[3198] in bugtraq


Re: Possible bufferoverflow condition in lpr, xterm and xload

daemon@ATHENA.MIT.EDU (Igor Chudov @ home)
Sun Aug 18 16:13:49 1996

Date: 	Sun, 18 Aug 1996 09:34:47 -0500
Reply-To: Igor Chudov <ichudov@algebra.com>
From: "Igor Chudov @ home" <ichudov@algebra.com>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To:  <Pine.LNX.3.91.960817233142.11244A-100000@tester.randomc.com>
              from "*Unknown*" at Aug 17, 96 11:37:50 pm

*Unknown* wrote:
> >     I'm running XFree86 3.1.2E on a FreeBSD 2.2-960801-SNAP system...
> > ``xterm -display `perl -e "print 'abcde' x 1000, ':0';"`'' causes a
> > segfault (but doesn't drop a core).
>
> I am running XFree86 as well on a Linux 2.0.7 (redhat) system.
>
> xterm -display `perl -e "print 'a' x 2000"` caused xterm to segfault with
> no core drop (notice I left off the :0 and it segfaulted). I've tried to
> gain a root shell, but with no success so far.

By the way, it did not crash my xterm.

How about the real solution to the xterm woes:

1. Make utmp and wtmp owned by user root, group (say) acctg, and mode 664.
2. instead of setuiding xterm as root, make it setgid acctg.

This way the worst consequence of hacking xterm would be compromise of
accounting files, but not the root user.

Is there anything else that xterm needs to do as root besides updating
{w|u}tmp? I don't think so, I made a copy in mode 755 and it worked
fine with -ut option.

        - Igor.
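As an added example, not part of Igor's post or of the original thread, the following POSIX shell script audits the privilege split he proposes: it reports whether a given xterm binary is setuid, setgid only, or unprivileged, and whether utmp/wtmp carry the 664 mode (root-owned, group-writable, not world-writable) that lets a setgid xterm update them. The xterm and accounting-file paths and the group name acctg are assumptions; adjust them for the system being checked.

```shell
#!/bin/sh
# Added example, not code from the original BUGTRAQ post. Audits the
# privilege split proposed there: xterm setgid to an accounting group
# instead of setuid root, with utmp/wtmp owned root:acctg and mode 664.
# The paths and the group name "acctg" are assumptions.

# 10-character mode string of a path, e.g. "-rwsr-xr-x" (column 1 of ls -ld).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Owning group of a path (column 4 of ls -ld); compare against acctg by hand.
group_of() {
    ls -ld "$1" | awk '{ print $4 }'
}

# Classify an xterm binary from its mode string. Prints one of:
#   setuid        setuid bit set: a hole in xterm hands out the owner's uid
#                 (root, for the stock installation the thread discusses)
#   setgid-only   setgid bit without setuid: the worst case is the owning group
#   unprivileged  neither bit: works with -ut but cannot write utmp/wtmp
classify_xterm_mode() {
    case "$1" in
        ???[sS]??????) echo setuid ;;
        ??????[sS]???) echo setgid-only ;;
        *)             echo unprivileged ;;
    esac
}

# Classify a utmp/wtmp mode string against the proposed 664. Prints one of:
#   ok              rw-rw-r--: root and the accounting group write, all read
#   world-writable  any user can forge or erase login records
#   group-readonly  the group cannot write, so a setgid xterm cannot update it
#   unexpected      some other mode; inspect by hand
classify_acct_mode() {
    case "$1" in
        ?rw-rw-r--) echo ok ;;
        ????????w?) echo world-writable ;;
        ?????-????) echo group-readonly ;;
        *)          echo unexpected ;;
    esac
}

# Report on one xterm binary and the accounting files it is expected to write.
# Arguments: xterm path, then one or more utmp/wtmp paths. Missing files are
# reported rather than treated as errors.
audit() {
    xterm=$1; shift
    if [ -e "$xterm" ]; then
        m=$(mode_of "$xterm")
        printf '%-24s %s %s\n' "$xterm" "$m" "$(classify_xterm_mode "$m")"
    else
        printf '%-24s missing\n' "$xterm"
    fi
    for f in "$@"; do
        if [ -e "$f" ]; then
            m=$(mode_of "$f")
            printf '%-24s %s group=%s %s\n' "$f" "$m" "$(group_of "$f")" \
                "$(classify_acct_mode "$m")"
        else
            printf '%-24s missing\n' "$f"
        fi
    done
}

# Assumed locations for an XFree86-era system; override XTERM or pass others.
audit "${XTERM:-/usr/X11R6/bin/xterm}" /var/run/utmp /var/log/wtmp
```

Run it as any user; only the `ls` output is inspected, nothing is changed. A binary reported as `setuid` alongside accounting files reported `ok` is the state Igor argues against: the files are already writable by their group, so the setuid bit buys xterm nothing but root exposure.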
