[1113] in linux-security and linux-alert archive
[linux-security] Re: Vulnerability in the Xt library (fwd)
daemon@ATHENA.MIT.EDU (Marek Michalkiewicz)
Thu Aug 29 19:27:11 1996
From: Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>
To: linux-security@tarsier.cv.nrao.edu
Date: Thu, 29 Aug 1996 13:35:46 +0200 (MET DST)
Following up my previous message... Another message from bugtraq,
which contains a patch to fix the libXt buffer overrun. I haven't
verified if the fix is indeed in the (just released) XFree86-3.1.2F
- can't get to ftp.xfree86.org right now (too many users), and can't
find this version on mirror sites yet.
Marek
[REW: I'm not sure that this made it into 3.1.2F. The X consortium
fixed a similar bug, which very likely came in too late (the 27th) to
make it into 3.1.2F. As an aside, the release of 3.1.2F was MUCH too
hasty. (These security bugs have nothing to do with that though.)]
> Date: Sun, 25 Aug 1996 22:05:16 -0700
> From: Ollivier Robert <roberto%keltia.freenix.fr@plearn.edu.pl>
> Subject: Re: Vulnerability in the Xt library (fwd)
> To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
> According to John Capo:
> > Stefan `Sec` Zehl writes:
> > > I can confirm this for FreeBSD 2.2-Current, it gives me a euid=0 /bin/sh
>
> > I can also. The xterm cores on -stable though.
>
> I sent a patch and a portable version of snprintf to both the X consortium
> and XFree86 yesterday. It will be in 3.1.2F.
>
> If you have XFree sources on-line and are willing to recompile, apply the
> following patch in xc/lib/Xt:
>
> --- Error.c.old Sun Aug 25 14:57:28 1996
> +++ Error.c Sun Aug 25 14:47:14 1996
> @@ -238,5 +238,5 @@
> (void) memmove((char*)par, (char*)params, i * sizeof(String) );
> bzero( &par[i], (10-i) * sizeof(String) );
> - (void) sprintf(message, buffer, par[0], par[1], par[2], par[3],
> + (void) snprintf(message, sizeof message, buffer, par[0], par[1], par[2], par[3],
> par[4], par[5], par[6], par[7], par[8], par[9]);
> XtError(message);
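Review bot: `sizeof message` in the new snprintf call bounds the write only if `message` is declared as an array in this function; the declaration is outside the hunk, so confirm it is not a `char *`, where sizeof would give the pointer size instead of the buffer size. The return value is cast to void, so truncation is silent and XtError may receive a cut-off message; a short comment saying that is intended would help. `buffer` is still passed as a non-literal format, so the call now limits how much is written but not how the format is interpreted. The change also depends on snprintf being available on every platform Xt builds on, and the portable snprintf mentioned in the message is not part of this diff.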
> @@ -263,5 +263,5 @@
> (void) memmove((char*)par, (char*)params, i * sizeof(String) );
> bzero ( &par[i], (10-i) * sizeof(String) );
> - (void) sprintf(message, buffer, par[0], par[1], par[2], par[3],
> + (void) snprintf(message, sizeof message, buffer, par[0], par[1], par[2], par[3],
> par[4], par[5], par[6], par[7], par[8], par[9]);
> XtWarning(message);
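Review bot: the context lines above the changed call copy `i` entries into `par` and then zero `10-i` entries, and nothing in this hunk shows `i` being limited to 10; confirm that limit is enforced before the memmove, because the snprintf change bounds only `message`, not `par`. The three-line sequence here is identical to the one in the first hunk apart from the final XtWarning call, so a shared helper that formats into `message` and is called from both sites would keep the two from drifting apart in a later fix.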
>
> --
> Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr
> FreeBSD keltia.freenix.fr 2.2-CURRENT #18: Sun Aug 18 19:16:52 MET DST 1996
>