ff9c4e84c RPMS/XFree86-Mach32-3.3.1-1.i386.rpm 487c831c4c3d5f68f85848cbbce4ca65 RPMS/XFree86-Mach64-3.3.1-1.i386.rpm 825cde16f24dd4c548bfccb1a5c440d4 RPMS/XFree86-Mach8-3.3.1-1.i386.rpm 76110254befeb15022a3eb4ff68a86c3 RPMS/XFree86-Mono-3.3.1-1.i386.rpm 1f3951d66b1a41a5e6cadfc352b3fb3c RPMS/XFree86-P9000-3.3.1-1.i386.rpm 970d6f962729966e36cf4fabd3d046a6 RPMS/XFree86-S3-3.3.1-1.i386.rpm cce079e1c7a5d30869a2f6c2c7d2e778 RPMS/XFree86-S3V-3.3.1-1.i386.rpm ef4158a9750d75fc05a5e7a40cc9f66b RPMS/XFree86-SVGA-3.3.1-1.i386.rpm 83538023a77c08dcfa9f1f4368201317 RPMS/XFree86-VGA16-3.3.1-1.i386.rpm faa58d32bf1ef372d46b0665894c1fba RPMS/XFree86-W32-3.3.1-1.i386.rpm a852e2e9a96a9380e5a91363b1b321b9 RPMS/XFree86-Xnest-3.3.1-1.i386.rpm 48a0dcf86ef8ce4dd392c945ae27c19c RPMS/XFree86-Xprt-3.3.1-1.i386.rpm 3c35977945325bab3e8e8b67453ce160 RPMS/XFree86-Xvfb-3.3.1-1.i386.rpm 5b4aca7ad5689aac9f1fd83ef9f16ca2 RPMS/XFree86-addons-3.3.1-1.i386.rpm 2f9bec35c55abc6e56abf28d5db50333 RPMS/XFree86-contrib-3.3.1-1.i386.rpm ec2da1c2e2c805b69305134842dbd811 RPMS/XFree86-devel-3.3.1-1.i386.rpm 53ad58421c04b9cef3062521b3b48d1a RPMS/XFree86-develprof-3.3.1-1.i386.rpm 6d1d3e405f3dba20fa1651f8c8b9c9f9 RPMS/XFree86-develstatic-3.3.1-1.i386.rpm 65ea1446b20be4619f9d1166645faf0a RPMS/XFree86-fonts-3.3.1-1.i386.rpm 6d98d115bd5f1f8179f907b6ee0f3c09 RPMS/XFree86-fonts100-3.3.1-1.i386.rpm 1efa2634edc5ac7527c4c19f7c572ab5 RPMS/XFree86-fonts75-3.3.1-1.i386.rpm f371ed3eeda6afde75ef0360943d6cfc RPMS/XFree86-fontscyrillic-3.3.1-1.i386.rpm 9c94f0ba1a6953266759b86efc7c6486 RPMS/XFree86-fontserver-3.3.1-1.i386.rpm 125611d791401c6d067af59bd8654a77 RPMS/XFree86-fontsextra-3.3.1-1.i386.rpm 28ff5403fc1f1c86bca7180160dae9ef RPMS/XFree86-fontsscale-3.3.1-1.i386.rpm 53c997bd1b081554e2f5a7696bb3ccb5 RPMS/XFree86-imake-3.3.1-1.i386.rpm fc5583e1164f2eaf66703a8c93787f2c RPMS/XFree86-libs-3.3.1-1.i386.rpm 065fa8403f519f71e09fc8913f8fa478 RPMS/XFree86-misc-3.3.1-1.i386.rpm 388923f99c8cf77b682e86c8cbbe6b22 RPMS/XFree86-programs-3.3.1-1.i386.rpm e2436867be7b6889c171f7e426c51e77 RPMS/XFree86-server-3.3.1-1.i386.rpm 4d8d8c52b9d16a928cf557243aa1dff5 RPMS/XFree86-server-devel-3.3.1-1.i386.rpm 3f3731cfcd6db85d5c9a961cd667389a RPMS/XFree86-server-modules-3.3.1-1.i386.rpm 7d4f221455eeb71aa274d7eae1b7d9ad RPMS/XFree86-setup-3.3.1-1.i386.rpm ae0073399d4b1dc3f3fd8d2f4c86e500 RPMS/XFree86-twm-3.3.1-1.i386.rpm ec89dab74c9f500f4056adf4d0907075 RPMS/XFree86-xdm-3.3.1-1.i386.rpm e671bdc19d9f9786da21116f0ed053ab RPMS/XFree86-xsm-3.3.1-1.i386.rpm 0b995c6c53ea4a50317ce2813ca9545e RPMS/XFree86-xterm-3.3.1-1.i386.rpm 61d823596fc42aca55b07ea619d76a17 RPMS/zz_3dlook-1.0-8.i386.rpm e71939fde53a2528374744624cbb6808 SRPMS/XFree86-3.3.1-1.src.rpm 3e9ccaedc9fc09ebd7d6a7774cafce5e SRPMS/XFree86-contrib-3.3.1-1.src.rpm dec59defa85894963e4453b2d0a2bb26 SRPMS/XFree86-fonts-3.3.1-1.src.rpm 8ea240d53af78ab9ea7ffa226b29208f SRPMS/XFree86-server-3.3.1-1.src.rpm 44c95cf34f35f257b033960691e54e90 SRPMS/zz_3dlook-1.0-8.src.rpm 9e534e641b6425c76a371819e172aa43 XFree86_security_update aa6e292b437d251a39e3561ce6991539 supported_video-cards.txt IV. References This and other Caldera security resources are located at: http://www.caldera.com/tech-ref/security/ This advisory is based on the security problems as referenced below. The numbers refer to Caldera internal problem reports. Number: 806 Synopsis: libX11 / libXt buffer overflows patches Original reference for this problem came via BUGTRAQ@NETSPACE.ORG Date: Thu, 29 May 1997 14:37:39 -0700 From: Alex Belits Number: 822 Synopsis: SECURITY: More overflows in libX11 Original reference also comes through BUGTRAQ@NETSPACE.ORG From: Alex Belits Number: 824 Synopsis: X11R6.3 public fix #02 now available The origins of this problem have not been positively identified, however the information on availability of the corrections came from the following message: From: kaleb@opengroup.org (Kaleb S. KEITHLEY) Newsgroups: comp.windows.x.announce Subject: X11R6.3 public fix #02 now available Date: 1 Jul 97 20:12:33 GMT V. PGP Signature This message was signed with the PGP key for . This key can be obtained from: ftp://ftp.caldera.com/pub/pgp-keys/ Or on an OpenLinux CDROM under: /OpenLinux/pgp-keys/ $Id: SA-1997.14,v 1.2 1997/09/03 18:38:53 ron Exp $ -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: noconv iQCVAwUBNBV79On+9R4958LpAQEifwQAmETS5UJux2yGnG0PZwyFT8LkQJdSktNG ecSO2g7PQn42Orjum9oE4hhwE7p4z2CuW/3fS7CZYA+1wue9wgiozLQxr9QgY4cH C6PlXfCxuTMJTmeg17/I2zrOBZLZKk5isKTeyPUERy1m+MlX8or+V27Vv7oZqPYQ xWTahuNgupw= =lDEm -----END PGP SIGNATURE-----